Hi Jay, I'd personally allow it in from the outside via ACL, and allow it from inside-out through regular high->low policy (assuming there isn't an ACL on the inside). However, we'd obviously have to make sure that's what the task asks for and that it doesn't violate any other tasks.
With all that said, both BGP peers will attempt to peer, but only one has to and only one will in the end anyway... meaning only one will end up in the server role. Doesn't matter which one. If there's no ACL on the inside, neighbor responses will be allowed back in from the outside.

Jason

Sent from my iPhone

On Sep 3, 2012, at 2:42 PM, Jay McMickle <[email protected]> wrote:

> I went ahead and labbed this up, but only to find that what I had learned and
> committed to memory was not correct about who initiates the BGP open
> session. :/
>
> My ASA shows that the lower IP address sent the BGP OPEN to the higher IP.
>
> Jason- was your recommendation to only allow BGP from the inside to the
> outside and let the routers work it out on their own?
>
> My lab output:
> ASA-LAB01(config)# sh conn
> 8 in use, 18 most used
> TCP outside 200.200.200.1:179 inside 220.220.220.2:45572, idle 0:00:00, bytes 0, flags saA
>
> Regards,
> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
> From: Jason Madsen <[email protected]>
> To: Eugene Pefti <[email protected]>
> Cc: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>; "[email protected]" <[email protected]>
> Sent: Monday, September 3, 2012 2:43 PM
> Subject: Re: [OSL | CCIE_Security] BGP through ASA
>
> Yep, I've always seen both BGP peers initiate a connection to TCP 179 on
> the other, and then once a connection is established, the other one drops
> off. No need for an outside ACL unless desired or specified by the lab task. In
> the real world, I consider it a best practice though.
>
> Jason
>
> On Mon, Sep 3, 2012 at 1:13 PM, Eugene Pefti <[email protected]> wrote:
> Thanks, Jay,
> I wish it were very simple and clear. My lab routers don't stick to the rules
> you described.
> Let's drop authentication from the picture and look into the mere session
> establishment.
>
> R5 -------(192.168.7.0)-------(inside)ASA(outside)------(192.168.6.0)------R3
>
> On R3 I set the router ID to be 200.200.200.200, to be higher than the R5 ID.
>
> router bgp 103
>  no synchronization
>  bgp router-id 200.200.200.200
>  bgp log-neighbor-changes
>  network 192.168.33.33 mask 255.255.255.255
>  neighbor 192.168.7.5 remote-as 105
>  neighbor 192.168.7.5 password cisco
>  neighbor 192.168.7.5 ebgp-multihop 255
>  no auto-summary
>
> R5
> router bgp 105
>  no synchronization
>  bgp log-neighbor-changes
>  network 192.168.55.55 mask 255.255.255.255
>  neighbor 192.168.6.3 remote-as 103
>  neighbor 192.168.6.3 password cisco
>  neighbor 192.168.6.3 ebgp-multihop 255
>
> Then according to you I expect R3 will initiate the BGP session, and it should
> fail because I don't have a hole in the ASA for BGP traffic.
> But both peers establish the session, even though I see denies on the ASA:
>
> ASA2# %ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp outside/192.168.6.3(18358) -> inside/192.168.7.5(179) hit-cnt 1 first hit [0xe560841e, 0x0]
>
> And R5 sees R1 as 192.168.6.3, not 200.200.200.200
>
> R5#sh ip bgp sum
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 192.168.6.3     4   103   12277   10429     3703    0    0 00:12:31        3
>
> Eugene
>
> From: Jay McMickle [mailto:[email protected]]
> Sent: Monday, September 03, 2012 9:02 AM
> To: Eugene Pefti; Fawad Khan
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] BGP through ASA
>
> Gents:
> One thing to remember- the BGP peer with the highest IP (used for peering)
> will initiate to the lower IP peer via TCP 179. Use this to determine which
> interface on the ASA to allow this one. The return traffic will be stateful.
>
> If R1 has 200.1.1.1 and R2 has 200.2.2.2, R2 would then initiate the TCP 179
> connection.
>
> One other item when considering BGP authenticated peers through an ASA is the
> random sequence number. This is where most lose points on the exam.
> I found a quick link for reference, pasting it below.
>
> Happy to help. Happy labbing. ;)
>
> *Just a sample, but this is included in IPX's BLS for CCIE Security*
> http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/
>
> tcp-map BGP_FIX
>  tcp-options range 19 19 allow
> !
> access-list BGP permit tcp any any eq 179
> !
> class-map BGP
>  match access-list BGP
> !! could also use match port tcp eq bgp
> !
> policy-map global_policy
>  class BGP
>   set connection advanced-options BGP_FIX
>   set connection random-sequence-number disable
>
> Regards,
> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
> From: Eugene Pefti <[email protected]>
> To: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Sent: Sunday, September 2, 2012 9:03 PM
> Subject: RE: [OSL | CCIE_Security] BGP through ASA
>
> I may not have been very clear or eloquent asking this question.
> Would we be punished if we add a permissive BGP traffic ACL entry on the ASA
> outside interface if the session establishes owing to the BGP peer that
> originates it from behind the ASA?
>
> Eugene
>
> From: Jay McMickle [mailto:[email protected]]
> Sent: Sunday, September 02, 2012 7:00 PM
> To: Fawad Khan
> Cc: Eugene Pefti; [email protected]
> Subject: Re: [OSL | CCIE_Security] BGP through ASA
>
> Just remember the keyword at the end of the ACL for BGP passing through the
> ASA. ;) (google that)
>
> Regards,
> Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
> Sent from my iPhone
>
> On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:
> For the exam I would do what the task says. And NOT overdo or over-think it.
>
> On Sunday, September 2, 2012, Eugene Pefti wrote:
> I assume it is only for the situation when you need to control outbound
> traffic. For the purpose of the CCIE lab, should we bother with an outbound ACL? It
> is trusted traffic per ASA security levels.
>
> Sent from iPhone
>
> On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:
> The best scenario would be to have an ACL on both interfaces to allow
> communication from either side.
> I would add an inbound ACL on the outside interface and inside interface.
>
> On Sunday, September 2, 2012, Eugene Pefti wrote:
> Hello folks,
> I have a rhetorical question.
> I believe this is a classic task when BGP peers need to authenticate through
> the ASA, but my question is not about that.
> One of my BGP peers is on the outside of the ASA and the other is inside. The ACL
> on the ASA doesn't allow BGP traffic from the outside peer, and I see
> corresponding denies when it tries to talk to the inside peer.
> But nothing prevents the inside peer from establishing the active session with its
> outside peer, and they successfully do it.
> Now the question. Would you add the ACL on the ASA outside interface to
> allow BGP traffic from the outside peer to the inside one, or as long as they
> can establish the session that originates from the inside BGP peer we are OK?
>
> Eugene
>
> --
> FNK, CCIE Security#35578
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
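As an added illustration (not code from the thread, the linked article, or Cisco) of why Jay's policy-map pairs `tcp-options range 19 19 allow` with `set connection random-sequence-number disable`: the RFC 2385 TCP MD5 option that `neighbor ... password` turns on is a digest that covers the TCP sequence number, so an ASA that rewrites the initial sequence number (its default) leaves the receiving router with a digest that no longer matches. Addresses, ports and the password are the thread's; the sequence number, window and rewrite delta are constructed.

```python
import hashlib
import ipaddress
import struct

# RFC 2385: option kind 19, length 18 (2 header bytes + 16-byte MD5), padded
# with two NOPs so the TCP header ends on a 4-byte boundary.
TCP_PROTO, TCP_OPT_MD5, OPTIONS_LEN = 6, 19, 20


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   payload, password):
    """16-byte RFC 2385 digest over: pseudo-header (src, dst, 0, proto, TCP
    length incl. options), TCP header with checksum 0 and options excluded,
    segment data, shared key. The sequence number sits inside that header."""
    tcp_len = 20 + OPTIONS_LEN + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    data_offset = (20 + OPTIONS_LEN) // 4            # header length in words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + password).digest()


def md5_option(digest):
    """On-the-wire option 19: kind, length 18, digest."""
    return struct.pack("!BB", TCP_OPT_MD5, 18) + digest


def receiver_accepts(option, **segment):
    """The receiver recomputes the digest from the segment it actually sees."""
    if len(option) != 18 or option[0] != TCP_OPT_MD5 or option[1] != 18:
        return False
    return option[2:] == tcp_md5_digest(**segment)


def asa_randomised(segment, delta=0x5EED0000):
    """Model the ASA rewriting the ISN (its default); the option bytes are
    carried through unchanged, so only the covered sequence number differs."""
    return dict(segment, seq=(segment["seq"] + delta) & 0xFFFFFFFF)


# Constructed sample: R3 (outside, 192.168.6.3) opens TCP 179 to R5 (inside)
# with the thread's `neighbor ... password cisco`. seq/window are made up.
SEGMENT = dict(src_ip="192.168.6.3", dst_ip="192.168.7.5", sport=18358,
               dport=179, seq=0x1A2B3C4D, ack=0, flags=0x02, window=16384,
               payload=b"", password=b"cisco")


def demo(segment=SEGMENT):
    """(accepted as sent, accepted after the ASA ISN rewrite)."""
    opt = md5_option(tcp_md5_digest(**segment))
    return (receiver_accepts(opt, **segment),
            receiver_accepts(opt, **asa_randomised(segment)))
```

`demo()` returns `(True, False)`: the same option bytes verify on the unmodified segment and fail once the sequence number has been rewritten, which is the symptom the thread's tcp-map and policy-map are there to avoid.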
