Kings,

You are correct, you can't use NAT when authenticating BGP; the IP address needs to be preserved end to end to ensure the integrity (hash) of the packet is maintained.

So make sure you use static identity NAT if needed.

Stu

2009/9/15 Kingsley Charles <[email protected]>

> I am able to establish both IBGP and EBGP (with ebgp-multihop 2) behind
> NAT. It's just a TCP connection, right, so it should work, and it did work for me.
>
> But as I configured the authentication, the BGP connection was torn down
> due to MD5 mismatch.
>
> And it must be due to changing the source address by NAT, as Waldemar
> mentioned.
>
> With regards
> Kings
>
> On Tue, Sep 15, 2009 at 8:09 PM, Basem Hanna <[email protected]> wrote:
>
>> You could try to add the norandomseq at the end of the static.
>>
>> Also you can add (I think you might have this already, bgpmap?)
>>
>> tcp-map BGP
>>  tcp-options range 19 19 allow
>>
>> set connection advanced-options BGP
>>
>> But to be honest I have never been able to get BGP to work if it's behind
>> a NAT. Actually, I believe I read somewhere that it doesn't work if it's
>> behind a NAT.
>>
>> -B
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Tuesday, September 15, 2009 9:38 AM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] BGP across ASA with neighbor of NATted address
>>
>> Hi all
>>
>> For having BGP across ASA, I have tried the following solution:
>>
>> Peer A (10.20.30.40) ------------------ (10.20.30.43) inside ASA outside (172.16.3.3) ------------------ (172.16.3.2) Peer B
>>
>> Peer A
>>
>> router bgp 2
>>  neighbor 172.16.3.2
>>
>> ASA
>>
>> static (inside,outside) 172.16.3.4 10.20.30.40
>>
>> access-list bgp extended permit tcp any any eq bgp
>> access-list bgp extended permit tcp any eq bgp any
>>
>> tcp-map bgpmap
>>  tcp-options range 19 19 allow
>>
>> class-map bgp
>>  match access-list bgp
>>
>> policy-map global_policy
>>  class bgp
>>   set connection random-sequence-number disable
>>   set connection advanced-options bgpmap
>>
>> Peer B
>>
>> router bgp 2
>>  neighbor 172.16.3.4
>>
>> In the ASA, I am translating the source IP of the BGP packet. In BGP, the
>> IP address in the packet should match the address configured in the
>> neighbor list.
>>
>> So in Peer B the neighbor is the NATted address, not the original IP address.
>>
>> BGP connection is established, but if authentication is configured the MD5
>> signature fails with hash mismatch (maybe due to translation of the IP
>> address).
>>
>> With regards
>>
>> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
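As an added illustration of the MD5 mismatch discussed in this thread (example code, not from any of the posters): the Python below recomputes the RFC 2385 TCP MD5 signature the way a BGP speaker does, as MD5 over the TCP pseudo-header (source and destination IP, protocol, segment length), the fixed TCP header with the checksum zeroed and options excluded, the payload, and finally the shared key. It then shows that the source-address rewrite done by the ASA static, or a randomized TCP sequence number, gives Peer B a different digest from the one Peer A put in option 19, while an identity translation leaves it intact. The addresses follow the diagram in the thread; the key, ports, sequence numbers and the KEEPALIVE payload are constructed for the example.

```python
import hashlib
import socket
import struct

TCP_PROTO = 6


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, data_offset,
                   flags, window, urg, payload, key):
    """RFC 2385 TCP MD5 signature for one segment.

    Digest input, in order: IPv4 pseudo-header, the 20-byte TCP header with
    the checksum field zeroed (options are NOT included), the segment data,
    and the connection key. data_offset is the header length in 32-bit words
    (10 here: 20 bytes of base header plus 20 bytes of options, i.e. the
    18-byte MD5 option padded with two NOPs).
    """
    seg_len = data_offset * 4 + len(payload)
    pseudo = struct.pack("!4s4sBBH",
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, TCP_PROTO, seg_len)
    off_flags = (data_offset << 12) | (flags & 0x01FF)
    tcp_hdr = struct.pack("!HHIIHHHH",
                          sport, dport, seq, ack, off_flags, window, 0, urg)
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()


# Constructed payload: a BGP KEEPALIVE (16-byte marker, length 19, type 4).
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
# Constructed shared secret; the thread does not give one.
KEY = b"s3cret"

# The segment as Peer A (10.20.30.40) builds it towards Peer B (172.16.3.2).
# Ports, seq/ack and window are constructed values.
SENT = dict(src_ip="10.20.30.40", dst_ip="172.16.3.2", sport=40001, dport=179,
            seq=0x11111111, ack=0x22222222, data_offset=10, flags=0x018,
            window=16384, urg=0, payload=KEEPALIVE, key=KEY)


def digest_as_sent():
    """The digest Peer A places in TCP option 19."""
    return tcp_md5_digest(**SENT)


def digest_as_received(**changes):
    """The digest Peer B recomputes from the header it actually receives,
    after a middlebox has applied the given field changes."""
    return tcp_md5_digest(**dict(SENT, **changes))


def verifies(**changes):
    """True if Peer B's recomputation still matches what Peer A sent."""
    return digest_as_received(**changes) == digest_as_sent()


if __name__ == "__main__":
    print("no middlebox:              ", verifies())
    # static (inside,outside) 172.16.3.4 10.20.30.40 rewrites the source
    print("static NAT to 172.16.3.4:  ", verifies(src_ip="172.16.3.4"))
    # ASA sequence-number randomization shifts the ISN by a random offset
    print("randomized sequence number:", verifies(seq=0x11111111 + 0x5A5A5A5A))
    # static identity NAT: address on the wire is unchanged
    print("identity NAT 10.20.30.40:  ", verifies(src_ip="10.20.30.40"))
```

Two separate things therefore have to hold for the signature to survive the ASA: the addresses in the pseudo-header must be the ones each peer has configured as its neighbor (identity NAT rather than a translating static), and the sequence numbers must pass unchanged (random-sequence-number disable, or norandomseq on the static). The option itself (kind 19) still has to be permitted through the tcp-map, but permitting it does not help if either of the hashed fields has been rewritten.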
