ASA block BGP traffic

eigrpy
Level 4

Hi. When BGP traffic goes through an ASA, we need special commands on the ASA. We need to disable TCP MD5 option rewriting. But in a real example, the command is to allow tcp-option 19. Can anyone explain this for me? Thank you.

4 Replies

jan.nielsen
Level 7

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/6500-bgp-pix.html#md5auth

A BGP connection is established on TCP port 179. TCP 179 must be allowed on both sides, but it is not enough.

For security reasons, BGP peers authenticate each other using MD5 authentication. Option 19 can be used to enhance security when MD5 authentication is used. This option with MD5 acts as a certificate for BGP segments. This prevents spoofing and reduces the probability of establishing a connection with a fake neighbor.


Before applying option 19, everything is good; however, the ASA rewrites the packets carrying this option even though port 179 is allowed, so we need to tell the ASA to allow option 19 as well. The configuration looks like this:

access-list bgp extended permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp
access-list bgp extended permit tcp host 2.2.2.2 host 1.1.1.1 eq bgp

tcp-map ALLOW-OPTION19
  tcp-options range 19 19 allow

class-map BGP-CLASS
  match access-list bgp

policy-map global_policy
  class BGP-CLASS
    set connection random-sequence-number disable
    set connection advanced-options ALLOW-OPTION19


Masoud

Thank you so much for your reply. 

I agree with your explanation. But someone says "it needs to disable TCP MD5 option rewriting". Do you think "disable TCP MD5 option rewriting" means the same thing as "allow option 19"?

PIX/ASA version 7.x and later introduces an additional challenge when you try to establish a BGP peering session with MD5 authentication. By default, PIX/ASA version 7.x and later rewrites any TCP MD5 option included on a TCP datagram that goes through the device and replaces the option kind, size and value with NOP option bytes.


It has the potential of leaking information about your network setup if options in IP and TCP are set, so firewalls do not like options and treat them differently.


"IP OPTIONS are considered a security risk as they have the potential of leaking information about the internet network setup and, by default, all packets with IP OPTIONS are dropped by firewalls"
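The two phrasings in this thread ("allow option 19" in the tcp-map above, and "disable TCP MD5 option rewriting" in the quoted Cisco text) describe the same thing from two sides, and the script below is an added example, not Cisco code or the poster's configuration, that makes that concrete. It builds a BGP KEEPALIVE segment carrying TCP option kind 19 with its digest computed per RFC 2385 (pseudo-header, fixed TCP header with checksum zeroed, payload, shared key), then models the default ASA behaviour quoted above by overwriting the option's kind, length and value bytes with NOP (kind 1) bytes and shows that the receiving peer's MD5 check can no longer succeed. The peer addresses, ports, sequence numbers and the shared key are constructed values; the 1.1.1.1 and 2.2.2.2 addresses are reused from the ACL in the thread.

```python
# Added example: TCP option 19 (RFC 2385 MD5 signature) and the effect of NOP-rewriting it.
# Not Cisco code. Addresses, ports, sequence numbers and key below are constructed values.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MD5SIG = 19        # RFC 2385 TCP MD5 Signature Option
MD5SIG_OPT_LEN = 18        # kind (1) + length (1) + 16-byte digest
BGP_PORT = 179


def build_tcp_header(sport, dport, seq, ack, flags, window, options):
    """20-byte fixed header followed by options, EOL-padded to a 4-byte boundary."""
    options = options + bytes((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)   # checksum, urgent ptr = 0
    return fixed + options


def md5_signature(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 section 2.0: MD5 over pseudo-header, fixed TCP header (checksum zeroed),
    segment data and the shared key. TCP options are deliberately NOT covered."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))          # zero, protocol TCP, TCP length
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def parse_tcp_options(tcp_header):
    """Return the option list as (kind, value) pairs; NOP has an empty value."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def asa_default_rewrite(tcp_header):
    """Model of the default behaviour quoted in the thread: every byte of option 19
    (kind, length and digest) is overwritten with NOP. The TCP checksum is not
    recomputed in this model; a real device does that as part of the rewrite."""
    hdr = bytearray(tcp_header)
    data_offset = (hdr[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = hdr[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = hdr[i + 1]
        if kind == TCP_OPT_MD5SIG:
            hdr[i:i + length] = bytes([TCP_OPT_NOP]) * length
        i += length
    return bytes(hdr)


def verify_md5_signature(src_ip, dst_ip, tcp_header, payload, key):
    """Receiver side: exactly one option 19 whose digest matches, else the segment is dropped."""
    sigs = [v for k, v in parse_tcp_options(tcp_header) if k == TCP_OPT_MD5SIG]
    if len(sigs) != 1 or len(sigs[0]) != 16:
        return False
    return hmac.compare_digest(sigs[0], md5_signature(src_ip, dst_ip, tcp_header, payload, key))


def demo(key=b"constructed-shared-secret"):
    src, dst = "1.1.1.1", "2.2.2.2"                         # the peers from the ACL in the thread
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)    # BGP KEEPALIVE: marker, length, type
    placeholder = bytes([TCP_OPT_MD5SIG, MD5SIG_OPT_LEN]) + bytes(16)
    hdr = build_tcp_header(BGP_PORT, 40000, 1000, 2000, 0x18, 65535, placeholder)  # PSH|ACK
    digest = md5_signature(src, dst, hdr, keepalive, key)
    signed = hdr[:22] + digest + hdr[38:]                   # drop the digest into the option
    rewritten = asa_default_rewrite(signed)
    return {
        "original_option_kinds": [k for k, _ in parse_tcp_options(signed)],
        "original_verifies": verify_md5_signature(src, dst, signed, keepalive, key),
        "wrong_key_verifies": verify_md5_signature(src, dst, signed, keepalive, b"other-key"),
        "rewritten_option_kinds": [k for k, _ in parse_tcp_options(rewritten)],
        "rewritten_verifies": verify_md5_signature(src, dst, rewritten, keepalive, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the signed segment verifying with the right key and failing with the wrong one, and the rewritten segment carrying eighteen NOP bytes where option 19 used to be, so the receiving router sees no signature at all and drops the segment; that is the symptom of the default behaviour, and `tcp-options range 19 19 allow` is what switches it off. Because the RFC 2385 digest covers the fixed TCP header including the sequence number, the `set connection random-sequence-number disable` line in the thread's configuration is needed for the same reason: an ASA that rewrites sequence numbers would also invalidate the digest.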