BGP MD5 W/ NAT ENABLED ON PIX

bcommerford
Level 1

Does anyone know if NATing a BGP peer's address on the PIX with MD5 enabled is achievable?

I know the 'norandomseq' tag on a static will work for a regular BGP implementation; however, this did not work for a NAT implementation.

The Cisco doc for BGP peering via a firewall states that the hash is calculated on the TCP sequence number, although it appears to include the SA/DA from the IP header.

1 Reply

scoclayton
Level 7

Unfortunately, not possible at this time. BGP authentication authenticates the IP header (including the TCP checksum). When you change the source IP address via NAT, the TCP checksum is changed and the packet is no longer valid. The only choices for this type of design are either to "no-nat" the hosts (translate them back to their same address) or to not include the IP header in the TCP checksum, but I am not aware of any "knobs" planned for this in IOS.

Sorry but hope this helps confirm your thoughts.

Scott
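
Added example (not part of the original thread, and not Cisco code): the signature that protects a BGP session is the TCP MD5 Signature Option of RFC 2385. Its digest is computed over the TCP pseudo-header (source address, destination address, protocol, segment length), the fixed TCP header with the checksum zeroed, the segment payload, and the shared key. The script below builds that digest for a constructed BGP KEEPALIVE and shows why a static NAT on the PIX breaks the session while a translation back to the same address does not. Addresses, ports, sequence numbers and the key are all made up for the demonstration.

```python
import hashlib
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179
TCP_FLAG_PSH_ACK = 0x18

# Constructed sample payload: a BGP KEEPALIVE (16-byte all-ones marker, length 19, type 4).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

# The MD5 option itself (kind 19, length 18) plus two NOPs of padding = 20 bytes.
MD5_OPTION_LEN = 20


def build_tcp_header(sport, dport, seq, ack, flags, window, options_len):
    """Fixed 20-byte TCP header with the checksum field zeroed.

    The data offset counts the header plus options in 32-bit words; the
    checksum is left at zero because that is the value RFC 2385 hashes.
    """
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, options_len, payload, key):
    """RFC 2385 TCP MD5 Signature Option digest.

    Hashes, in order: the TCP pseudo-header (source IP, destination IP,
    zero, protocol 6, segment length including options), the 20-byte TCP
    header excluding options with checksum zeroed, the payload, and the key.
    """
    if len(tcp_header) != 20:
        raise ValueError("tcp_header must be the fixed 20-byte header, no options")
    seg_len = len(tcp_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    zeroed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]  # checksum field
    return hashlib.md5(pseudo + zeroed + payload + key).digest()


def peer_accepts(sender_src, sender_dst, translated_src, translated_dst,
                 tcp_header, options_len, payload, key):
    """Does the receiving router's recomputed digest match the one it was sent?

    The sender signs with the addresses it put in its own IP header; the
    receiver recomputes over the addresses it actually sees after any NAT
    on the path (hypothetical helper written for this demonstration).
    """
    sent = tcp_md5_digest(sender_src, sender_dst, tcp_header, options_len, payload, key)
    seen = tcp_md5_digest(translated_src, translated_dst, tcp_header, options_len, payload, key)
    return sent == seen


if __name__ == "__main__":
    key = b"bgp-shared-secret"  # constructed
    hdr = build_tcp_header(BGP_PORT, 40001, 0x1000, 0x2000,
                           TCP_FLAG_PSH_ACK, 16384, MD5_OPTION_LEN)
    # Static NAT on the firewall rewrites 10.1.1.1 to 192.0.2.1 on the way out.
    print("NAT to a different address:",
          peer_accepts("10.1.1.1", "198.51.100.2", "192.0.2.1", "198.51.100.2",
                       hdr, MD5_OPTION_LEN, BGP_KEEPALIVE, key))
    # "no-nat": translated to the same address, so the digest survives.
    print("translated to itself:",
          peer_accepts("10.1.1.1", "198.51.100.2", "10.1.1.1", "198.51.100.2",
                       hdr, MD5_OPTION_LEN, BGP_KEEPALIVE, key))
```

Two things fall out of the digest layout that matter on a PIX: the sequence number sits inside the hashed TCP header, so sequence-number randomization also invalidates the signature even when no address changes (that is what 'norandomseq' on the static disables), and the addresses sit inside the pseudo-header, so there is no static or translation rule that can rewrite them and still leave the peer's recomputed digest equal to the one it received.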
