I went ahead and labbed this up, only to find that what I had learned and
committed to memory about who initiates the BGP OPEN session was not correct.
:/
My ASA shows that the lower IP address sent the BGP OPEN to the higher IP.
Jason- was your recommendation to only allow BGP from the inside to the outside
and let the routers work it out on their own?
My Lab output:
ASA-LAB01(config)# sh conn
8 in use, 18 most used
TCP outside 200.200.200.1:179 inside 220.220.220.2:45572, idle 0:00:00, bytes 0, flags saA
Regards,
Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
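The `show conn` line above and the `%ASA-4-106100` deny further down the thread can be read mechanically: the peer sitting on an ephemeral port sent the SYN (and so the first OPEN), and the deny names the ACL and interface that would need a permit. This is an added example, not code from anyone in the thread; the two sample lines are constructed from the output posted here, and the host-to-host ACE it proposes is an assumption about scope.

```python
import re

# Constructed sample lines, modelled on the ASA output posted in this thread.
SHOW_CONN = ("TCP outside 200.200.200.1:179 inside 220.220.220.2:45572, "
             "idle 0:00:00, bytes 0, flags saA")
DENY_LOG = ("%ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp "
            "outside/192.168.6.3(18358) -> inside/192.168.7.5(179) "
            "hit-cnt 1 first hit [0xe560841e, 0x0]")
BGP_PORT = 179

# 'show conn' lists both endpoints as "<interface> <ip>:<port>".
CONN_RE = re.compile(r"TCP (\w+) ([\d.]+):(\d+) (\w+) ([\d.]+):(\d+),.*flags (\S+)")
# 106100 reads "access-list <acl> denied tcp <if>/<ip>(<port>) -> <if>/<ip>(<port>)".
DENY_RE = re.compile(r"access-list (\S+) denied tcp (\w+)/([\d.]+)\((\d+)\) "
                     r"-> (\w+)/([\d.]+)\((\d+)\)")

def parse_conn(line):
    """Say which endpoint opened a BGP connection in a 'show conn' line.
    The side on port 179 is the listener; the side on an ephemeral port sent
    the SYN and hence the first OPEN.  None if the line is not a BGP conn."""
    m = CONN_RE.search(line)
    if not m:
        return None
    a_if, a_ip, a_port, b_if, b_ip, b_port, flags = m.groups()
    a, b = (a_if, a_ip, int(a_port)), (b_if, b_ip, int(b_port))
    if a[2] == BGP_PORT and b[2] != BGP_PORT:
        listener, opener = a, b
    elif b[2] == BGP_PORT and a[2] != BGP_PORT:
        listener, opener = b, a
    else:
        return None
    return {"initiator": opener[:2], "responder": listener[:2], "flags": flags}

def parse_deny(line):
    """Split an ASA 106100 ACL-deny message into its fields (None if no match)."""
    m = DENY_RE.search(line)
    if not m:
        return None
    acl, sif, sip, sport, dif, dip, dport = m.groups()
    return {"acl": acl, "src_if": sif, "src": sip, "sport": int(sport),
            "dst_if": dif, "dst": dip, "dport": int(dport)}

def suggest_permit(deny):
    """For a denied TCP/179 attempt, build the ACE that would let that peer open
    the session through the ACL that dropped it (host-to-host scope assumed)."""
    if deny is None or deny["dport"] != BGP_PORT:
        return None
    return ("access-list %s extended permit tcp host %s host %s eq bgp"
            % (deny["acl"], deny["src"], deny["dst"]))
```

Run `parse_conn(SHOW_CONN)` against the thread's sample and it reports the inside peer as the initiator; `suggest_permit(parse_deny(DENY_LOG))` yields the outside-interface ACE that the thread debates adding.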
________________________________
From: Jason Madsen <[email protected]>
To: Eugene Pefti <[email protected]>
Cc: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>;
"[email protected]" <[email protected]>
Sent: Monday, September 3, 2012 2:43 PM
Subject: Re: [OSL | CCIE_Security] BGP through ASA
Yep, I've always seen both BGP peers initiate a connection to TCP 179 on
the other, and then once a connection is established, the other one drops off.
no need for outside ACL unless desired or specified by lab task. In the real
world, I consider it a best practice though.
Jason
On Mon, Sep 3, 2012 at 1:13 PM, Eugene Pefti <[email protected]> wrote:
Thanks, Jay,
>I wish it were that simple and clear. My lab routers don’t stick to the rules
>you described.
>Let’s drop authentication from the picture and look into the mere session
>establishment.
>
>R5 -------(192.168.7.0)-------(inside)ASA(outside)------(192.168.6.0)------R3
>
>On R3 I set router ID to be 200.200.200.200 to be higher than R5 ID
>
>router bgp 103
> no synchronization
> bgp router-id 200.200.200.200
> bgp log-neighbor-changes
> network 192.168.33.33 mask 255.255.255.255
> neighbor 192.168.7.5 remote-as 105
> neighbor 192.168.7.5 password cisco
> neighbor 192.168.7.5 ebgp-multihop 255
> no auto-summary
>
>R5
>router bgp 105
> no synchronization
> bgp log-neighbor-changes
> network 192.168.55.55 mask 255.255.255.255
> neighbor 192.168.6.3 remote-as 103
> neighbor 192.168.6.3 password cisco
> neighbor 192.168.6.3 ebgp-multihop 255
>
>Then according to you I expect R3 will initiate BGP session and it should
>fail because I don’t have a hole in ASA for BGP traffic.
>But both peers establish the session, even though I see denies on the ASA:
>
>ASA2# %ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp outside/192.168.6.3(18358) -> inside/192.168.7.5(179) hit-cnt 1 first hit [0xe560841e, 0x0]
>
>And R5 sees R1 as 192.168.6.3 not 200.200.200.200
>
>R5#sh ip bgp sum
>
>Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
>192.168.6.3     4   103   12277   10429     3703    0    0 00:12:31        3
>
>Eugene
>
>From: Jay McMickle [mailto:[email protected]]
>Sent: Monday, September 03, 2012 9:02 AM
>To: Eugene Pefti; Fawad Khan
>Cc: [email protected]
>
>Subject: Re: [OSL | CCIE_Security] BGP through ASA
>
>Gents:
>One thing to remember- the BGP peer with the highest IP (used for peering)
>will initiate to the lower IP peer via TCP 179. Use this to determine which
>interface on the ASA to allow this one. The return traffic will be stateful.
>
>If R1 has 200.1.1.1 and R2 has 200.2.2.2, R2 would then initiate the TCP 179
>connection.
>
>One other item when considering BGP authenticated peers through an ASA is the
>random sequence number. This is where most lose points on the exam. I found
>a quick link for reference, pasting it below.
>
>Happy to help. Happy labbing. ;)
>
>*Just a sample, but this is included in IPX's BLS for CCIE Security*
>http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/
>tcp-map BGP_FIX
> tcp-options range 19 19 allow
>!
>access-list BGP permit tcp any any eq 179
>!
>class BGP
> match access-list BGP
> !! could also use match protocol tcp eq bgp
>!
>policy-map global_policy
> class BGP
> set connection advanced-options BGP_FIX
> set connection random-sequence-number disable
>
>Regards,
>Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
>________________________________
>
>From: Eugene Pefti <[email protected]>
>To: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>
>Cc: "[email protected]" <[email protected]>
>Sent: Sunday, September 2, 2012 9:03 PM
>Subject: RE: [OSL | CCIE_Security] BGP through ASA
>
>I may not have been very clear or eloquent asking this question.
>Would we be punished if we add a permissive BGP traffic ACL entry on the ASA
>outside interface if the session establishes owing to the BGP peer that
>originates it from behind the ASA?
>
>Eugene
>
>From: Jay McMickle [mailto:[email protected]]
>Sent: Sunday, September 02, 2012 7:00 PM
>To: Fawad Khan
>Cc: Eugene Pefti; [email protected]
>Subject: Re: [OSL | CCIE_Security] BGP through ASA
>
>Just remember the keyword at the end of the ACL for BGP passing through the
>ASA. ;) (google that)
>
>Regards,
>Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
>Sent from my iPhone
>
>On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:
>For the exam I would do what the task says. And NOT overdo or overthink.
>>
>>On Sunday, September 2, 2012, Eugene Pefti wrote:
>>I assume it is only for the situation when you need to control outbound
>>traffic. For the purpose of CCIE lab should we bother with outbound ACL? It
>>is trusted traffic per ASA security levels.
>>
>>Sent from iPhone
>>
>>On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:
>>The best scenario would be to have acl on both interfaces to allow
>>communication from either side.
>>>I would add an inbound ACL on the outside interface and inside interface.
>>>
>>>On Sunday, September 2, 2012, Eugene Pefti wrote:
>>>Hello folks,
>>>I have a rhetorical question.
>>>I believe this is a classic task when BGP peers need to authenticate through
>>>the ASA but my question is not about it.
>>>One of my BGP peers is on outside of the ASA and the other is inside. The
>>>ACL on ASA doesn’t allow BGP traffic from the outside peer and I see
>>>corresponding denies when it tries to talk to the inside peer.
>>>But nothing prevents the inside peer from establishing the active session with
>>>its outside peer, and they successfully do it.
>>>Now the question. Would you add the ACL on the ASA outside interface to
>>>allow BGP traffic from the outside peer to the inside one or as long as they
>>>can establish the session that originates from the inside BGP peer we are OK?
>>>
>>>Eugene
>>>
>>>--
>>>FNK, CCIE Security#35578
>>
>>
>>--
>>FNK, CCIE Security#35578
>_______________________________________________
>>For more information regarding industry leading CCIE Lab training, please
>>visit www.ipexpert.com
>>
>>Are you a CCNP or CCIE and looking for a job? Check out
>>www.PlatinumPlacement.com
>
>