Dear All,

Just wanted to add a comment:

BGP uses TCP port 179.

In the TCP-MAP you are allowing option 19.

As we know, the TCP header consists of some extensions (options) that are added
by some applications.

http://www.iana.org/assignments/tcp-parameters/



So BGP uses one of those options (option 19) for authentication. So
when you enable BGP authentication it uses this field and puts in it
the MD5 hash value. By default packets with that option are blocked by
the ASA, so we use the TCP-MAP to allow it.

Best Regards
Nabil
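As an added illustration (not code from the thread; the addresses, port, key and KEEPALIVE payload are constructed), the following Python computes the RFC 2385 signature that option 19 carries and reproduces the two failure modes seen further down: a middlebox that rewrites the sequence number without re-signing (what sequence-number randomization does) produces "Invalid MD5 digest", while one that drops option 19 (the default without a tcp-map) produces "No MD5 digest".

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_OPT_MD5 = 19   # IANA TCP option kind that carries the RFC 2385 MD5 signature

def rfc2385_digest(src_ip, dst_ip, fixed_hdr, hdr_len, payload, key):
    """MD5 over the RFC 2385 input: IPv4 pseudo-header (src, dst, 0, proto 6, segment
    length incl. options), 20-byte TCP header with checksum zeroed, payload, shared key."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, hdr_len + len(payload)))
    zeroed = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:20]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, seq, ack, payload, key):
    """Signed segment to port 179: 20-byte header + 20 bytes of options (NOP, NOP,
    kind 19, len 18, 16-byte digest). Checksum stays 0; it is not part of the digest."""
    fixed = struct.pack("!HHIIBBHHH", sport, 179, seq, ack, (40 // 4) << 4, 0x18, 65535, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, fixed, 40, payload, key)
    return fixed + b"\x01\x01" + bytes([TCP_OPT_MD5, 18]) + digest + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check; return strings mirror the IOS %TCP-6-BADAUTH wording."""
    hdr_len = (segment[12] >> 4) * 4
    opts, payload, found, i = segment[20:hdr_len], segment[hdr_len:], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # end of option list
            break
        length = 1 if kind == 1 else opts[i + 1]      # NOP has no length byte
        if kind == TCP_OPT_MD5 and length == 18:
            found = opts[i + 2:i + 18]
        i += max(length, 1)
    if found is None:
        return "No MD5 digest"
    expected = rfc2385_digest(src_ip, dst_ip, segment[:20], hdr_len, payload, key)
    return "ok" if hmac.compare_digest(found, expected) else "Invalid MD5 digest"

def randomize_seq(segment, new_seq):
    """Simulated sequence-number randomization: rewrite seq, leave option 19 as is."""
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]

def strip_option19(segment):
    """Simulated firewall default without a tcp-map: option 19 dropped, header shrinks to 20."""
    fixed = bytearray(segment[:20])
    fixed[12] = 5 << 4                                 # data offset = 5 words, no options
    return bytes(fixed) + segment[(segment[12] >> 4) * 4:]
```

Because the digest covers the pseudo-header and the fixed TCP header, any rewrite of addresses or sequence numbers between the peers has to be disabled, while option 19 itself is outside the digest and only has to be allowed through.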

Date: Tue, 29 Sep 2009 21:30:11 -0700
From: [email protected]
To: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 39, Issue 119

Hi All,

Please go through the solution.

BGP authentication across firewall:

Allow BGP (it uses port no 19):

tcp-map BGP_MD5
tcp-option range 19 19 allow

Permitting BGP traffic:
 
access-list BGP_MD5 permit tcp any any eq bgp
access-list BGP_MD5 permit tcp any eq bgp any

Class map for BGP traffic:

class-map BGP_MD5
match access-list BGP_MD5

Policy map:

policy-map global_policy
class BGP_MD5
set connection advanced-options BGP_MD5
set connection random-sequence-number disable

Service policy:

service-policy global_policy global
 
 
I think the above solution will do.
 
Regards,
Sandeep Jindal
--- On Tue, 29/9/09, [email protected] 
<[email protected]> wrote:


From: [email protected] 
<[email protected]>
Subject: CCIE_Security Digest, Vol 39, Issue 119
To: [email protected]
Date: Tuesday, 29 September, 2009, 7:53 PM




Today's Topics:

   1. Re: BPG across ASA (Stuart Hare)
   2. Traceroute across ASA (Kingsley Charles)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Sep 2009 09:11:20 +0100
From: Stuart Hare <[email protected]>
Subject: Re: [OSL | CCIE_Security] BPG across ASA
To: Kingsley Charles <[email protected]>
Cc: [email protected]
Message-ID:
    <[email protected]>
Content-Type: text/plain; charset="windows-1252"

I have just labbed this up using 8.04 ASA Code and you are correct that the
static keyword norandomseq no longer works as of version 8 by the looks.
This was definitely a workable solution I used many times in ver 7.x code,
but as I now tend to disable it in the policy by default I hadn't noticed.

This looks like a bug though, but I can't find any reference to it in the
release notes for 8.x code.

Also the weird thing was the ASA was still randomly removing option 19, even
after the policy was set to allow it.

*Mar  1 10:28:43.170: %TCP-6-BADAUTH: Invalid MD5 digest from
192.1.2.1(55573) to 10.1.1.1(179)
*Mar  1 10:28:43.755: %TCP-6-BADAUTH: No MD5 digest from 192.1.2.1(179) to
10.1.1.1(24845)
*Mar  1 10:28:51.171: %TCP-6-BADAUTH: Invalid MD5 digest from
192.1.2.1(55573) to 10.1.1.1(179)

Something to be aware of I suppose, so thanks for the heads up, Kings.

Stu

2009/9/29 Kingsley Charles <[email protected]>

> Yes, that is what I was trying to convey.
>
> Having "norandomseq" in static nat doesn't solve the issue.
>
> With regards
> Kings
>
> On Tue, Sep 29, 2009 at 9:19 AM, Jamie Brogdon <[email protected]> wrote:
>
>> Everyone,
>>
>> I have tried to get BGP w/ auth up and running using "norandomseq" on the
>> static command to no avail. I continue to get invalid MD5 digest. It
>> definitely works if I disable randomization under the policy map, but not
>> doing it under static nat.
>>
>> Here is the configlet
>>
>> static (inside,outside) 10.2.2.1 10.2.2.1 netmask 255.255.255.255 norandomseq
>>
>> static (outside,inside) 192.1.24.4 192.1.24.4 netmask 255.255.255.255 norandomseq
>>
>> The BGP session is between 10.2.2.1 and 192.1.24.4
>>
>> *Mar  1 01:17:50.119: %TCP-6-BADAUTH: Invalid MD5 digest from
>> 192.1.24.4(31123) to 10.2.2.1(179)
>>
>> Has anyone else run into this?
>>
>> Thanks,
>> Jamie Brogdon
>>
>> ------------------------------
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Tuesday, September 15, 2009 8:44 AM
>> To: [email protected]
>> Subject: Re: [OSL | CCIE_Security] BPG across ASA
>>
>> Hi all
>>
>> One more clarification.
>>
>> In my setup, I have disabled nat-control using "no nat-control". Both the
>> interfaces connected to the BGP peers are with security-level 100.
>>
>> Even if NAT is disabled on the ASA, the tcp port number is randomized and
>> the following should be configured to disable it.
>>
>> "set connection random-sequence-number disable"
>>
>> Now, if I enable NAT control (nat-control), does the above command
>> suffice or should I include "norandomseq" in the static cmd?
>>
>> I tried configuring static without "norandomseq" and I don't see any
>> issues.
>>
>> It seems the policy map over-writes the NAT rule.
>>
>> With regards
>>
>> Kings
>>
>> On Tue, Sep 15, 2009 at 6:02 PM, Kingsley Charles <
>> [email protected]> wrote:
>>
>> Hi all
>>
>> Thanks to all for your inputs.
>>
>> With regards
>>
>> Kings
>>
>> On Tue, Sep 15, 2009 at 5:36 PM, Pieter-Jan Nefkens <
>> [email protected]> wrote:
>>
>> Hi,
>>
>> Check the following document:
>>
>> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml
>>
>> If BGP authentication is used, the ASA must have the tcp-map enabled,
>> because the MD5 hash is also over the tcp options in the header. So you must
>> use a tcp-map option.
>>
>> Pieter-Jan
>>
>> On 15 sep 2009, at 13:56, Kingsley Charles wrote:
>>
>> Hi all
>>
>> It's pretty straightforward and I am trying to have BGP across an ASA. I
>> get this error:
>>
>> %TCP-6-BADAUTH: No MD5 digest from <remote addr> (53396) to <local addr>
>> (179)
>>
>> I see this issue only when the BGP is crossing the ASA.
>>
>> What could be the reason?
>>
>> Even if ASA modifies the packet, I should get %TCP-6-BADAUTH: Invalid
>> MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179
>>
>> With regards
>>
>> Kings
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> ---
>> Nefkens Advies
>> Enk 26
>> 4214 DD Vuren
>> The Netherlands
>> Tel: +31 183 634730
>> Fax: +31 183 690113
>> Cell: +31 654 323221
>> Email: [email protected]
>> Web: http://www.nefkensadvies.nl/
>>
>> Think before you print.

------------------------------

Message: 2
Date: Tue, 29 Sep 2009 19:52:58 +0530
From: Kingsley Charles <[email protected]>
Subject: [OSL | CCIE_Security] Traceroute across ASA
To: [email protected]
Message-ID:
    <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Hi all

I am trying two solutions for getting "traceroute" across ASA to work. First
solution is working for me but the second solution is not working.
Am I missing something?


Solution 1

Allowing the "time-exceeded" and "unreachable" to outside interface.

access-list mine extended permit icmp any any time-exceeded
access-list mine extended permit icmp any any unreachable

access-group mine in interface outside


Solution 2

I am not allowing the "time-exceeded" and "unreachable" to outside
interface. Rather I am relying on inspect icmp and icmp error.

policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error


With regards
Kings

End of CCIE_Security Digest, Vol 39, Issue 119
**********************************************

