Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.


Pix and BGP question

I do not have a Pix at the moment to test to I'll ask this question:


R1 is doing eBGP with MD5 authentication with R2. Pix is in routed mode.

With Pix code 6.3.x, I have to do this:

static (i,o) r1 r1 netmask norandom


With version 7.x or 8.x, let say the only thing I have on the Pix

is "no nat-control". Do I still need to modify the inspection

so that eBGP with MD5 authentication to work across the Pix? In

version 7.x and 8.x code, by default, does the Pix/ASA automatically

randomize the TCP sequence between interfaces?


Re: Pix and BGP question

Hello David

Consider BGP as any other TCP connection.. Refer to the following URL.. might be of good help to you:

Let us know..



Re: Pix and BGP question

The document is not clear on what I asked.

As you can see in the example, it has

static (i,o) x.x.x.x x.x.x.x /32 in there.

My question has to do with "no nat-control"

and NO static, do you still need policy map

for eBGP with MD5 authentication

Re: Pix and BGP question

You will still have to configure policymap, for md5 authentication, starting from 7.x.. with 6.3, it was allowed explicitely, but not from 7.x.. Interesting material that I saw online:

"When BGP is configured with authentication, two things happen. First, an MD5 hash is computed including the password and the TCP sequence number of the packet, among other things. Second, that hash is attached to the packet via TCP option 19.

By default, a security appliance running 7.x clears option 19 and offsets the sequence number by a random number, per TCP flow. This makes BGP really unhappy when it is transiting the firewall. So, lets allow option 19 back through. To do this, you should configure the inspection of the BGP traffic and then configure a tcp-map that can be used when the ASA inspects the BGP TCP packets. Assign it all to a policy map and service policy and you're good.

the routers still aren't happy.

There are two ways to disable the randomization when the security appliance is in routed mode. The first way is accomplished via the static command.

static (inside,outside) netmask norandomseq

In transparent mode there is no NAT, so the norandomseq switch can't be used on the static command. Instead, the randomization needs to be shut off when the packet gets inspected. Returning to the class of traffic we configured earlier, we can disable the randomization for only our BGP traffic:


set connection random-sequence-number disable

set connection advanced-options BGP_TCP_MAP

Now things should working and the neighbours should be UP "

Does this answer your question ? All the best. rate replies if found useful..


CreatePlease login to create content