PIX NAT and BGP authentication clarification

michael.kopp (Level 1)

Hi all,

I did some tests regarding PIX and passing BGP traffic through this box.

When I configure the PIX to do no NAT (NAT 0) and configure a BGP session between two routers (one on the inside and one on the outside net), everything works OK.

When I configure BGP authentication, I have to add the "norandomseq" keyword to the NAT and STATIC commands because BGP auth incorporates TCP header info for authentication. That's OK.

But when I reconfigure the PIX to do real NAT between the inside and outside network and reconfigure my routers, the BGP session only comes up if BGP authentication is turned off. If I enable BGP authentication, I get MD5 authentication errors on the routers. (Note: "norandomseq" is turned on for the NAT and STATIC statements.)

Now my question is: is BGP not supported for NAT sessions on the PIX? (In my tests it only worked with a NAT 0 config; also, all examples I could find always work with a NAT 0 config.)

I think the problem is that the TCP pseudo-header changes at the NAT device and therefore it will never work, right? Or is there any internal BGP fixup which should fix that? I think this is almost impossible, as this is only known with the plain BGP password, right?

Regards

Michael

Accepted Solution

scoclayton (Level 7)

Your reasoning is dead on. BGP authentication works like this: the sending BGP peer takes an MD5 hash of the TCP header before sending the packet and includes this hash in the TCP header as an option. The BGP receiver receives the packet and also does an MD5 hash of the TCP header. He then compares his value to the value sent by the BGP sender. If they match, all is well. If they fail, the packet is discarded and you get the error messages you have been seeing.

Because NAT is going to modify the TCP source address, the TCP header is going to be modified, which is going to yield a different MD5 hash for the receiver than what the sender originally sent.

BGP authentication between peers through a PIX is only supported in a NAT 0 or identity static with the norandomseq option enabled.

Make sense?

Scott


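The mechanism Scott describes, and Michael's guess about the pseudo-header, can be checked against the actual RFC 2385 construction: the TCP MD5 signature option (kind 19) carries an MD5 digest computed over the TCP pseudo-header (source IP, destination IP, protocol, segment length), the fixed TCP header with the checksum zeroed, the segment data, and the shared password. The following Python is an added example, not code from this thread or from Cisco. It builds a constructed TCP segment carrying a BGP OPEN, signs it as the sender would, then re-verifies it as the receiver would in three cases: unchanged (NAT 0 / identity static with norandomseq), after a NAT device has rewritten the source address, and after the firewall has randomized the sequence number (what norandomseq disables). All addresses, ports, the password and the BGP OPEN contents are constructed; the TCP checksum is left at zero because RFC 2385 hashes the header with the checksum zeroed anyway.

```python
"""RFC 2385 TCP MD5 signature: why NAT and sequence randomization break BGP MD5 auth.
Added example; addresses, ports, password and BGP OPEN contents are constructed."""
import hashlib
import hmac
import ipaddress
import struct

TCP_MD5_OPTION_KIND = 19   # RFC 2385 "TCP MD5 Signature Option"
TCP_MD5_OPTION_LEN = 18    # kind (1) + length (1) + 16-byte digest
IPPROTO_TCP = 6
BGP_PORT = 179
FLAG_PSH_ACK = 0x018


def build_fixed_tcp_header(src_port, dst_port, seq, ack, data_offset_words, window=16384):
    """20-byte TCP header without options; checksum left at 0 (it is zeroed in the hash anyway)."""
    offset_flags = (data_offset_words << 12) | FLAG_PSH_ACK
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """RFC 2385 section 2: MD5 over, in order, (1) the TCP pseudo-header,
    (2) the TCP header excluding options with checksum = 0, (3) the data, (4) the key."""
    if len(fixed_header) != 20:
        raise ValueError("fixed TCP header must be 20 bytes")
    seg_len = len(fixed_header) + options_len + len(payload)   # header + options + data
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))
    zero_cksum_header = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(pseudo + zero_cksum_header + payload + key).digest()


def sign_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key):
    """Sender side: fixed header + [NOP, NOP, MD5 option] + payload."""
    options_len = 2 + TCP_MD5_OPTION_LEN          # two NOPs pad the options to 20 bytes
    data_offset_words = (20 + options_len) // 4   # 10 words = 40-byte TCP header
    fixed = build_fixed_tcp_header(src_port, dst_port, seq, ack, data_offset_words)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, options_len, payload, key)
    options = b"\x01\x01" + bytes([TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN]) + digest
    return fixed + options + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest from the addresses that actually arrived in the
    IP header (the crux when NAT sits in the path) and compare with the option's digest."""
    fixed = segment[:20]
    data_offset = (fixed[12] >> 4) * 4
    options, payload = segment[20:data_offset], segment[data_offset:]
    received, i = None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == TCP_MD5_OPTION_KIND and length == TCP_MD5_OPTION_LEN:
            received = options[i + 2:i + length]
        i += length
    if received is None:
        return False                       # unsigned segment on a signed session is dropped
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def randomize_seq(segment, delta):
    """Model the firewall's TCP sequence-number randomization (what norandomseq turns off)."""
    seq = struct.unpack("!I", segment[4:8])[0]
    return segment[:4] + struct.pack("!I", (seq + delta) & 0xFFFFFFFF) + segment[8:]


def bgp_open(my_as, hold_time, bgp_id):
    """Minimal BGP OPEN: 16-byte marker, length, type 1, version 4, AS, hold time, ID, no options."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, 0)
    return b"\xff" * 16 + struct.pack("!HB", 16 + 3 + len(body), 1) + body


def demo():
    """Verification outcome for each scenario discussed in the thread."""
    key = b"bgp-secret"                                                # constructed password
    inside, outside, nat_pool = "10.1.1.1", "192.0.2.1", "203.0.113.5"  # constructed addresses
    payload = bgp_open(65001, 90, int(ipaddress.IPv4Address(inside)))
    seg = sign_segment(inside, outside, 20000, BGP_PORT, 1000, 5000, payload, key)
    return {
        # NAT 0 / identity static + norandomseq: addresses and seq arrive unchanged -> OK
        "nat0_norandomseq": verify_segment(inside, outside, seg, key),
        # real NAT: source IP rewritten, pseudo-header differs -> MD5 failure
        "nat_rewrites_source": verify_segment(nat_pool, outside, seg, key),
        # NAT 0 without norandomseq: seq rewritten, header differs -> MD5 failure
        "nat0_seq_randomized": verify_segment(inside, outside, randomize_seq(seg, 0x1234567), key),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:22s} {'MD5 OK' if ok else 'MD5 authentication failure'}")
```

Because the digest covers the IP addresses via the pseudo-header, no firewall "fixup" can repair it without knowing the password, and because it also covers the sequence number, even a NAT 0 path fails unless sequence randomization is disabled with norandomseq.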
2 Replies


Hi Scott,

Thanks for the confirmation and explanation.

Michael
