Gents:
One thing to remember- the BGP peer with the highest IP (used for peering) will
initiate to the lower IP peer via TCP 179. Use this to determine which
interface on the ASA to allow this one. The return traffic will be stateful.
If R1 has 200.1.1.1 and R2 has 200.2.2.2, R2 would then initiate the TCP 179
connection.
One other item when considering BGP authenticated peers through an ASA is the
random sequence number. This is where most lose points on the exam. I found a
quick link for reference, pasting it below.
Happy to help. Happy labbing. ;)
*Just a sample, but this is included in IPX's BLS for CCIE Security*
http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/
tcp-map BGP_FIX tcp-options range 19 19 allow
!
access-list BGP permit tcp any any eq 179
!
class BGP match access-list BGP !! could also use match protocol tcp eq bgp
!
policy-map global_policy class BGP set connection advanced-options BGP_FIX set
connection random-sequence-number disable
Regards,
Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
________________________________
From: Eugene Pefti <[email protected]>
To: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Sunday, September 2, 2012 9:03 PM
Subject: RE: [OSL | CCIE_Security] BGP through ASA
I may have not be very clear or eloquent asking this question.
Would we be punished if add a permissive BGP traffic ACL entry on the ASA
outside interface if the session establishes owing to the BGP peer that
originates it from behind the ASA?
Eugene
From:Jay McMickle [mailto:[email protected]]
Sent: Sunday, September 02, 2012 7:00 PM
To: Fawad Khan
Cc: Eugene Pefti; [email protected]
Subject: Re: [OSL | CCIE_Security] BGP through ASA
Just remember the keyword at the end of the ACL for BGP passing through the
ASA. ;) (google that)
Regards,
Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
Sent from my iPhone
On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:
For the exam I would do what the task say. And NOT overdo/ or over think.
>
>On Sunday, September 2, 2012, Eugene Pefti wrote:
>I assume it is only for the situation when you need to control outbound
>traffic. For the purpose of CCIE lab should we bother with outbound ACL? It is
>trusted traffic per ASA security levels.
>
>Sent from iPhone
>
>On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:
>The best scenario would be to have acl on both interfaces to allow
>communication from either side.
>>I would Ab inbound acl on the outside interface and inside interface.
>>
>>On Sunday, September 2, 2012, Eugene Pefti wrote:
>>Hello folks,
>>I have a rhetoric question.
>>I believe this is a classic task when BGP peers need to authenticate through
>>the ASA but my question is not about it.
>>One of my BGP peers is on outside of the ASA and the other is inside. The ACL
>>on ASA doesn’t allow BGP traffic from the outside peer and I see
>>corresponding denies when it tries to talk to the inside peer.
>>But nothing prevents the inside peer to establish the active session with its
>>outside peer and they successfully do it.
>>Now the question. Would you add the ACL on the ASA outside interface to
>>allow BGP traffic from the outside peer to the inside one or as long as they
>>can establish the session that originates from the inside BGP peer we are OK?
>>
>>Eugene
>>
>>
>>
>>--
>>FNK, CCIE Security#35578
>
>
>--
>FNK, CCIE Security#35578
_______________________________________________
>For more information regarding industry leading CCIE Lab training, please
>visit www.ipexpert.com
>
>Are you a CCNP or CCIE and looking for a job? Check out
>www.PlatinumPlacement.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
