12-27-2023 05:59 AM
Hi
I am testing what traffic to allow and block directly with the block. I have the below configuration that should in theory block all traffic to the device from a neighbor, including BGP. But regardless, the BGP session stays up.
I am wondering what I am missing.
access-list DENY-ALL extended deny ip any any
access-list DENY-ALL extended deny tcp any any
access-group DENY-ALL in interface SD-WAN-1 control-plane
access-group DENY-ALL in interface SD-WAN-1
interface Ethernet1/10.6
vlan 6
nameif SD-WAN-1
security-level 0
zone-member SD-WAN-1
ip address 172.16.6.1 255.255.255.0 standby 172.16.6.2
router bgp 8989
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 172.16.6.3 remote-as 666
neighbor 172.16.6.3 activate
no auto-summary
no synchronization
# show bgp summary
BGP router identifier 172.16.66.1, local AS number 8989
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.6.3 4 666 236 195 3 0 0 03:33:36 0
172.16.7.3 4 666 237 195 3 0 0 03:33:36 0
################################################################
################################################################
# show bgp neighbors 172.16.6.3
BGP neighbor is 172.16.6.3, context single_vf, remote AS 666, external link
BGP version 4, remote router ID 172.16.6.3
BGP state = Established, up for 03:34:08
Last read 00:00:10, last write 00:00:51, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 1 1
Keepalives: 193 235
Route Refresh: 0 0
Total: 195 237
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Session: 172.16.6.3
BGP table version 3, neighbor version 3/0
Output queue size : 0
Index 3
3 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 2 0
Prefixes Total: 4 0
Implicit Withdraw: 2 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 2, min 0
Address tracking is enabled, the RIB does have a route to 172.16.6.3
Connections established 5; dropped 4
Last reset 03:34:09, due to User reset of session 1
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
12-27-2023 06:04 AM
firepower# show conn long
Can you share this?
The ACL will not work if there is already a conn in FPR,
so if there is a conn then force the peer to re-establish the BGP session and check again.
MHM
12-27-2023 06:22 AM - edited 12-27-2023 07:47 AM
fw01-tgl-cph(config)# show conn all long
13 in use, 26 most used
TCP SD-WAN-1: 172.16.6.3/179 (172.16.6.3/179) NP Identity Ifc: 172.16.6.1/10719 (172.16.6.1/10719), flags UO , idle 21s, uptime 1h44m, timeout 1h0m, bytes 1974
Initiator: 172.16.6.1, Responder: 172.16.6.3
12-27-2023 08:05 AM - edited 12-27-2023 08:10 AM
I have cleared bgp sessions
clear conn protocol tcp port 30-65535 all
I saw state went to Idle, but then it established again.
I have added the interface to access-group on "out" direction as well since the ASA itself seems to be the initiator for the BGP
access-group DENY-ALL out interface SD-WAN-1
fw01-tgl-cph(config)# show conn all long protocol tcp address 172.16.6.3
13 in use, 26 most used
TCP SD-WAN-1: 172.16.6.3/179 (172.16.6.3/179) NP Identity Ifc: 172.16.6.1/30526 (172.16.6.1/30526), flags UO , idle 8s, uptime 5m29s, timeout 1h0m, bytes 283
Initiator: 172.16.6.1, Responder: 172.16.6.3
12-27-2023 08:43 AM
Yes, if there is a conn, and in your case the ASA initiates the traffic, so it builds a conn, so the inbound ACL is overridden by the conn and does not work.
Then you can use outbound or disable BGP.
MHM
12-27-2023 09:27 AM - edited 12-27-2023 09:27 AM
I have configured ASA to be passive for bgp so other side is the initiator for BGP. And I can see it from the connection now.
TCP SD-WAN-1: 172.16.6.3/14740 (172.16.6.3/14740) NP Identity Ifc: 172.16.6.1/179 (172.16.6.1/179), flags UOB , idle 8s, uptime 1h1m, timeout 1h0m, bytes 1233
Initiator: 172.16.6.3, Responder: 172.16.6.1
But I still get BGP established even after clearing the conn. I can see BGP go Idle and establish later.
My purpose is not to stop bgp, but to understand the behaviour of ASA in general.
12-27-2023 09:47 AM
How did you configure it as BGP passive? I see the ASA is the initiator, not the responder.
MHM
12-27-2023 10:15 AM
172.16.6.3 = Remote device
172.16.6.1 = ASA
router bgp 8989
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 172.16.6.3 remote-as 666
neighbor 172.16.6.3 transport connection-mode passive
12-27-2023 11:27 AM - edited 12-27-2023 11:27 AM
neighbor 172.16.6.3 transport connection-mode passive
All config is correct regarding BGP, but still one thing: I checked quickly and I don't get a clear idea.
The zone with control plane: you configured VLAN 6 with a zone and security level 0.
The zone here in ASA is different from the zone in FTD.
Routers have security zones.
ASA (or Firepower with ASA image) has security and zone (zone mainly for traffic, not for security).
FTD (Firepower with FTD image) uses security zones.
So I remember your last post; I think you merged both zone and security on the same interface and that explains this behavior.
Can you remove the zone from the VLAN, reconnect the BGP and check the control-plane security ACL?
MHM
12-27-2023 11:56 AM
I have removed zone and still same result. So I am really confused right now.
access-list DENY-ALL extended deny ip any any
access-list DENY-ALL extended deny tcp any any
access-group DENY-ALL in interface SD-WAN-1 control-plane
access-group DENY-ALL in interface SD-WAN-1
access-group DENY-ALL out interface SD-WAN-1
interface Ethernet1/10.6
vlan 6
nameif SD-WAN-1
security-level 0
ip address 172.16.6.1 255.255.255.0 standby 172.16.6.2
clear conn protocol tcp all address 172.16.6.3
1 connection(s) deleted.
fw01-tgl-cph(config)# show bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.6.3 4 666 0 0 1 0 0 00:00:09 Idle
172.16.7.3 4 666 163 136 3 0 0 02:26:00 0
After roughly 3 min the connection establishes again.
# show bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.6.3 4 666 0 0 1 0 0 00:02:54 Idle
172.16.7.3 4 666 166 138 3 0 0 02:28:45 0
fw01-tgl-cph(config)# show bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.6.3 4 666 4 3 3 0 0 00:00:22 0
172.16.7.3 4 666 166 138 3 0 0 02:29:08 0
fw01-tgl-cph(config)# show conn protocol tcp all address 172.16.6.3 long
TCP SD-WAN-1: 172.16.6.3/55225 (172.16.6.3/55225) NP Identity Ifc: 172.16.6.1/179 (172.16.6.1/179), flags UOB , idle 18s, uptime 2m2s, timeout 1h0m, bytes 207
Initiator: 172.16.6.3, Responder: 172.16.6.1
12-27-2023 12:27 PM
ciscoasa# show access-list DENY-ALL
Can you share this?
12-27-2023 12:33 PM
# show access-list DENY-ALL
access-list DENY-ALL; 2 elements; name hash: 0xfa20fecd
access-list DENY-ALL line 1 extended deny ip any any (hitcnt=55) 0x42b7c013
access-list DENY-ALL line 2 extended deny tcp any any (hitcnt=0) 0xba274680
12-27-2023 01:24 PM - edited 12-27-2023 01:25 PM
There is (hitcnt=55) so the ACL is working; clear BGP and check hitcnt.
And also, do you receive any prefix via BGP?
MHM
12-27-2023 01:56 PM - edited 12-27-2023 01:56 PM
I have reset the conn and cleared BGP. The session still establishes.
# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list DENY-ALL; 2 elements; name hash: 0xfa20fecd
access-list DENY-ALL line 1 extended deny ip any any (hitcnt=55) 0x42b7c013
access-list DENY-ALL line 2 extended deny tcp any any (hitcnt=0) 0xba274680
Yes, I do receive a route from the peer with the deny ACL.
# show route bgp
B 192.168.0.0 255.255.255.0 [20/0] via 172.16.6.3, 00:00:31
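As an added example (not code from this thread), a small Python script that parses the `show conn long` and `show access-list` output formats shown above, reports the initiator and responder of the TCP/179 connection, and diffs the per-ACE hit counters between two snapshots, which is the check MHM asks for. The sample output is constructed in the thread's format, not captured from the poster's device.

```python
import re

# Constructed sample output in the format shown in the thread (not a real capture).
CONN_OUTPUT = """13 in use, 26 most used
TCP SD-WAN-1: 172.16.6.3/55225 (172.16.6.3/55225) NP Identity Ifc: 172.16.6.1/179 (172.16.6.1/179), flags UOB , idle 18s, uptime 2m2s, timeout 1h0m, bytes 207
Initiator: 172.16.6.3, Responder: 172.16.6.1
"""
ACL_BEFORE_CLEAR = """access-list DENY-ALL; 2 elements; name hash: 0xfa20fecd
access-list DENY-ALL line 1 extended deny ip any any (hitcnt=55) 0x42b7c013
access-list DENY-ALL line 2 extended deny tcp any any (hitcnt=0) 0xba274680
"""
# Constructed: counters unchanged after the BGP session came back up.
ACL_AFTER_RESET = ACL_BEFORE_CLEAR

CONN_RE = re.compile(
    r"^TCP (?P<ifc_a>\S+): (?P<addr_a>[\d.]+)/(?P<port_a>\d+) \(\S+\) "
    r"(?P<ifc_b>.+?): (?P<addr_b>[\d.]+)/(?P<port_b>\d+) \(\S+\), flags (?P<flags>\w*)"
)
INIT_RE = re.compile(r"^Initiator: (?P<initiator>[\d.]+), Responder: (?P<responder>[\d.]+)")
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) \(hitcnt=(?P<hits>\d+)\)")


def parse_conns(text):
    """Return one dict per connection from 'show conn long' output."""
    conns, current = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = m.groupdict()
            current["port_a"], current["port_b"] = int(current["port_a"]), int(current["port_b"])
            # Identify the BGP session by the well-known TCP port 179 on either side.
            current["bgp"] = 179 in (current["port_a"], current["port_b"])
            conns.append(current)
            continue
        m = INIT_RE.match(line)
        if m and current is not None:
            current.update(m.groupdict())  # Initiator/Responder line follows the conn line
    return conns


def parse_hitcnt(text):
    """Map (acl name, line number) -> hit count from 'show access-list' output."""
    matches = (ACE_RE.match(line) for line in text.splitlines())
    return {(m["acl"], int(m["line"])): int(m["hits"]) for m in matches if m}


def hitcnt_delta(before, after):
    """Per-ACE increase between two snapshots; zero means that ACE saw none of the traffic."""
    return {key: after[key] - before.get(key, 0) for key in after}
```

Take the first snapshot, clear the conn and the BGP session, take the second snapshot once the session is re-established, and a zero delta on every ACE shows the session's packets never incremented the ACL counters.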
12-28-2023 05:38 AM
Since yesterday I have been thinking about this issue.
Now let's check if it is a bug or not.
You deny all and there is no conn for ICMP; try ping from the BGP peer and see if the ping succeeds.
Try telnet and see if it succeeds or not.
Do that and each time monitor the ACL hitcnt.
Also, do you use ASA 9.18 or a later version?
MHM