You could try to add the norandomseq at the end of the static. Also you can add (I think you might have this already bgpmap?)

tcp-map BGP
 tcp-options range 19 19 allow

set connection advanced-options BGP

But to be honest I have never been able to get BGP to work if it's behind a NAT. Actually, I believe I read somewhere that it doesn't work if it's behind a NAT.

-B

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, September 15, 2009 9:38 AM
To: [email protected]
Subject: [OSL | CCIE_Security] BGP across ASA with neigbor of NATTed address

Hi all

For having BGP across ASA, I have tried the following solution:

Peer A (10.20.30.40) -------------------------(10.20.30.43) inside ASA outside (172.16.3.3) --------------------------------(172.16.3.2) Peer B

Peer A

router bgp 2
 neighbor 172.16.3.2

ASA

static (inside,outside) 172.16.3.4 10.20.30.40
access-list bgp extended permit tcp any any eq bgp
access-list bgp extended permit tcp any eq bgp any
class-map bgp
 match access-list bgp
policy-map global_policy
 class bgp
  set connection random-sequence-number disable
  set connection advanced-options bgpmap

Peer B

router bgp 2
 neighbor 172.16.3.4

In the ASA, I am translating the source IP of the BGP packet. In BGP, the IP address in the packet should match the address configured in the neighbor list. So in Peer the neighbor is NATTed address not the original IP address.

BGP connection is established, but if authentication is configured the MD5 signature fails with a hash mismatch (maybe due to translation of the IP address).

With regards
Kings
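Why the MD5 check discussed in this thread is sensitive to in-path rewriting, as an added example that is not part of the original messages: the RFC 2385 TCP MD5 digest (TCP option 19) is computed over the pseudo-header addresses and the TCP header, including the sequence number, so a segment whose source address or sequence number changes in transit no longer verifies. The addresses come from the thread; the ports, sequence number, window, key and the 40-byte header layout are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

# Assumed layout: 20-byte base header + 18-byte MD5 option (kind 19) + 2 pad bytes.
HEADER_LEN = 40

def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """RFC 2385 digest: pseudo-header + TCP header (no options, checksum 0) + data + key."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, HEADER_LEN + len(payload))
    offset_flags = ((HEADER_LEN // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()

def receiver_accepts(sent, received, key):
    """The sender signs `sent`; the receiver recomputes over `received` and compares."""
    carried = tcp_md5_digest(**sent, key=key)        # digest Peer A places in option 19
    expected = tcp_md5_digest(**received, key=key)   # what Peer B computes from the wire
    return hmac.compare_digest(carried, expected)

# Constructed sample: Peer A's SYN to Peer B's BGP port (addresses from the thread).
KEY = b"example-bgp-password"  # constructed
SYN = dict(src_ip="10.20.30.40", dst_ip="172.16.3.2", sport=49152, dport=179,
           seq=1000, ack=0, flags=0x02, window=16384, payload=b"")

def run_cases():
    """Return whether Peer B would accept the segment under each in-path rewrite."""
    natted = dict(SYN, src_ip="172.16.3.4")  # static (inside,outside) source rewrite
    reseq = dict(SYN, seq=(SYN["seq"] + 0x5A5A5A5A) & 0xFFFFFFFF)  # sequence randomization
    return {
        "untouched": receiver_accepts(SYN, SYN, KEY),
        "source NAT": receiver_accepts(SYN, natted, KEY),
        "sequence randomized": receiver_accepts(SYN, reseq, KEY),
    }

if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:20} {'accepted' if ok else 'rejected'}")
```

Disabling sequence randomization removes only the third failure; the translated source address still changes the pseudo-header that the digest covers.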
