New Member

BGP through pix

Hi All,

I will be running eBGP through my PIX to routers on each side, to the loopbacks of these routers. What must I enter in my PIX config to allow these two routers to exchange via BGP with their loopbacks? I have tried just allowing the port, but this does not seem to work. Can someone give me an example config?

TIA,

R

4 REPLIES
Silver

Re: BGP through pix

BGP runs on TCP 179 so as long as you have that allowed and the addresses are reachable (proper static statements) you should be ok. Here is a link that will help you out:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml

New Member

Re: BGP through pix

I think I had the static routes needed confused. This example helped out a lot.

One thing I am not sure about on the site you gave is the PIX config that states the following:

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

!--- No NAT translation, to allow Router11 on the inside to initiate a BGP session

!--- to Router12 on the outside of PIX.

static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255

!--- Static NAT translation, to allow Router12 on the outside to initiate a BGP session

!--- to Router11 on the inside of PIX.

Do I need to add the static NAT translation as it states, as I do run NAT on the PIX in between these routers?

Cisco Employee

Re: BGP through pix

Just remember to use "norandomseq" keyword on the static statement on the PIX if you are going to use MD5 authentication on the BGP session.

Please refer to the following document for more information:

http://www.cisco.com/en/US/partner/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#twenty-five

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
Silver

Re: BGP through pix

The static NAT translation is required in order for a router on the less secure side of the PIX to initiate a TCP session with a router on the more secure side. Also keep in mind the suggestion by Harold on use of the norandomseq parameter with the static command.
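
An added illustration, not part of the thread or of Cisco's documentation, of why the norandomseq advice in the replies above matters with MD5 authentication: the TCP MD5 signature option (RFC 2385) hashes the pseudo-header addresses and the TCP header, sequence number included, so a firewall that rewrites either one makes the receiver's recomputed digest mismatch. The peer address 192.0.2.12, the translated address 192.0.2.1, the ports, key, sequence values and header length are constructed assumptions; 172.16.11.1 is the inside router from the config quoted above.

```python
import hashlib
import socket
import struct

HEADER_LEN = 40  # assumed: 20-byte TCP header + 18-byte MD5 option + 2 pad bytes

def tcp_md5_digest(key, src, dst, sport, dport, seq, ack=0, flags=0x02,
                   window=16384, payload=b""):
    """RFC 2385 digest: pseudo-header, option-less TCP header, data, then key."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst) +
              struct.pack("!BBH", 0, socket.IPPROTO_TCP, HEADER_LEN + len(payload)))
    # Checksum is hashed as zero and options are excluded, per RFC 2385.
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         (HEADER_LEN // 4) << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()

def receiver_accepts(key, sent, delivered):
    """Compare the digest the sender signed with what the receiver recomputes."""
    return tcp_md5_digest(key, **sent) == tcp_md5_digest(key, **delivered)

KEY = b"constructed-bgp-secret"  # constructed shared secret
# Constructed SYN from the inside router toward its eBGP peer on TCP 179.
SYN = dict(src="172.16.11.1", dst="192.0.2.12", sport=11000, dport=179,
           seq=1000)

def firewall_outcomes():
    """What the outside peer decides for three firewall behaviours."""
    randomized = dict(SYN, seq=(SYN["seq"] + 0x5A5A5A5A) % 2**32)
    translated = dict(SYN, src="192.0.2.1")  # constructed NAT address
    return {
        "identity static + norandomseq": receiver_accepts(KEY, SYN, dict(SYN)),
        "sequence number randomized": receiver_accepts(KEY, SYN, randomized),
        "source address translated": receiver_accepts(KEY, SYN, translated),
    }

if __name__ == "__main__":
    for case, ok in firewall_outcomes().items():
        print(f"{case}: {'accepted' if ok else 'dropped (bad MD5 digest)'}")
```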
