Hi All,
Please go through the solution
BGP authentication across firewall:
Allow BGP (it uses port no 19):
  tcp-map BGP_MD5
    tcp-options range 19 19 allow
Permitting BGP traffic:
  access-list BGP_MD5 permit tcp any any eq bgp
  access-list BGP_MD5 permit tcp any eq bgp any
Class map for BGP traffic:
  class-map BGP_MD5
    match access-list BGP_MD5
Policy map:
  policy-map global_policy
    class BGP_MD5
      set connection advanced-options BGP_MD5
      set connection random-sequence-number disable
Service policy:
  service-policy global_policy global
I think the above solution will do.
Regards,
Sandeep Jindal
--- On Tue, 29/9/09, [email protected]
<[email protected]> wrote:
From: [email protected]
<[email protected]>
Subject: CCIE_Security Digest, Vol 39, Issue 119
To: [email protected]
Date: Tuesday, 29 September, 2009, 7:53 PM
Today's Topics:
1. Re: BPG across ASA (Stuart Hare)
2. Traceroute across ASA (Kingsley Charles)
----------------------------------------------------------------------
Message: 1
Date: Tue, 29 Sep 2009 09:11:20 +0100
From: Stuart Hare <[email protected]>
Subject: Re: [OSL | CCIE_Security] BPG across ASA
To: Kingsley Charles <[email protected]>
Cc: [email protected]
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="windows-1252"
I have just labbed this up using 8.04 ASA code and you are correct that the
static keyword norandomseq no longer works as of version 8 by the looks.
This was definitely a workable solution I used many times in ver 7.x code,
but as I now tend to disable it in the policy by default I hadn't noticed.
This looks like a bug though, but I can't find any reference to it in the
release notes for 8.x code.
Also the weird thing was the ASA was still randomly removing option 19, even
after the policy was set to allow it.

*Mar 1 10:28:43.170: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.2.1(55573) to 10.1.1.1(179)
*Mar 1 10:28:43.755: %TCP-6-BADAUTH: No MD5 digest from 192.1.2.1(179) to 10.1.1.1(24845)
*Mar 1 10:28:51.171: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.2.1(55573) to 10.1.1.1(179)

Something to be aware of I suppose, so thanks for the heads up Kings.
Stu
2009/9/29 Kingsley Charles <[email protected]>
> Yes, that is what I was trying to convey.
>
> Having "norandomseq" in static nat doesn't solve the issue.
>
> With regards
> Kings
>
> On Tue, Sep 29, 2009 at 9:19 AM, Jamie Brogdon <[email protected]> wrote:
>
>
>> Everyone,
>>
>> I have tried to get BGP w/ auth up and running using "norandomseq" on the
>> static command to no avail. I continue to get invalid MD5 digest. It
>> definitely works if I disable randomization under the policy map, but not
>> doing it under static nat.
>>
>> Here is the configlet
>>
>> static (inside,outside) 10.2.2.1 10.2.2.1 netmask 255.255.255.255 norandomseq
>> static (outside,inside) 192.1.24.4 192.1.24.4 netmask 255.255.255.255 norandomseq
>>
>> The BGP session is between 10.2.2.1 and 192.1.24.4
>>
>> *Mar 1 01:17:50.119: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.24.4(31123) to 10.2.2.1(179)
>>
>> Has anyone else run into this?
>>
>> Thanks,
>> Jamie Brogdon
>>
>> ------------------------------
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Tuesday, September 15, 2009 8:44 AM
>> To: [email protected]
>> Subject: Re: [OSL | CCIE_Security] BPG across ASA
>>
>> Hi all
>>
>> One more clarification.
>>
>> In my setup, I have disabled nat-control using "no nat-control". Both the
>> interfaces connected to the BGP peers are with security-level 100.
>>
>> Even if NAT is disabled on the ASA, the tcp port number is randomized and
>> the following should be configured to disable it.
>>
>> "set connection random-sequence-number disable"
>>
>> Now, if I enable NAT control (nat-control), does the above command
>> suffice or should I include "norandomseq" in the static cmd?
>>
>> I tried configuring static without "norandomseq" and I don't see any
>> issues.
>>
>> It seems the policy map over-writes the NAT rule.
>>
>> With regards
>>
>> Kings
>>
>> On Tue, Sep 15, 2009 at 6:02 PM, Kingsley Charles <[email protected]> wrote:
>>
>> Hi all
>>
>> Thanks to all for your inputs.
>>
>> With regards
>>
>> Kings
>>
>> On Tue, Sep 15, 2009 at 5:36 PM, Pieter-Jan Nefkens <[email protected]> wrote:
>>
>> Hi,
>>
>> Check the following document:
>> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml
>>
>> If BGP authentication is used, the ASA must have the tcp-map enabled,
>> because the MD5 hash is also over the tcp options in the header. So you must
>> use a tcp-map option.
>>
>> Pieter-Jan
>>
>> On 15 sep 2009, at 13:56, Kingsley Charles wrote:
>>
>> Hi all
>>
>> It's pretty straightforward and I am trying to have BGP across an ASA. I
>> get this error:
>>
>> %TCP-6-BADAUTH: No MD5 digest from <remote addr> (53396) to <local addr> (179)
>>
>> I see this issue only when the BGP is crossing the ASA.
>>
>> What could be the reason?
>>
>> Even if ASA modifies the packet, I should get %TCP-6-BADAUTH: Invalid
>> MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179
>>
>> With regards
>>
>> Kings
>>
>> _______________________________________________
>>
>>
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
------------------------------
Message: 2
Date: Tue, 29 Sep 2009 19:52:58 +0530
From: Kingsley Charles <[email protected]>
Subject: [OSL | CCIE_Security] Traceroute across ASA
To: [email protected]
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="iso-8859-1"
Hi all
I am trying two solutions for getting "traceroute" across ASA to work. The first
solution is working for me but the second solution is not working.
Am I missing something?

Solution 1
Allowing the "time-exceeded" and "unreachable" to outside interface.

access-list mine extended permit icmp any any time-exceeded
access-list mine extended permit icmp any any unreachable
access-group mine in interface outside

Solution 2
I am not allowing the "time-exceeded" and "unreachable" to outside
interface. Rather I am relying on inspect icmp and icmp error.

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
With regards
Kings
End of CCIE_Security Digest, Vol 39, Issue 119
**********************************************
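Added example (not from the thread or from Cisco): a Python model of the RFC 2385 TCP MD5 signature that reproduces the two %TCP-6-BADAUTH variants quoted above. The segment fields and key are constructed; the addresses and ports are copied from Stu's log lines, and the way an ASA clears option 19 is modelled as overwriting it with NOPs (an assumption). Because the sequence number is inside the hashed TCP header, sequence randomization produces "Invalid MD5 digest", while clearing option 19 produces "No MD5 digest", which is why both the tcp-map and random-sequence-number disable are needed.

```python
import hashlib
import socket
import struct
TCP_MD5_KIND = 19  # RFC 2385 TCP MD5 Signature option: the "option 19" the tcp-map must allow

def tcp_md5_digest(seg, key):
    """RFC 2385 MD5 over: IPv4 pseudo-header, TCP header minus options (checksum 0), data, key."""
    hdr_len = 20 + len(seg["options"])
    pseudo = (socket.inet_aton(seg["src"]) + socket.inet_aton(seg["dst"])
              + struct.pack("!BBH", 0, 6, hdr_len + len(seg["data"])))
    fixed = struct.pack("!HHIIHHHH", seg["sport"], seg["dport"], seg["seq"], seg["ack"],
                        (hdr_len // 4) << 12 | seg["flags"], seg["window"], 0, 0)
    return hashlib.md5(pseudo + fixed + seg["data"] + key).digest()

def md5_option(digest):
    """Kind 19, length 18, 16-byte digest, then two NOPs of padding (20 bytes)."""
    return bytes([TCP_MD5_KIND, 18]) + digest + b"\x01\x01"

def find_md5_option(options):
    """Walk the TCP option list; return the digest carried in option 19, or None."""
    i = 0
    while i < len(options) and options[i] != 0:  # kind 0 ends the list
        if options[i] == 1:                       # NOP has no length byte
            i += 1
            continue
        kind, length = options[i], options[i + 1]
        if kind == TCP_MD5_KIND and length == 18:
            return options[i + 2:i + 18]
        i += length
    return None

def check(seg, key):
    """Classify a received segment the way the router's %TCP-6-BADAUTH log does."""
    carried = find_md5_option(seg["options"])
    if carried is None:
        return "No MD5 digest"
    return "OK" if carried == tcp_md5_digest(seg, key) else "Invalid MD5 digest"

def through_asa(seg, strip_option=False, seq_offset=0):
    """Model ASA defaults: clear option 19 (overwritten with NOPs here, an assumption) and shift seq."""
    out = dict(seg, seq=(seg["seq"] + seq_offset) & 0xFFFFFFFF)
    if strip_option:
        out["options"] = b"\x01" * len(seg["options"])
    return out

KEY = b"constructed-shared-secret"  # constructed; addresses/ports below are from Stu's logs
SENT = dict(src="192.1.2.1", dst="10.1.1.1", sport=55573, dport=179, seq=1000, ack=0,
            flags=0x02, window=16384, data=b"", options=md5_option(bytes(16)))
SENT["options"] = md5_option(tcp_md5_digest(SENT, KEY))  # sign once the header length is final
```

Running `check(through_asa(SENT, strip_option=True), KEY)` and `check(through_asa(SENT, seq_offset=0x1234567), KEY)` gives the two log messages from the thread; the untouched segment checks as "OK".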