Pix and BGP question

Unanswered Question
Jan 4th, 2009

I do not have a Pix at the moment to test to I'll ask this question:

R1---(i)Pix(o)---R2

R1 is doing eBGP with MD5 authentication with R2. Pix is in routed mode.

With Pix code 6.3.x, I have to do this:

static (i,o) r1 r1 netmask 255.255.255.255 norandom

Question:

With version 7.x or 8.x, let say the only thing I have on the Pix

is "no nat-control". Do I still need to modify the inspection

so that eBGP with MD5 authentication to work across the Pix? In

version 7.x and 8.x code, by default, does the Pix/ASA automatically

randomize the TCP sequence between interfaces?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cisco24x7 Tue, 01/06/2009 - 06:46

The document is not clear on what I asked.

As you can see in the example, it has

static (i,o) x.x.x.x x.x.x.x /32 in there.

My question has to do with "no nat-control"

and NO static, do you still need policy map

for eBGP with MD5 authentication

sachinraja Tue, 01/06/2009 - 08:55

You will still have to configure policymap, for md5 authentication, starting from 7.x.. with 6.3, it was allowed explicitely, but not from 7.x.. Interesting material that I saw online:

"When BGP is configured with authentication, two things happen. First, an MD5 hash is computed including the password and the TCP sequence number of the packet, among other things. Second, that hash is attached to the packet via TCP option 19.

By default, a security appliance running 7.x clears option 19 and offsets the sequence number by a random number, per TCP flow. This makes BGP really unhappy when it is transiting the firewall. So, lets allow option 19 back through. To do this, you should configure the inspection of the BGP traffic and then configure a tcp-map that can be used when the ASA inspects the BGP TCP packets. Assign it all to a policy map and service policy and you're good.

the routers still aren't happy.

There are two ways to disable the randomization when the security appliance is in routed mode. The first way is accomplished via the static command.

static (inside,outside) 136.1.121.1 136.1.121.1 netmask 255.255.255.255 norandomseq

In transparent mode there is no NAT, so the norandomseq switch can't be used on the static command. Instead, the randomization needs to be shut off when the packet gets inspected. Returning to the class of traffic we configured earlier, we can disable the randomization for only our BGP traffic:

class BGP_TRAFFIC

set connection random-sequence-number disable

set connection advanced-options BGP_TCP_MAP

Now things should working and the neighbours should be UP "

Does this answer your question ? All the best. rate replies if found useful..

Raj

Actions

This Discussion