Yep, I've always seen that both BGP peers will initiate a connection to TCP 179 on the other, and then once a connection is established, the other one drops off. No need for an outside ACL unless desired or specified by the lab task. In the real world, I consider it a best practice though.
Jason

On Mon, Sep 3, 2012 at 1:13 PM, Eugene Pefti <[email protected]> wrote:

> Thanks, Jay,
>
> I wish it were that simple and clear. My lab routers don't stick to the
> rules you described.
>
> Let's drop authentication from the picture and look into the mere session
> establishment.
>
> R5 -------(192.168.7.0)-------(inside)ASA(outside)------(192.168.6.0)------R3
>
> On R3 I set the router ID to be 200.200.200.200 to be higher than the R5 ID
>
> router bgp 103
>  no synchronization
>  bgp router-id 200.200.200.200
>  bgp log-neighbor-changes
>  network 192.168.33.33 mask 255.255.255.255
>  neighbor 192.168.7.5 remote-as 105
>  neighbor 192.168.7.5 password cisco
>  neighbor 192.168.7.5 ebgp-multihop 255
>  no auto-summary
>
> R5
>
> router bgp 105
>  no synchronization
>  bgp log-neighbor-changes
>  network 192.168.55.55 mask 255.255.255.255
>  neighbor 192.168.6.3 remote-as 103
>  neighbor 192.168.6.3 password cisco
>  neighbor 192.168.6.3 ebgp-multihop 255
>
> Then according to you I expect R3 will initiate the BGP session and it should
> fail because I don't have a hole in the ASA for BGP traffic.
>
> But both peers establish the session, even though I see denies on the
> ASA:
>
> ASA2# %ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp outside/192.168.6.3(18358) -> inside/192.168.7.5(179) hit-cnt 1 first hit [0xe560841e, 0x0]
>
> And R5 sees R1 as 192.168.6.3, not 200.200.200.200
>
> R5#sh ip bgp sum
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 192.168.6.3     4   103   12277   10429     3703    0    0 00:12:31        3
>
> Eugene
>
> *From:* Jay McMickle [mailto:[email protected]]
> *Sent:* Monday, September 03, 2012 9:02 AM
> *To:* Eugene Pefti; Fawad Khan
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] BGP through ASA
>
> Gents:
> One thing to remember- the BGP peer with the highest IP (used for peering)
> will initiate to the lower IP peer via TCP 179. Use this to determine
> which interface on the ASA to allow this one. The return traffic will be
> stateful.
>
> If R1 has 200.1.1.1 and R2 has 200.2.2.2, R2 would then initiate the TCP
> 179 connection.
>
> One other item when considering BGP authenticated peers through an ASA is
> the random sequence number. This is where most lose points on the exam. I
> found a quick link for reference, pasting it below.
>
> Happy to help. Happy labbing. ;)
>
> *Just a sample, but this is included in IPX's BLS for CCIE Security*
>
> http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/
>
> tcp-map BGP_FIX
>  tcp-options range 19 19 allow
> !
> access-list BGP permit tcp any any eq 179
> !
> class-map BGP
>  match access-list BGP
> !! could also use match port tcp eq bgp
> !
> policy-map global_policy
>  class BGP
>   set connection advanced-options BGP_FIX
>   set connection random-sequence-number disable
>
> Regards,
>
> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
> ------------------------------
>
> *From:* Eugene Pefti <[email protected]>
> *To:* Jay McMickle <[email protected]>; Fawad Khan <[email protected]>
> *Cc:* "[email protected]" <[email protected]>
> *Sent:* Sunday, September 2, 2012 9:03 PM
> *Subject:* RE: [OSL | CCIE_Security] BGP through ASA
>
> I may not have been very clear or eloquent asking this question.
>
> Would we be punished if we add a permissive BGP traffic ACL entry on the ASA
> outside interface if the session establishes owing to the BGP peer that
> originates it from behind the ASA?
>
> Eugene
>
> *From:* Jay McMickle [mailto:[email protected]]
> *Sent:* Sunday, September 02, 2012 7:00 PM
> *To:* Fawad Khan
> *Cc:* Eugene Pefti; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] BGP through ASA
>
> Just remember the keyword at the end of the ACL for BGP passing through
> the ASA. ;) (google that)
>
> Regards,
>
> Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
>
> Sent from my iPhone
>
> On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:
>
> For the exam I would do what the task says. And NOT overdo or overthink it.
>
> On Sunday, September 2, 2012, Eugene Pefti wrote:
>
> I assume it is only for the situation when you need to control outbound
> traffic. For the purpose of the CCIE lab, should we bother with an outbound ACL? It
> is trusted traffic per ASA security levels.
>
> Sent from iPhone
>
> On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:
>
> The best scenario would be to have an ACL on both interfaces to allow
> communication from either side.
>
> I would add an inbound ACL on the outside interface and the inside interface.
>
> On Sunday, September 2, 2012, Eugene Pefti wrote:
>
> Hello folks,
>
> I have a rhetorical question.
>
> I believe this is a classic task when BGP peers need to authenticate
> through the ASA, but my question is not about that.
>
> One of my BGP peers is on the outside of the ASA and the other is inside. The
> ACL on the ASA doesn't allow BGP traffic from the outside peer and I see
> corresponding denies when it tries to talk to the inside peer.
>
> But nothing prevents the inside peer from establishing the active session with
> its outside peer, and they successfully do it.
>
> Now the question. Would you add the ACL on the ASA outside interface to
> allow BGP traffic from the outside peer to the inside one, or as long as
> they can establish the session that originates from the inside BGP peer we
> are OK?
>
> Eugene
>
> --
> FNK, CCIE Security#35578
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
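The ASA 106100 deny that Eugene pasted is the evidence the thread keeps circling: a denied tcp/179 SYN arriving on the outside interface shows the outside peer trying to open the session, while the inside peer's own open (inside to outside, allowed by the security levels) is what actually brings the peering up. The script below is an added example, not code from the thread or from Cisco; it parses ASA 106100 ACL-log lines and lists the denied BGP open attempts with the interface they arrived on, so an operator reviewing the firewall log can see which side is knocking and decide whether the outside-interface ACL entry is wanted. The sample lines are constructed for the example (the first mirrors the one in the thread, the other two are made up), and the ACL name, function names and field names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines for this example. The first mirrors the
# deny Eugene saw in the thread; the second and third are invented here to
# show a permitted non-BGP flow and a denied non-TCP flow being ignored.
SAMPLE_LOGS = [
    "%ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp outside/192.168.6.3(18358) "
    "-> inside/192.168.7.5(179) hit-cnt 1 first hit [0xe560841e, 0x0]",
    "%ASA-4-106100: access-list OUTSIDE-INBOUND permitted tcp outside/192.168.6.3(443) "
    "-> inside/192.168.7.5(52010) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]",
    "%ASA-4-106100: access-list OUTSIDE-INBOUND denied udp outside/192.168.6.9(5000) "
    "-> inside/192.168.7.5(161) hit-cnt 1 first hit [0xdeadbeef, 0x0]",
]

BGP_PORT = 179  # BGP listens on TCP 179; the initiator uses an ephemeral source port

# Field layout of the ASA 106100 message:
#   access-list <acl> <permitted|denied> <proto> <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> ...
ACL_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>\w+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)


@dataclass
class AclEvent:
    """One parsed 106100 ACL-log event (hypothetical structure for this example)."""
    acl: str
    action: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    hits: int


def parse_acl_event(line: str) -> Optional[AclEvent]:
    """Parse a single syslog line; return None for anything that is not a 106100 event."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return AclEvent(
        acl=d["acl"], action=d["action"], proto=d["proto"],
        src_if=d["src_if"], src_ip=d["src_ip"], src_port=int(d["src_port"]),
        dst_if=d["dst_if"], dst_ip=d["dst_ip"], dst_port=int(d["dst_port"]),
        hits=int(d["hits"]),
    )


def is_bgp_open_attempt(ev: AclEvent) -> bool:
    """A flow toward TCP 179 is the initiator side of a BGP session trying to open."""
    return ev.proto == "tcp" and ev.dst_port == BGP_PORT


def denied_bgp_peerings(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (initiator_ip, responder_ip, ingress_interface) for every denied BGP open.

    A result with ingress_interface == "outside" means the outside peer is the
    one attempting to initiate, which is exactly the case the thread discusses:
    the session may still come up because the inside peer's own open is
    permitted by security level, but the log shows the outside attempt being
    dropped by the ACL.
    """
    found = []
    for line in lines:
        ev = parse_acl_event(line)
        if ev is not None and ev.action == "denied" and is_bgp_open_attempt(ev):
            found.append((ev.src_ip, ev.dst_ip, ev.src_if))
    return found


if __name__ == "__main__":
    for initiator, responder, ingress in denied_bgp_peerings(SAMPLE_LOGS):
        print(f"BGP open from {initiator} to {responder} denied on interface {ingress}")
```

Feeding the ASA's exported syslog into `denied_bgp_peerings` instead of `SAMPLE_LOGS` gives the same summary for a real box; a steady stream of denies from the outside peer toward port 179 while `show ip bgp summary` reports Established is the signature of the inside peer's open winning, which is the observation Eugene reported.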
