BGP MD5 Authenticated Peers through Firewall

colin.lynch
Level 4

Hi all

I am just implementing a solution which requires BGP peers with a PIX firewall between them. This solution works fine when I do not use an MD5 password on the peers, but when I put password authentication on the peers the BGP neighbours no longer establish, and when I debug it I see:

%TCP-6-BADAUTH: No MD5 digest from 172.16.5.1(12689) to 172.16.9.2(179)

I have found a document on CCO which indicates this is an issue with sequence number randomisation, which the PIX does by default, and to add the "norandomseq" keyword to the end of my static statement. I have done this, but it has not cured my issue.

I am using version 7.0(4) on the PIX and 12.2(18)SXE on the 6513s, which are the BGP peers.

Any Ideas?

Thanks in advance

Colin

Peer 1 config extract

router bgp 65526
 no synchronization
 bgp cluster-id 999
 bgp log-neighbor-changes
 network 172.16.9.0 mask 255.255.255.0
 neighbor 172.16.5.1 remote-as 65526
 neighbor 172.16.5.1 next-hop-self
 neighbor 172.16.5.1 password xxxx

Firewall config extract (access-list is allowing all traffic)

static (inside,dmz) 172.16.9.2 172.16.9.2 netmask 255.255.255.255 norandomseq

Peer 2 config extract

router bgp 65526
 no synchronization
 bgp log-neighbor-changes
 network 172.16.5.0 mask 255.255.255.0
 neighbor 172.16.9.2 remote-as 65526
 neighbor 172.16.9.2 password 7 045802150C2E
 neighbor 172.16.9.2 next-hop-self

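An added example, not code from the post or from Cisco, showing why the digest breaks in transit: the RFC 2385 TCP MD5 signature covers the IP addresses, the fixed TCP header (sequence number included) and the payload, so a firewall that rewrites the sequence number produces a mismatch, while one that strips the option leaves no digest at all, which is the case the "No MD5 digest" log line above names (IOS logs a mismatch as "Invalid MD5 digest"). It assumes the peer addresses, the source port 12689 and the masked password xxxx from the post; the BGP KEEPALIVE payload and the two middlebox functions are constructed here.

```python
import hashlib
import hmac
import socket
import struct
MD5_OPT = 19  # TCP option kind carrying the RFC 2385 signature

def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, opt_len):
    # RFC 2385: MD5 over pseudo-header, 20-byte header (checksum zeroed, options
    # excluded), payload, then the key; the segment length still counts the options.
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, 20 + opt_len + len(payload))
    zeroed = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:20]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()

def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    # Sender: option kind 19, length 18, 16-byte digest, two NOPs to pad to 5 words (data offset 10).
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, 10 << 12 | 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, hdr, payload, key, 20)
    return hdr + bytes([MD5_OPT, 18]) + digest + b"\x01\x01" + payload

def verify_segment(src_ip, dst_ip, segment, key):
    # Receiver: 'ok', 'no-digest' (option absent) or 'bad-digest' (mismatch), the
    # same distinction IOS draws in its %TCP-6-BADAUTH messages.
    off = (struct.unpack("!H", segment[12:14])[0] >> 12) * 4   # header length incl. options
    options, payload = segment[20:off], segment[off:]
    received, i = None, 0
    while i < len(options) and options[i] != 0:                # walk the option list up to EOL
        if options[i] == 1:                                     # NOP has no length byte
            i += 1
            continue
        if options[i] == MD5_OPT:
            received = options[i + 2:i + options[i + 1]]
        i += options[i + 1]
    if received is None:
        return "no-digest"
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:20], payload, key, len(options))
    return "ok" if hmac.compare_digest(received, expected) else "bad-digest"

def rewrite_seq(segment, delta):
    # Model a firewall randomising the sequence number in flight.
    seq = struct.unpack("!I", segment[4:8])[0]
    return segment[:4] + struct.pack("!I", (seq + delta) & 0xFFFFFFFF) + segment[8:]

def strip_options(segment):
    # Model a firewall clearing TCP options it does not recognise (data offset back to 5 words).
    off_flags = struct.unpack("!H", segment[12:14])[0]
    body = segment[(off_flags >> 12) * 4:]
    return segment[:12] + struct.pack("!H", off_flags & 0x0FFF | 5 << 12) + segment[14:20] + body

# Constructed sample: peers and source port from the post, a BGP KEEPALIVE as payload,
# and the masked "xxxx" from the config extract standing in for the real password.
SRC, DST, KEY = "172.16.5.1", "172.16.9.2", b"xxxx"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
SEGMENT = sign_segment(SRC, DST, 12689, 179, 1000, 2000, KEEPALIVE, KEY)
```

Because the source and destination addresses are part of the pseudo-header, a static that translated the address (rather than the identity mapping shown) would break the digest in the same way as sequence randomisation.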
1 Reply

sachinraja
Level 9

Hello Colin

I hope you have allowed BGP traffic to flow from outside to inside....

access-list outside permit tcp host 172.16.5.1 host 172.16.9.2 eq bgp

Were you referring to this doc?

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml#md5auth

This is a good doc to refer to.

Regards

Raj