02-23-2007 08:23 PM - edited 03-11-2019 02:37 AM
Hello all,
I have a problem with eBGP with MD5 through PIX 7.1.
As you know, to pass BGP with MD5 traffic through PIX 6.3, I had to apply a special configuration: the norandomseq option on the static NAT configuration.
static (i,o) 1.1.1.1 1.1.1.1 norandomseq
Thus, in PIX 6.3, there is no issue for eBGP with MD5 through the PIX.
But after upgrading the PIX from 6.3 to 7.1, BGP with MD5 does not work properly.
Please let me know how I can pass the eBGP with MD5 traffic on the PIX 7.2 code.
Regards,
John.
02-23-2007 11:04 PM
Hi John, the problem with the PIX 7.0 code is this: what actually happens when authentication is set with BGP is that a hash of the payload is sent along with the TCP segment. This is called option 19 in TCP.
The PIX by default removes any TCP options set with it.
To get this resolved, I am sure you would have heard of something called a tcp-map. In the tcp-map, set the parameter for allowing option 19.
It will resolve your problem for sure.
I am not sure about the commands, but I have done it before.
Hope this helps.
Regards,
Sebastan
02-24-2007 04:18 AM
BGP uses TCP option 19, which is not permitted to pass through a PIX/ASA running 7.0 or higher. To permit traffic with this TCP option, the following tcp-map must be applied:
tcp-map BGP-MD5
  tcp-options range 19 19 allow
class-map BGP-MD5-CLASSMAP
  match port tcp eq 179
policy-map global_policy
  class BGP-MD5-CLASSMAP
    set connection advanced-options BGP-MD5
    set connection random-sequence-number disable
Also note that randomization of TCP sequence numbers must be disabled (you have already taken care of this using the "norandomseq" option in the static command).
This used to be done at the end of the static command, but the preferred option in 7.x and above is to use MPF and apply it via the policy-map. In addition, the addresses cannot be NATed. This is because the MD5 hash takes into account the IP header as well as the TCP header, therefore none of it can be changed.
Hope this resolves the issue.
Regards,
Vibhor.
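The reason behind Vibhor's two constraints (no sequence-number randomization, no NAT) is visible if you compute the RFC 2385 signature yourself. The script below is an added example and is not part of the thread or of any Cisco code: it builds a constructed BGP KEEPALIVE segment, computes the TCP-MD5 digest over the pseudo-header (source/destination IP), the fixed TCP header (with the checksum zeroed) and the payload, and then replays the receiver-side check after the three things a firewall might do to it: strip option 19, rewrite the source address (NAT), or rewrite the sequence number (randomization). The addresses, ports and password are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_MD5_OPTION_KIND = 19   # RFC 2385 signature option (the option the PIX strips by default)
TCP_MD5_OPTION_LEN = 18    # kind(1) + length(1) + 16-byte MD5 digest
BGP_PORT = 179


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, data_offset_words):
    """Fixed 20-byte TCP header; checksum and urgent pointer left at zero.
    data_offset_words counts header + options in 32-bit words."""
    offset_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password):
    """RFC 2385 section 2: MD5 over the TCP pseudo-header, the fixed TCP header
    (options excluded, checksum assumed zero), the segment data and the password."""
    data_offset_words = tcp_header[12] >> 4
    seg_len = data_offset_words * 4 + len(payload)          # header + options + data
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))           # zero pad, protocol 6 (TCP), length
    header_no_cksum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header_no_cksum + payload + password).digest()


def md5_option(digest):
    """Encode the signature as TCP option 19, padded with two NOPs to a 4-byte boundary."""
    return bytes([TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN]) + digest + b"\x01\x01"


def parse_tcp_options(options):
    """Return a list of (kind, value) for each option; EOL (0) and NOP (1) carry no length."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        found.append((kind, options[i + 2:i + length]))
        i += length
    return found


def has_md5_signature(options):
    """True if option 19 survived the path (what the tcp-map above is meant to guarantee)."""
    return any(kind == TCP_MD5_OPTION_KIND for kind, _ in parse_tcp_options(options))


def verify_segment(src_ip, dst_ip, tcp_header, options, payload, password):
    """Receiver-side check: recompute the digest and compare it with the one carried in option 19."""
    for kind, value in parse_tcp_options(options):
        if kind == TCP_MD5_OPTION_KIND:
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password)
            return hmac.compare_digest(value, expected)
    return False   # no signature at all: a peer configured for MD5 drops the segment


def demo():
    """Sign one constructed KEEPALIVE and show which middlebox changes break the check."""
    password = b"constructed-bgp-secret"
    payload = b"\xff" * 16 + b"\x00\x13\x04"   # constructed BGP KEEPALIVE: marker, length 19, type 4
    src, dst = "192.0.2.1", "198.51.100.1"      # constructed peer addresses (documentation ranges)
    hdr = build_tcp_header(BGP_PORT, 40000, seq=1000, ack=2000, flags=0x018,
                           window=16384, data_offset_words=10)   # 20-byte header + 20 bytes of options
    opts = md5_option(tcp_md5_digest(src, dst, hdr, payload, password))
    # Same segment with the sequence number rewritten, as sequence-number randomization would do.
    rand_hdr = build_tcp_header(BGP_PORT, 40000, seq=1000 + 0x12345, ack=2000, flags=0x018,
                                window=16384, data_offset_words=10)
    return {
        "untouched": verify_segment(src, dst, hdr, opts, payload, password),
        "option_stripped": verify_segment(src, dst, hdr, b"\x01\x01", payload, password),
        "source_natted": verify_segment("203.0.113.9", dst, hdr, opts, payload, password),
        "seq_randomized": verify_segment(src, dst, rand_hdr, opts, payload, password),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} -> {'verified' if ok else 'REJECTED'}")
```

Only the untouched segment verifies; stripping the option, translating the source address, or changing the sequence number all produce a mismatch at the receiving speaker, which is why the tcp-map must allow option 19, sequence-number randomization must be off, and the BGP peers must not be NATed.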