Issue for BGP with MD5 through PIX 7.1

johnyoon75
Level 1

Hello all,

I have a problem with eBGP with MD5 through PIX 7.1.

As you know, to pass BGP with MD5 traffic through the PIX 6.3, I have to apply a special configuration: no random sequence numbers on the static NAT configuration.

static (i,o) 1.1.1.1 1.1.1.1 norandomseq

Thus, on the PIX 6.3, there is no issue for eBGP with MD5 through the PIX.

But after upgrading the PIX from 6.3 to 7.1, BGP with MD5 does not work properly.

Please let me know how I can pass the eBGP with MD5 traffic on the PIX 7.2 code?

Regards,

John.

2 Replies

sebastan_bach
Level 4

Hi John, the problem with the PIX 7.0 code is this. What actually happens is that when authentication is set with BGP, there is a hash of the payload sent along with the TCP segment. This is called option 19 in TCP.

The PIX by default removes any TCP options set with it.

To get this resolved, I am sure you would have heard of something called a TCP map. In the TCP map, set the parameter for setting option 19.

It will resolve your problem for sure.

I am not sure about the commands, but I have done it before.

Hope this helps.

Regards,

Sebastan

vitripat
Level 7

BGP uses TCP option 19, which is not permitted to pass through a PIX/ASA running 7.0 or higher. To permit traffic with these TCP options, the following tcp-map must be applied:

! Allow TCP option kind 19 (the MD5 signature) instead of clearing it
tcp-map BGP-MD5
 tcp-options range 19 19 allow
!
! Match the BGP session traffic (TCP/179)
class-map BGP-MD5-CLASSMAP
 match port tcp eq 179
!
! Apply the tcp-map and turn off sequence-number randomization for that class
policy-map global_policy
 class BGP-MD5-CLASSMAP
  set connection advanced-options BGP-MD5
  set connection random-sequence-number disable

Also note that randomization of TCP sequence numbers must be disabled (you have already taken care of this using the "norandomseq" option in the static command).

This used to be done at the end of the static command, but the preferred option in 7.x and above is to use MPF and apply it via the policy-map. In addition, the addresses cannot be NATed. This is because the MD5 hash takes into account the IP header as well as the TCP header, therefore none of it can be changed.

Hope this resolves the issue.

Regards,

Vibhor.
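The two replies above explain the failure in words: the BGP MD5 signature (RFC 2385, TCP option kind 19) is computed over the IP addresses, the TCP header including the sequence number, and the payload, so a firewall that strips the option, translates the address, or randomizes the sequence number makes the peer discard the segment. The following Python is an added example written for this thread, not code from the posters or from Cisco. It builds a constructed BGP OPEN segment (the addresses, ports, shared key and timestamp option are made up), signs it per RFC 2385, and then checks how the receiver's verification fares after each of the three rewrites a PIX/ASA 7.x can apply by default.

```python
"""RFC 2385 TCP MD5 signature option (TCP option kind 19), worked in Python.
Added example for this thread; constructed data, not a capture."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MD5 = 0, 1, 19
BGP_PORT = 179


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    options: bytes = b""   # raw TCP options, padded to a 4-byte multiple
    payload: bytes = b""


def parse_tcp_options(raw: bytes) -> list:
    """Return [(kind, data)] from raw options; EOL terminates, NOP is 1 byte."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        opts.append((kind, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts


def encode_tcp_options(opts: list) -> bytes:
    """Inverse of parse_tcp_options, EOL-padded to a 4-byte boundary."""
    raw = b"".join(b"\x01" if k == TCP_OPT_NOP else bytes([k, 2 + len(d)]) + d
                   for k, d in opts)
    return raw + b"\x00" * (-len(raw) % 4)


def tcp_md5_digest(seg: TcpSegment, key: bytes) -> bytes:
    """RFC 2385 s.2: MD5(pseudo-header, TCP header w/o options, checksum=0, data, key)."""
    hdr_len = 20 + len(seg.options)          # option *length* still counts
    pseudo = (ipaddress.IPv4Address(seg.src_ip).packed
              + ipaddress.IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, 6, hdr_len + len(seg.payload)))
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         (hdr_len // 4) << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


def sign_segment(seg: TcpSegment, key: bytes) -> TcpSegment:
    """Append option 19; hash over a zero placeholder so lengths match what is sent."""
    opts = parse_tcp_options(seg.options)
    if any(k == TCP_OPT_MD5 for k, _ in opts):
        raise ValueError("segment already carries option 19")
    placeholder = encode_tcp_options(opts + [(TCP_OPT_MD5, bytes(16))])
    digest = tcp_md5_digest(replace(seg, options=placeholder), key)
    return replace(seg, options=encode_tcp_options(opts + [(TCP_OPT_MD5, digest)]))


def verify_segment(seg: TcpSegment, key: bytes) -> bool:
    """Receiver with a key configured: missing option 19 or a bad digest -> drop."""
    for kind, data in parse_tcp_options(seg.options):
        if kind == TCP_OPT_MD5:
            return len(data) == 16 and hmac.compare_digest(
                data, tcp_md5_digest(seg, key))
    return False


def strip_md5_option(seg: TcpSegment) -> TcpSegment:
    """Default PIX/ASA 7.x behaviour without the tcp-map: option 19 is cleared."""
    kept = [(k, d) for k, d in parse_tcp_options(seg.options) if k != TCP_OPT_MD5]
    return replace(seg, options=encode_tcp_options(kept))


def demo() -> dict:
    """Constructed BGP OPEN segment (assumed values) through each middlebox rewrite."""
    key = b"s3cretBgpKey"                      # assumed shared BGP password
    bgp_open = (b"\xff" * 16 + struct.pack("!HB", 29, 1)
                + struct.pack("!BHHIB", 4, 65001, 180, 0xC0A80101, 0))
    seg = TcpSegment("192.168.1.1", "192.168.1.2", 40000, BGP_PORT,
                     seq=0x1000, ack=0x2000, flags=0x18, window=16384,
                     options=b"\x01\x01\x08\x0a" + bytes(8),  # NOP,NOP,timestamp
                     payload=bgp_open)
    signed = sign_segment(seg, key)
    return {
        "valid_unchanged": verify_segment(signed, key),
        "valid_after_option_strip": verify_segment(strip_md5_option(signed), key),
        "valid_after_nat": verify_segment(replace(signed, src_ip="203.0.113.10"), key),
        "valid_after_seq_randomization": verify_segment(
            replace(signed, seq=(signed.seq + 0x5EED) & 0xFFFFFFFF), key),
    }
```

Calling demo() returns True only for the untouched segment; stripping option 19 (the 7.x default that the tcp-map overrides), rewriting the source address (NAT), and shifting the sequence number (randomization) each yield False, which is exactly the set of three things the configuration in the reply has to leave alone. The digest is computed with the TCP checksum zeroed and the options excluded, but the data-offset field and pseudo-header length still reflect the full header, which is why the signing routine hashes over a zero-filled placeholder of the final length before filling in the real digest.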
