Hi Kings,

The trouble is the translation. From http://www.ietf.org/rfc/rfc2385.txt:

Every segment sent on a TCP connection to be protected against spoofing will
contain the 16-byte MD5 digest produced by applying the MD5 algorithm to these
items in the following order:

       1. the TCP pseudo-header (in the order: source IP address, destination
          IP address, zero-padded protocol number, and segment length)
       2. the TCP header, excluding options, and assuming a checksum of zero
       3. the TCP segment data (if any)
       4. an independently-specified key or password, known to both TCPs and
          presumably connection-specific

Regards,

Waldemar Pera
"Murphy is out there, ready to make your life miserable"
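To make the RFC text above concrete, here is an added example (my own code, not from the list, the RFC or Cisco) that computes the RFC 2385 digest over a constructed BGP KEEPALIVE segment the way Peer A signs it, then verifies it the way Peer B would, once with Peer A's real address and once with the address the ASA static presents. The addresses follow the diagram in Kings' post; the neighbor password, ports, sequence numbers and the KEEPALIVE bytes are assumed.

```python
"""Added example: RFC 2385 TCP MD5 digest and why NAT of an endpoint address breaks it.

Not code from the list or the RFC. Addresses follow the diagram in the original
post; the key, ports and sequence numbers are assumed, and the KEEPALIVE is
constructed by hand.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179

PEER_A = "10.20.30.40"      # Peer A's real address (inside the ASA)
PEER_A_NAT = "172.16.3.4"   # what the ASA static translates Peer A to
PEER_B = "172.16.3.2"
KEY = b"bgp-secret"         # assumed shared neighbor password


def tcp_base_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """20-byte TCP header as RFC 2385 hashes it: no options, checksum and urgent pointer zero.

    data_offset_words still counts the options, because the wire header does.
    """
    return struct.pack(
        "!HHIIBBHHH",
        sport, dport, seq, ack,
        data_offset_words << 4,  # data offset in 32-bit words; reserved bits zero
        flags, window,
        0,                       # checksum, "assuming a checksum of zero"
        0,                       # urgent pointer
    )


def rfc2385_digest(src_ip, dst_ip, base_header, options, payload, key):
    """MD5 over items 1-4 of RFC 2385 section 2, in that order.

    The pseudo-header carries the source and destination IP, so NAT of either
    address changes the digest even though the TCP header and data are untouched.
    """
    segment_len = len(base_header) + len(options) + len(payload)
    pseudo = (
        socket.inet_aton(src_ip)
        + socket.inet_aton(dst_ip)
        + struct.pack("!BBH", 0, TCP_PROTO, segment_len)  # zero pad, protocol, TCP length
    )
    md5 = hashlib.md5()
    md5.update(pseudo)       # 1. pseudo-header
    md5.update(base_header)  # 2. TCP header without options, checksum zero
    md5.update(payload)      # 3. segment data
    md5.update(key)          # 4. shared key
    return md5.digest()


def md5_option(digest):
    """TCP option kind 19, length 18, carrying the digest; two NOPs pad it to 32 bits."""
    return bytes([19, 18]) + digest + b"\x01\x01"


def verify(src_ip, dst_ip, base_header, options, payload, key, received):
    """Receiver-side check: recompute from the addresses the receiver actually sees."""
    expected = rfc2385_digest(src_ip, dst_ip, base_header, options, payload, key)
    return hmac.compare_digest(expected, received)


def demo():
    """Peer A signs a KEEPALIVE; Peer B verifies it with and without the ASA translation."""
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # constructed BGP KEEPALIVE (length 19, type 4)
    base = tcp_base_header(49152, BGP_PORT, seq=1000, ack=2000, flags=0x18, window=65535,
                           data_offset_words=10)  # 20-byte header plus 20 bytes of options
    placeholder = md5_option(b"\x00" * 16)  # option bytes count toward the length but are never hashed
    digest = rfc2385_digest(PEER_A, PEER_B, base, placeholder, keepalive, KEY)
    options = md5_option(digest)

    return {
        "digest": digest,
        # Peer B sees Peer A's real address: the signature verifies.
        "accepted_without_nat": verify(PEER_A, PEER_B, base, options, keepalive, KEY, digest),
        # Across the ASA static, Peer B sees 172.16.3.4 as the source: hash mismatch.
        "accepted_with_nat": verify(PEER_A_NAT, PEER_B, base, options, keepalive, KEY, digest),
    }


if __name__ == "__main__":
    result = demo()
    print("digest:", result["digest"].hex())
    print("accepted without NAT:", result["accepted_without_nat"])
    print("accepted with NAT:   ", result["accepted_with_nat"])
```

Two details worth noticing: the MD5 option's own bytes are excluded from the hash (the header is hashed "excluding options"), but they are still counted in the segment length carried in the pseudo-header; and the checksum is hashed as zero because the real checksum is computed after the option is filled in. Neither of those is what breaks the session here; it is purely the source address in the pseudo-header, which the ASA rewrites and which neither peer can see the other's view of.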



From: Kingsley Charles 
Sent: Tuesday, September 15, 2009 10:37 AM
To: [email protected] 
Subject: [OSL | CCIE_Security] BGP across ASA with neighbor of NATed address


Hi all

To run BGP across an ASA, I have tried the following solution:



Peer A (10.20.30.40) -------------------------(10.20.30.43) inside ASA outside 
(172.16.3.3) --------------------------------(172.16.3.2) Peer B

Peer A

router bgp 2
 neighbor 172.16.3.2 remote-as 2

ASA

static (inside,outside) 172.16.3.4 10.20.30.40

access-list bgp extended permit tcp any any eq bgp
access-list bgp extended permit tcp any eq bgp any

class-map bgp
 match access-list bgp

policy-map global_policy
 class bgp
  set connection random-sequence-number disable
  set connection advanced-options bgpmap

Peer B

router bgp 2
 neighbor 172.16.3.4 remote-as 2


In the ASA, I am translating the source IP of the BGP packet. In BGP, the IP
address in the packet must match the address configured in the neighbor
list, so on Peer B the neighbor is the NATed address, not the original IP address.


The BGP connection is established, but if authentication is configured the MD5
signature fails with a hash mismatch (maybe due to the translation of the IP
address).

With regards
Kings




_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com