01-04-2009 06:13 PM - edited 03-11-2019 07:32 AM
I do not have a Pix at the moment to test to I'll ask this question:
R1---(i)Pix(o)---R2
R1 is doing eBGP with MD5 authentication with R2. Pix is in routed mode.
With Pix code 6.3.x, I have to do this:
static (i,o) r1 r1 netmask 255.255.255.255 norandom
Question:
With version 7.x or 8.x, let say the only thing I have on the Pix
is "no nat-control". Do I still need to modify the inspection
so that eBGP with MD5 authentication to work across the Pix? In
version 7.x and 8.x code, by default, does the Pix/ASA automatically
randomize the TCP sequence between interfaces?
01-05-2009 12:30 PM
Hello David
Consider BGP as any other TCP connection.. Refer to the following URL.. might be of good help to you:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml#asa
Let us know..
Raj
01-06-2009 06:46 AM
The document is not clear on what I asked.
As you can see in the example, it has
static (i,o) x.x.x.x x.x.x.x /32 in there.
My question has to do with "no nat-control"
and NO static, do you still need policy map
for eBGP with MD5 authentication
01-06-2009 08:55 AM
You will still have to configure policymap, for md5 authentication, starting from 7.x.. with 6.3, it was allowed explicitely, but not from 7.x.. Interesting material that I saw online:
"When BGP is configured with authentication, two things happen. First, an MD5 hash is computed including the password and the TCP sequence number of the packet, among other things. Second, that hash is attached to the packet via TCP option 19.
By default, a security appliance running 7.x clears option 19 and offsets the sequence number by a random number, per TCP flow. This makes BGP really unhappy when it is transiting the firewall. So, lets allow option 19 back through. To do this, you should configure the inspection of the BGP traffic and then configure a tcp-map that can be used when the ASA inspects the BGP TCP packets. Assign it all to a policy map and service policy and you're good.
the routers still aren't happy.
There are two ways to disable the randomization when the security appliance is in routed mode. The first way is accomplished via the static command.
static (inside,outside) 136.1.121.1 136.1.121.1 netmask 255.255.255.255 norandomseq
In transparent mode there is no NAT, so the norandomseq switch can't be used on the static command. Instead, the randomization needs to be shut off when the packet gets inspected. Returning to the class of traffic we configured earlier, we can disable the randomization for only our BGP traffic:
class BGP_TRAFFIC
set connection random-sequence-number disable
set connection advanced-options BGP_TCP_MAP
Now things should working and the neighbours should be UP "
Does this answer your question ? All the best. rate replies if found useful..
Raj
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide