Everyone,
I have tried to get BGP w/ auth up and running using 'norandomseq' on the static command to no avail. I continue to get invalid MD5 digest. It definitely works if I disable randomization under the policy map, but not doing it under static nat. Here is the configlet:

    static (inside,outside) 10.2.2.1 10.2.2.1 netmask 255.255.255.255 norandomseq
    static (outside,inside) 192.1.24.4 192.1.24.4 netmask 255.255.255.255 norandomseq

The BGP session is between 10.2.2.1 and 192.1.24.4

    *Mar 1 01:17:50.119: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.24.4(31123) to 10.2.2.1(179)

Has anyone else run into this?

Thanks,
Jamie Brogdon

_____

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, September 15, 2009 8:44 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] BGP across ASA

Hi all

One more clarification. In my setup, I have disabled nat-control using "no nat-control". Both the interfaces connected to the BGP peers are with security-level 100. Even if NAT is disabled on the ASA, the tcp port number is randomized and the following should be configured to disable it:

    set connection random-sequence-number disable

Now, if I enable NAT control (nat-control), is the above command sufficient or should I include "norandomseq" in the static cmd? I tried configuring static without "norandomseq" and I don't see any issues. It seems the policy map overwrites the NAT rule.

With regards
Kings

On Tue, Sep 15, 2009 at 6:02 PM, Kingsley Charles <[email protected]> wrote:

Hi all

Thanks to all for your inputs.

With regards
Kings

On Tue, Sep 15, 2009 at 5:36 PM, Pieter-Jan Nefkens <[email protected]> wrote:

Hi,

Check the following document:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml

If BGP authentication is used, the ASA must have the tcp-map enabled, because the MD5 hash is also over the tcp options in the header. So you must use a tcp-map option.

Pieter-Jan

On 15 sep 2009, at 13:56, Kingsley Charles wrote:

Hi all

It's pretty straightforward and I am trying to have BGP across an ASA. I get this error:

    %TCP-6-BADAUTH: No MD5 digest from <remote addr> (53396) to <local addr> (179)

I see this issue only when the BGP is crossing the ASA. What could be the reason? Even if the ASA modifies the packet, I should get:

    %TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
Think before you print.
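Editor's note, added to this thread and not part of any poster's message: the two symptoms in the thread have two different causes on the ASA. The TCP MD5 signature (RFC 2385, TCP option 19) is computed by the router over the IP pseudo-header, the TCP header with the checksum zeroed, the segment data and the shared key. Because the TCP header includes the sequence and acknowledgement numbers, an ASA that rewrites the initial sequence number (ISN randomization, on by default) produces a segment whose digest no longer verifies, hence "Invalid MD5 digest". Separately, the ASA's TCP normalizer strips TCP options it has not been told to allow, so if option 19 itself is removed the router logs "No MD5 digest" instead. Both have to be fixed; "norandomseq" on a static only addresses the first and only for connections that static actually translates. The following ASA 8.x configuration (example assembled here, not taken from the Cisco document linked above; the addresses are Jamie's, the names BGP-PEERS, BGP-SESSION and BGP-MD5-OPTIONS are assumptions) applies both settings to the BGP session:

```text
! Added example (not from the thread). ASA 8.x syntax.
!
! 1. Classify the BGP session between the two peers. The SYN that
!    opens the session carries destination port 179, and the class
!    is attached to the resulting connection in both directions.
access-list BGP-PEERS extended permit tcp host 10.2.2.1 host 192.1.24.4 eq 179
access-list BGP-PEERS extended permit tcp host 192.1.24.4 host 10.2.2.1 eq 179
class-map BGP-SESSION
 match access-list BGP-PEERS

! 2. Let TCP option 19 (MD5 signature) through the TCP normalizer
!    instead of clearing it. Without this the router sees
!    "%TCP-6-BADAUTH: No MD5 digest ...".
tcp-map BGP-MD5-OPTIONS
 tcp-options range 19 19 allow

! 3. Attach both to the class in the global policy. Disabling ISN
!    randomization leaves the sequence numbers the digest was
!    computed over untouched; otherwise the router sees
!    "%TCP-6-BADAUTH: Invalid MD5 digest ...".
policy-map global_policy
 class BGP-SESSION
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5-OPTIONS

! global_policy is already applied on a default install; if it is
! not, apply it.
service-policy global_policy global

! 4. Only relevant with nat-control enabled: if a static covers the
!    peers, the same exemption can be stated on the NAT side as well,
!    exactly as Jamie posted. It does not replace step 2.
static (inside,outside) 10.2.2.1 10.2.2.1 netmask 255.255.255.255 norandomseq
static (outside,inside) 192.1.24.4 192.1.24.4 netmask 255.255.255.255 norandomseq
```

To confirm the class actually matches the session, check which policy the firewall would apply to a SYN for the peer, e.g. `show service-policy flow tcp host 192.1.24.4 host 10.2.2.1 eq 179`, and after the session comes up verify with `show conn` that the connection between the peers exists and that the router-side log stops reporting %TCP-6-BADAUTH. Note that the class is scoped to the two peer addresses on purpose: ISN randomization is a deliberate protection against sequence-number prediction for hosts with weak TCP stacks, so disable it only for the flows that carry their own authentication rather than globally.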
