Cisco Support Community
Pix and BGP question

I do not have a Pix at the moment to test, so I'll ask this question:

R1---(i)Pix(o)---R2

R1 is doing eBGP with MD5 authentication with R2. Pix is in routed mode.

With Pix code 6.3.x, I have to do this:

static (i,o) r1 r1 netmask 255.255.255.255 norandom

Question:

With version 7.x or 8.x, let's say the only thing I have on the Pix is "no nat-control". Do I still need to modify the inspection so that eBGP with MD5 authentication works across the Pix? In version 7.x and 8.x code, by default, does the Pix/ASA automatically randomize the TCP sequence between interfaces?

3 REPLIES

Re: Pix and BGP question

Hello David

Consider BGP as any other TCP connection. Refer to the following URL; it might be of good help to you:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml#asa

Let us know.

Raj


Re: Pix and BGP question

The document is not clear on what I asked. As you can see in the example, it has "static (i,o) x.x.x.x x.x.x.x /32" in there. My question has to do with "no nat-control" and NO static: do you still need a policy map for eBGP with MD5 authentication?

Re: Pix and BGP question

You will still have to configure a policy map for MD5 authentication starting from 7.x. With 6.3 it was allowed explicitly, but not from 7.x. Interesting material that I saw online:

"When BGP is configured with authentication, two things happen. First, an MD5 hash is computed including the password and the TCP sequence number of the packet, among other things. Second, that hash is attached to the packet via TCP option 19.

By default, a security appliance running 7.x clears option 19 and offsets the sequence number by a random number, per TCP flow. This makes BGP really unhappy when it is transiting the firewall. So, let's allow option 19 back through. To do this, you should configure the inspection of the BGP traffic and then configure a tcp-map that can be used when the ASA inspects the BGP TCP packets. Assign it all to a policy map and service policy and you're good.

The routers still aren't happy.

There are two ways to disable the randomization when the security appliance is in routed mode. The first way is accomplished via the static command.

static (inside,outside) 136.1.121.1 136.1.121.1 netmask 255.255.255.255 norandomseq

In transparent mode there is no NAT, so the norandomseq switch can't be used on the static command. Instead, the randomization needs to be shut off when the packet gets inspected. Returning to the class of traffic we configured earlier, we can disable the randomization for only our BGP traffic:

class BGP_TRAFFIC
  set connection random-sequence-number disable
  set connection advanced-options BGP_TCP_MAP

Now things should be working and the neighbours should be UP."

Does this answer your question? All the best. Rate replies if found useful.

Raj
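The quoted material above makes two points that are easy to take on faith: the MD5 signature a BGP speaker attaches as TCP option 19 (RFC 2385) is computed over the TCP sequence number, so a firewall that offsets sequence numbers breaks the session even if it forwards the option, and clearing the option breaks it outright. The following Python is an added example, not code from the thread or from Cisco, that builds a signed segment the way a BGP speaker does, verifies it the way the peer does, and then applies two simplified models of the 7.x default behaviour (a sequence-number offset, and option 19 overwritten with NOPs) to show that verification fails either way. The peer addresses, port numbers, shared key and KEEPALIVE payload are constructed for the demonstration; the firewall models ignore the acknowledgement-number adjustment a real appliance also performs on the return path. On the appliance itself the matching fix is the tcp-map the quote refers to (on 7.x/8.x, `tcp-options range 19 19 allow`) together with `set connection random-sequence-number disable` in the BGP class, or the `norandomseq` static in routed mode.

```python
"""Added example (not from the thread): RFC 2385 TCP MD5 signatures (option 19) and
why a firewall that offsets sequence numbers, or strips the option, breaks them.
Digest input, in order: IPv4 pseudo-header, fixed TCP header with checksum zeroed
(options excluded), segment data, shared key.  The sequence number is inside the
fixed header, so rewriting it invalidates the signature even if option 19 survives."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19      # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18     # kind + length + 16-byte MD5 digest
FLAG_PSH_ACK = 0x018

def _pseudo_header(src_ip, dst_ip, tcp_len):
    # src, dst, zero, protocol, TCP length (fixed header + options + data)
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))

def _split(segment):
    # (fixed 20-byte header, option bytes, payload), using the data-offset field
    data_offset = (struct.unpack("!H", segment[12:14])[0] >> 12) * 4
    return segment[:20], segment[20:data_offset], segment[data_offset:]

def _locate_md5_option(options):
    # Walk the option list; return (start, length) of option 19, or None if absent
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                   # end-of-options
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:  # malformed option
            return None
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return i, length
        i += length
    return None

def rfc2385_digest(src_ip, dst_ip, fixed_hdr, options_len, payload, key):
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]   # checksum treated as zero
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, 20 + options_len + len(payload)))
    m.update(hdr)
    m.update(payload)
    m.update(key)
    return m.digest()

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """TCP header + option 19 + payload, as a BGP speaker with a password would send it."""
    options_len = 20                                    # 18-byte option + 2 NOPs for alignment
    off_flags = (((20 + options_len) // 4) << 12) | FLAG_PSH_ACK
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 16384, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, hdr, options_len, payload, key)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest
    return hdr + options + payload

def verify_signed_segment(src_ip, dst_ip, segment, key):
    """True only if option 19 is present and its digest matches the segment as received."""
    fixed_hdr, options, payload = _split(segment)
    loc = _locate_md5_option(options)
    if loc is None:
        return False
    start, length = loc
    received = options[start + 2:start + length]
    expected = rfc2385_digest(src_ip, dst_ip, fixed_hdr, len(options), payload, key)
    return hmac.compare_digest(received, expected)

def firewall_randomize_seq(segment, offset):
    """Simplified model of the 7.x default: add a per-flow offset to the sequence number."""
    seq = struct.unpack("!I", segment[4:8])[0]
    return segment[:4] + struct.pack("!I", (seq + offset) & 0xFFFFFFFF) + segment[8:]

def firewall_clear_option19(segment):
    """Simplified model of option clearing: overwrite option 19 with NOPs, length unchanged."""
    fixed_hdr, options, payload = _split(segment)
    loc = _locate_md5_option(options)
    if loc is None:
        return segment
    start, length = loc
    options = options[:start] + bytes([TCPOPT_NOP]) * length + options[start + length:]
    return fixed_hdr + options + payload

def demo():
    # Constructed sample: eBGP peers on a /30, shared key, 19-byte BGP KEEPALIVE payload
    src, dst, key = "192.0.2.1", "192.0.2.2", b"cisco123"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"
    seg = build_signed_segment(src, dst, 50000, 179, 1000, 2000, keepalive, key)
    return {
        "untouched": verify_signed_segment(src, dst, seg, key),
        "seq randomized": verify_signed_segment(src, dst, firewall_randomize_seq(seg, 0x1F2E3D4C), key),
        "option 19 cleared": verify_signed_segment(src, dst, firewall_clear_option19(seg), key),
        "wrong key": verify_signed_segment(src, dst, seg, b"wrong-key"),
    }
```

Running `demo()` returns True only for the untouched segment; the randomized and option-cleared segments fail exactly as the quoted text describes, which is why the "allow option 19" tcp-map alone is not enough and the randomization has to be disabled as well.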
