Hi John, the problem with PIX 7.0 code is this: what actually happens is that when authentication is set with BGP, there is a hash of the payload sent along with the TCP segment. This is called option 19 in TCP.
PIX by default removes any TCP options set with it.
To get this resolved, I am sure you would have heard of something called a tcp-map. In the tcp-map, set the parameter for setting option 19.
It will resolve your problem for sure.
I am not sure about the commands, but I have done it before.
BGP uses TCP option 19, which is not permitted to pass through a PIX/ASA running 7.0 or higher. To permit traffic with these TCP options, the following tcp-map must be applied:
tcp-map BGP-MD5
 tcp-options range 19 19 allow
class-map BGP
 match port tcp eq 179
policy-map global_policy
 class BGP
  set connection advanced-options BGP-MD5
  set connection random-sequence-number disable
Also note that randomization of TCP sequence numbers must be disabled (you have already taken care of this using the "norandomseq" option in the static command).
This used to be done at the end of the static command, but the preferred option in 7.x and above is to use MPF and apply it via the policy-map. In addition, the addresses cannot be NATed. This is because the MD5 hash takes into account the IP header as well as the TCP header, so none of it can be changed.
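The three failure modes both replies describe (the firewall stripping option 19, randomizing the sequence number, or translating the addresses) all come down to what the RFC 2385 signature covers. The following is an added example, not code from either poster or from Cisco: it builds a constructed BGP KEEPALIVE segment carrying a TCP MD5 signature option, verifies it the way the receiving BGP speaker would, and then shows that each of the three firewall behaviours makes verification fail. The shared key, the RFC 5737 documentation addresses, the NOP padding layout and the port numbers are all assumptions chosen for the example.

```python
"""RFC 2385 TCP MD5 signature (TCP option kind 19) as used by BGP.

Added example (not from the original thread): builds a constructed BGP
segment, computes the option-19 digest, and shows why a firewall can
neither strip the option, randomize the sequence number, nor NAT the
addresses without breaking the session.
"""
import hashlib
import hmac
import socket
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MD5 = 0, 1, 19
TCP_OPT_MD5_LEN = 18          # kind(1) + length(1) + 16-byte MD5 digest
BGP_PORT = 179
FLAG_PSH_ACK = 0x18


def parse_tcp_options(tcp_hdr):
    """Return [(kind, value_bytes)] for the options after the fixed 20-byte header."""
    data_offset = (tcp_hdr[12] >> 4) * 4
    opts, i = [], 20
    while i < data_offset:
        kind = tcp_hdr[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        length = tcp_hdr[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        opts.append((kind, bytes(tcp_hdr[i + 2:i + length])))
        i += length
    return opts


def rfc2385_digest(src_ip, dst_ip, tcp_hdr, payload, key):
    """MD5 over: TCP pseudo-header, fixed TCP header without options and with
    checksum zeroed, segment data, and finally the shared key (RFC 2385 sec. 2.0)."""
    data_offset = (tcp_hdr[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, data_offset + len(payload)))
    fixed = bytes(tcp_hdr[:16]) + b"\x00\x00" + bytes(tcp_hdr[18:20])
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key):
    """Return TCP header + payload carrying a valid option-19 signature."""
    opt_len = 2 + TCP_OPT_MD5_LEN               # two NOPs pad the option to 20 bytes
    data_offset = (20 + opt_len) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        data_offset << 4, FLAG_PSH_ACK, 65535, 0, 0)
    # The digest never covers the options themselves, so it can be computed first.
    digest = rfc2385_digest(src_ip, dst_ip, fixed + b"\x00" * opt_len, payload, key)
    options = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest
    return fixed + options + payload


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Recompute the signature as the receiving BGP speaker would.
    Returns False when the option is missing or the digest does not match."""
    data_offset = (segment[12] >> 4) * 4
    tcp_hdr, payload = segment[:data_offset], segment[data_offset:]
    sigs = [v for k, v in parse_tcp_options(tcp_hdr) if k == TCP_OPT_MD5]
    if len(sigs) != 1 or len(sigs[0]) != 16:
        return False
    return hmac.compare_digest(sigs[0], rfc2385_digest(src_ip, dst_ip, tcp_hdr, payload, key))


def strip_tcp_options(segment):
    """What the PIX does by default: drop every option and shrink the header to 20 bytes."""
    data_offset = (segment[12] >> 4) * 4
    fixed = bytearray(segment[:20])
    fixed[12] = 5 << 4
    return bytes(fixed) + segment[data_offset:]


def rewrite_seq(segment, new_seq):
    """Firewall sequence-number randomization: rewrite bytes 4..8 of the TCP header."""
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


def demo():
    key = b"constructed-shared-secret"            # assumed key, constructed for the example
    src, dst = "192.0.2.1", "198.51.100.1"       # RFC 5737 documentation addresses
    keepalive = bytes([0xFF] * 16) + struct.pack("!HB", 19, 4)   # BGP KEEPALIVE: marker, length 19, type 4
    seg = build_signed_segment(src, dst, 40000, BGP_PORT, 1000, 2000, keepalive, key)
    return {
        "untouched": verify_signed_segment(src, dst, seg, key),
        "options_stripped": verify_signed_segment(src, dst, strip_tcp_options(seg), key),
        "seq_randomized": verify_signed_segment(src, dst, rewrite_seq(seg, 777777), key),
        "source_natted": verify_signed_segment("203.0.113.9", dst, seg, key),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17s} verifies: {ok}")
```

Only the untouched segment verifies. The NAT case fails even though no byte of the segment changed, because the receiver feeds its own view of the source and destination addresses into the pseudo-header; this is the reason the static must be an identity translation with sequence randomization off, or the equivalent MPF policy above.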