I have just labbed this up using 8.04 ASA code and you are correct that the static keyword norandomseq no longer works as of version 8 by the looks. This was definitely a workable solution I used many times in ver 7.x code, but as I now tend to disable it in the policy by default I hadn't noticed.

This looks like a bug though, but I can't find any reference to it in the release notes for 8.x code. Also the weird thing was the ASA was still randomly removing option 19, even after the policy was set to allow it.

*Mar 1 10:28:43.170: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.2.1(55573) to 10.1.1.1(179)
*Mar 1 10:28:43.755: %TCP-6-BADAUTH: No MD5 digest from 192.1.2.1(179) to 10.1.1.1(24845)
*Mar 1 10:28:51.171: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.2.1(55573) to 10.1.1.1(179)

Something to be aware of I suppose, so thanks for the heads up, Kings.

Stu

2009/9/29 Kingsley Charles <[email protected]>
> Yes, that is what I was trying to convey.
>
> Having "norandomseq" in static nat doesn't solve the issue.
>
> With regards
> Kings
>
> On Tue, Sep 29, 2009 at 9:19 AM, Jamie Brogdon <[email protected]> wrote:
>> Everyone,
>>
>> I have tried to get BGP w/ auth up and running using 'norandomseq' on the static command to no avail. I continue to get invalid MD5 digest. It definitely works if I disable randomization under the policy map, but not doing it under static nat.
>>
>> Here is the configlet:
>>
>> static (inside,outside) 10.2.2.1 10.2.2.1 netmask 255.255.255.255 norandomseq
>> static (outside,inside) 192.1.24.4 192.1.24.4 netmask 255.255.255.255 norandomseq
>>
>> The BGP session is between 10.2.2.1 and 192.1.24.4
>>
>> *Mar 1 01:17:50.119: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.24.4(31123) to 10.2.2.1(179)
>>
>> Has anyone else run into this?
>>
>> Thanks,
>> Jamie Brogdon
>>
>> ------------------------------
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Tuesday, September 15, 2009 8:44 AM
>> To: [email protected]
>> Subject: Re: [OSL | CCIE_Security] BPG across ASA
>>
>> Hi all
>>
>> One more clarification.
>>
>> In my setup, I have disabled nat-control using "no nat-control". Both the interfaces connected to the BGP peers are with security-level 100.
>>
>> Even if NAT is disabled on the ASA, the tcp port number is randomized and the following should be configured to disable it:
>>
>> "set connection random-sequence-number disable"
>>
>> Now, if I enable NAT control (nat-control), is the above command sufficient or should I include "norandomseq" in the static cmd?
>>
>> I tried configuring static without "norandomseq" and I don't see any issues.
>>
>> It seems the policy map over-writes the NAT rule.
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 15, 2009 at 6:02 PM, Kingsley Charles <[email protected]> wrote:
>> Hi all
>>
>> Thanks to all for your inputs.
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 15, 2009 at 5:36 PM, Pieter-Jan Nefkens <[email protected]> wrote:
>> Hi,
>>
>> Check the following document:
>> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml
>>
>> If BGP authentication is used, the ASA must have the tcp-map enabled, because the MD5 hash is also over the tcp options in the header. So you must use a tcp-map option.
>>
>> Pieter-Jan
>>
>> On 15 sep 2009, at 13:56, Kingsley Charles wrote:
>> Hi all
>>
>> It's pretty straightforward and I am trying to have BGP across an ASA. I get this error:
>>
>> %TCP-6-BADAUTH: No MD5 digest from <remote addr> (53396) to <local addr> (179)
>>
>> I see this issue only when the BGP is crossing the ASA.
>>
>> What could be the reason?
>>
>> Even if ASA modifies the packet, I should get %TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179
>>
>> With regards
>> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
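A worked illustration of why the ASA rewriting the sequence number breaks BGP MD5, added here as an example and not posted by anyone in the thread. It models the RFC 2385 digest computation and the two %TCP-6-BADAUTH conditions quoted above; the addresses and ports come from Jamie's configlet and log line, while the key, the randomization offset and the KEEPALIVE payload are constructed, and the two asa_* helpers are simplified models of the firewall's behaviour, not its code.

```python
import hashlib
import hmac
import socket
import struct
# Constructed sample connection: addresses and ports are those in Jamie's
# configlet and log line; the MD5 password is made up for this demo.
SRC_IP, DST_IP, SRC_PORT, DST_PORT = "192.1.24.4", "10.2.2.1", 31123, 179
KEY = b"bgp-demo-key"
TCP_MD5_KIND = 19    # TCP option 19 = MD5 signature option (RFC 2385)
MD5_OPTION_LEN = 20  # kind(1) + len(1) + digest(16), padded to 20 with 2 NOPs

def digest_for(seg, key):
    """RFC 2385: MD5 over pseudo-header, fixed TCP header (checksum zeroed, options
    excluded but counted in data offset), segment data, then the key."""
    hdr_len = 20 + MD5_OPTION_LEN
    fixed = struct.pack("!HHIIBBHHH", seg["sport"], seg["dport"], seg["seq"], seg["ack"],
                        (hdr_len // 4) << 4, seg["flags"], seg["win"], 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(seg["src_ip"]),
                         socket.inet_aton(seg["dst_ip"]), 0, socket.IPPROTO_TCP,
                         hdr_len + len(seg["payload"]))
    return hashlib.md5(pseudo + fixed + seg["payload"] + key).digest()

def build_segment(seq, ack, payload, key):
    """Sender side: dict standing in for the wire segment, digest in option 19."""
    seg = dict(src_ip=SRC_IP, dst_ip=DST_IP, sport=SRC_PORT, dport=DST_PORT, seq=seq,
               ack=ack, flags=0x18, win=16384, payload=payload, options={})
    seg["options"][TCP_MD5_KIND] = digest_for(seg, key)
    return seg

def receiver_check(seg, key):
    """Receiver side: the condition the router would log as %TCP-6-BADAUTH."""
    got = seg["options"].get(TCP_MD5_KIND)
    if got is None:
        return "No MD5 digest"
    return "ok" if hmac.compare_digest(got, digest_for(seg, key)) else "Invalid MD5 digest"

def asa_randomize_seq(seg, offset):
    """Model of sequence-number randomization: SEQ shifted, option 19 forwarded as-is."""
    return dict(seg, seq=(seg["seq"] + offset) & 0xFFFFFFFF, options=dict(seg["options"]))

def asa_clear_option(seg):
    """Model of option 19 being cleared when the tcp-map does not allow it."""
    return dict(seg, options={k: v for k, v in seg["options"].items() if k != TCP_MD5_KIND})

def demo():
    # Constructed BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
    seg = build_segment(seq=0x1000, ack=0x2000, payload=b"\xff" * 16 + b"\x00\x13\x04", key=KEY)
    return tuple(receiver_check(s, KEY) for s in
                 (seg, asa_randomize_seq(seg, 0x5EED), asa_clear_option(seg)))
```

demo() returns ("ok", "Invalid MD5 digest", "No MD5 digest"): the untouched segment verifies, the sequence-shifted one reproduces the "Invalid MD5 digest" log, and the stripped one reproduces "No MD5 digest".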
