Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

issue for BGP with md5 through pix 7.1

hello all,

i have a problem with ebgp with md5 through pix7.1.

as you know, to pass bgp with md5 traffic for the pix6.3, i should configure a special configuraiton. it's norandom sequence number at the static nat configuraiton.

static (i,o) 1.1.1.1 1.1.1.1 norandomseq

thus, in the pix 6.3, thre is no issue for ebpg with md5 through pix.

but, after upgrading pix from 6.3 to 7.1, the bgp with md5 not work properly.

please let me know, how can i pass the ebgp with md5 traffic on the pix 7.2 code?

regards,

john.

2 REPLIES
New Member

Re: issue for BGP with md5 through pix 7.1

hi john the problem with pix 7.0 code is that . what actually happens is when authentication is set with bgp . there is hash of the payload send along with the tcp segment. this is called the option 19 in tcp.

pix by default removes any tcp options set with it.

to get this thing resolved i am sure u would have heard of something called a tcp map. in the tcp map set the parameter for setting the option 19.

it will resolve ur problem for sure.

i am not sure abt the commands but i have done it before.

hope this helps.

regards

sebastan

Silver

Re: issue for BGP with md5 through pix 7.1

BGP uses TCP option 19, which is not permitted to pass through a PIX/ASA running 7.0 or higher. To permit traffic with these TCP options, the following tcp-map must be applied:

tcp-map BGP-MD5

tcp-options range 19 19 allow

class-map BGP-MD5-CLASSMAP

match port tcp eq 179

policy-map global_policy

class BGP-MD5-CLASSMAP

set connection advanced-options BGP-MD5

set connection random-sequence-number disable

Also note that randomization of TCP sequence numbers Must be disabled (you have already taken care of this using the "norandomseq" option in static command).

This used to be done at the end of the static command, but the preferred option in 7.x and above is to use MPF an apply it via the policy-map. In addition, the addresses cannot be NATed. This is because the MD5 hash takes into account the IP header as well as the TCP header, therefore none of it can be changed.

Hope this resolved the issue.

Regards,

Vibhor.

300
Views
14
Helpful
2
Replies
CreatePlease login to create content