Yes, that is what I was trying to convey.
Having "norandomseq" in the static NAT doesn't solve the issue.

With regards
Kings

On Tue, Sep 29, 2009 at 9:19 AM, Jamie Brogdon <[email protected]> wrote:

> Everyone,
>
> I have tried to get BGP w/ auth up and running using 'norandomseq' on the
> static command to no avail. I continue to get invalid MD5 digest. It
> definitely works if I disable randomization under the policy map, but not
> doing it under static nat.
>
> Here is the configlet:
>
> static (inside,outside) 10.2.2.1 10.2.2.1 netmask 255.255.255.255 norandomseq
> static (outside,inside) 192.1.24.4 192.1.24.4 netmask 255.255.255.255 norandomseq
>
> The BGP session is between 10.2.2.1 and 192.1.24.4
>
> *Mar 1 01:17:50.119: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.24.4(31123) to 10.2.2.1(179)
>
> Has anyone else run into this?
>
> Thanks,
> Jamie Brogdon
>
> ------------------------------
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Tuesday, September 15, 2009 8:44 AM
> To: [email protected]
> Subject: Re: [OSL | CCIE_Security] BGP across ASA
>
> Hi all
>
> One more clarification.
>
> In my setup, I have disabled nat-control using "no nat-control". Both the
> interfaces connected to the BGP peers are with security-level 100.
>
> Even if NAT is disabled on the ASA, the tcp port number is randomized and
> the following should be configured to disable it:
>
> "set connection random-sequence-number disable"
>
> Now, if I enable NAT control (nat-control), does the above command suffice or
> should I include "norandomseq" in the static cmd?
>
> I tried configuring static without "norandomseq" and I don't see any issues.
>
> It seems the policy map overwrites the NAT rule.
>
> With regards
> Kings
>
> On Tue, Sep 15, 2009 at 6:02 PM, Kingsley Charles <[email protected]> wrote:
>
>> Hi all
>>
>> Thanks to all for your inputs.
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 15, 2009 at 5:36 PM, Pieter-Jan Nefkens <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Check the following document:
>>> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml
>>>
>>> If BGP authentication is used, the ASA must have the tcp-map enabled,
>>> because the MD5 hash is also over the tcp options in the header. So you must
>>> use a tcp-map option.
>>>
>>> Pieter-Jan
>>>
>>> On 15 sep 2009, at 13:56, Kingsley Charles wrote:
>>>
>>>> Hi all
>>>>
>>>> It's pretty straightforward and I am trying to have BGP across an ASA. I
>>>> get this error:
>>>>
>>>> %TCP-6-BADAUTH: No MD5 digest from <remote addr> (53396) to <local addr> (179)
>>>>
>>>> I see this issue only when the BGP is crossing the ASA.
>>>>
>>>> What could be the reason?
>>>>
>>>> Even if the ASA modifies the packet, I should get %TCP-6-BADAUTH: Invalid MD5
>>>> digest from [peer's IP address]:11004 to [local router's IP address]:179
>>>>
>>>> With regards
>>>> Kings
>>>
>>> ---
>>> Nefkens Advies
>>> Web: http://www.nefkensadvies.nl/
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
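The two symptoms in this thread ("No MD5 digest" versus "Invalid MD5 digest"), as an added example that is not from the list or from Cisco: an RFC 2385 TCP MD5 signature computed and checked in Python, with a small model of the two ASA behaviours discussed. The digest covers the IP pseudo-header, the fixed TCP header (options excluded) and the segment data, so a rewritten sequence number invalidates it, while a cleared option 19 leaves nothing to check. The peer addresses and ports come from Jamie's log line; the key, sequence numbers and KEEPALIVE payload are constructed, and `through_asa` is a hypothetical model, not ASA code.

```python
import hashlib, hmac, socket, struct
from dataclasses import dataclass, replace
BGP_PORT, TCP_OPT_MD5, MD5_OPT_LEN = 179, 19, 18   # RFC 2385: option kind 19, 18 bytes long

@dataclass(frozen=True)
class Segment:
    src_ip: str; dst_ip: str; sport: int; dport: int; seq: int; ack: int
    flags: int; window: int; payload: bytes; options: bytes = b""   # raw wire options
    @property
    def data_offset(self) -> int:   # TCP header length in 32-bit words
        return 5 + (len(self.options) + 3) // 4

def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over IP pseudo-header, fixed TCP header (checksum 0, options excluded), data, key."""
    seg_len = seg.data_offset * 4 + len(seg.payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(seg.src_ip),
                         socket.inet_aton(seg.dst_ip), 0, socket.IPPROTO_TCP, seg_len)
    fixed = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                        seg.data_offset << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + fixed + seg.payload + key).digest()

def sign(seg: Segment, key: bytes) -> Segment:
    """Append option 19 plus two NOP pads; the placeholder has the final length, so data_offset (hashed) is right."""
    head = bytes([TCP_OPT_MD5, MD5_OPT_LEN])
    digest = rfc2385_digest(replace(seg, options=head + bytes(16) + b"\x01\x01"), key)
    return replace(seg, options=head + digest + b"\x01\x01")

def verify(seg: Segment, key: bytes) -> str:
    """Receiving router's check, reported in the syslog wording seen in the thread."""
    i = 0
    while i < len(seg.options) and seg.options[i] != 0:   # kind 0 = end of options
        if seg.options[i] == 1:                            # kind 1 = NOP, no length byte
            i += 1
            continue
        kind, length = seg.options[i], seg.options[i + 1]
        if kind == TCP_OPT_MD5 and length == MD5_OPT_LEN:
            ok = hmac.compare_digest(seg.options[i + 2:i + MD5_OPT_LEN], rfc2385_digest(seg, key))
            return "accepted" if ok else "%TCP-6-BADAUTH: Invalid MD5 digest"
        i += length
    return "%TCP-6-BADAUTH: No MD5 digest"

def through_asa(seg: Segment, randomize_seq: bool, allow_md5_option: bool) -> Segment:
    """Hypothetical model: sequence randomization rewrites seq (a hashed field); no tcp-map allowing option 19 clears it."""
    out = replace(seg, seq=(seg.seq + 0x5A5A5A5A) & 0xFFFFFFFF) if randomize_seq else seg
    return out if allow_md5_option else replace(out, options=b"")

KEY = b"constructed-shared-secret"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # constructed BGP KEEPALIVE message
PEER_SEGMENT = sign(Segment("192.1.24.4", "10.2.2.1", 31123, BGP_PORT,
                            0x10000000, 0x20000000, 0x18, 16384, KEEPALIVE), KEY)
```

Only the combination `through_asa(PEER_SEGMENT, False, True)` (randomization disabled, option 19 allowed) verifies, which matches the policy-map fix that worked for Jamie.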
