Thanks, Jay, I wish it is very simple and clear. My lab routers don’t stick to the rules you described. Let’s drop authentication from the picture and look into the mere session establishment.
R5 -------(192.168.7.0)-------(inside)ASA(outside)------(192.168.6.0)------R3 On R3 I set router ID to be 200.200.200.200 to be higher than R5 ID router bgp 103 no synchronization bgp router-id 200.200.200.200 bgp log-neighbor-changes network 192.168.33.33 mask 255.255.255.255 neighbor 192.168.7.5 remote-as 105 neighbor 192.168.7.5 password cisco neighbor 192.168.7.5 ebgp-multihop 255 no auto-summary R5 router bgp 105 no synchronization bgp log-neighbor-changes network 192.168.55.55 mask 255.255.255.255 neighbor 192.168.6.3 remote-as 103 neighbor 192.168.6.3 password cisco neighbor 192.168.6.3 ebgp-multihop 255 Then according to you I expect R3 will initiate BGP session and it should fail because I don’t have a hole in ASA for BGP traffic. But both peers establish the session and even though I see denies on the ASA: ASA2# %ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp outside/192.168.6.3(18358) -> inside/192.168.7.5(179) hit-cnt 1 first hit [0xe560841e, 0x0] And R5 sees R1 as 192.168.6.3 not 200.200.200.200 R5#sh ip bgp sum Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.6.3 4 103 12277 10429 3703 0 0 00:12:31 3 Eugene From: Jay McMickle [mailto:[email protected]] Sent: Monday, September 03, 2012 9:02 AM To: Eugene Pefti; Fawad Khan Cc: [email protected] Subject: Re: [OSL | CCIE_Security] BGP through ASA Gents: One thing to remember- the BGP peer with the highest IP (used for peering) will initiate to the lower IP peer via TCP 179. Use this to determine which interface on the ASA to allow this one. The return traffic will be stateful. If R1 has 200.1.1.1 and R2 has 200.2.2.2, R2 would then initiate the TCP 179 connection. One other item when considering BGP authenticated peers through an ASA is the random sequence number. This is where most lose points on the exam. I found a quick link for reference, pasting it below. Happy to help. Happy labbing. ;) *Just a sample, but this is included in IPX's BLS for CCIE Security* http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/ tcp-map BGP_FIX tcp-options range 19 19 allow ! access-list BGP permit tcp any any eq 179 ! class BGP match access-list BGP !! could also use match protocol tcp eq bgp ! policy-map global_policy class BGP set connection advanced-options BGP_FIX set connection random-sequence-number disable Regards, Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S) ________________________________ From: Eugene Pefti <[email protected]> To: Jay McMickle <[email protected]>; Fawad Khan <[email protected]> Cc: "[email protected]" <[email protected]> Sent: Sunday, September 2, 2012 9:03 PM Subject: RE: [OSL | CCIE_Security] BGP through ASA I may have not be very clear or eloquent asking this question. Would we be punished if add a permissive BGP traffic ACL entry on the ASA outside interface if the session establishes owing to the BGP peer that originates it from behind the ASA? Eugene From: Jay McMickle [mailto:[email protected]] Sent: Sunday, September 02, 2012 7:00 PM To: Fawad Khan Cc: Eugene Pefti; [email protected] Subject: Re: [OSL | CCIE_Security] BGP through ASA Just remember the keyword at the end of the ACL for BGP passing through the ASA. ;) (google that) Regards, Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design) Sent from my iPhone On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]<mailto:[email protected]>> wrote: For the exam I would do what the task say. And NOT overdo/ or over think. On Sunday, September 2, 2012, Eugene Pefti wrote: I assume it is only for the situation when you need to control outbound traffic. For the purpose of CCIE lab should we bother with outbound ACL? It is trusted traffic per ASA security levels. Sent from iPhone On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote: The best scenario would be to have acl on both interfaces to allow communication from either side. I would Ab inbound acl on the outside interface and inside interface. On Sunday, September 2, 2012, Eugene Pefti wrote: Hello folks, I have a rhetoric question. I believe this is a classic task when BGP peers need to authenticate through the ASA but my question is not about it. One of my BGP peers is on outside of the ASA and the other is inside. The ACL on ASA doesn’t allow BGP traffic from the outside peer and I see corresponding denies when it tries to talk to the inside peer. But nothing prevents the inside peer to establish the active session with its outside peer and they successfully do it. Now the question. Would you add the ACL on the ASA outside interface to allow BGP traffic from the outside peer to the inside one or as long as they can establish the session that originates from the inside BGP peer we are OK? Eugene -- FNK, CCIE Security#35578 -- FNK, CCIE Security#35578 _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com<http://www.ipexpert.com/> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com<http://www.platinumplacement.com/>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
