Thanks for clarifying, and I agree.

Regards,
Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
Sent from my iPhone

On Sep 3, 2012, at 4:14 PM, Jason Madsen <[email protected]> wrote:

> Hi Jay,
>
> I'd personally allow it in from the outside via ACL, and allow it from
> inside-out through regular high->low policy (assuming there isn't an ACL on
> the inside). However, we'd obviously have to make sure that's what the task
> asks for and that it doesn't violate any other tasks.
>
> With all that said, both BGP peers will attempt to peer, but only one has to
> and only one will in the end anyway...meaning only one will end up in server
> role. Doesn't matter which one. If there's no ACL on the inside, neighbor
> responses will be allowed back in from the outside.
>
> Jason
>
> Sent from my iPhone
>
> On Sep 3, 2012, at 2:42 PM, Jay McMickle <[email protected]> wrote:
>
>> I went ahead and labbed this up, only to find that what I had learned and
>> committed to memory about who initiates the BGP open session was not
>> correct. :/
>>
>> My ASA shows that the lower IP address sent the BGP OPEN to the higher IP.
>>
>> Jason- was your recommendation to only allow BGP from the inside to the
>> outside and let the routers work it out on their own?
>>
>> My lab output:
>>
>>   ASA-LAB01(config)# sh conn
>>   8 in use, 18 most used
>>   TCP outside 200.200.200.1:179 inside 220.220.220.2:45572, idle 0:00:00, bytes 0, flags saA
>>
>> Regards,
>> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>>
>> From: Jason Madsen <[email protected]>
>> To: Eugene Pefti <[email protected]>
>> Cc: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>; "[email protected]" <[email protected]>
>> Sent: Monday, September 3, 2012 2:43 PM
>> Subject: Re: [OSL | CCIE_Security] BGP through ASA
>>
>> Yep, I've always seen both BGP peers initiate a connection to TCP 179
>> on the other, and then once a connection is established, the other one drops
>> off. No need for an outside ACL unless desired or specified by the lab task. In
>> the real world, I consider it a best practice though.
>>
>> Jason
>>
>> On Mon, Sep 3, 2012 at 1:13 PM, Eugene Pefti <[email protected]> wrote:
>>
>> Thanks, Jay,
>> I wish it were that simple and clear. My lab routers don't stick to the rules
>> you described.
>> Let's drop authentication from the picture and look into the mere session
>> establishment.
>>
>>   R5 -------(192.168.7.0)-------(inside)ASA(outside)------(192.168.6.0)------R3
>>
>> On R3 I set the router ID to 200.200.200.200, to be higher than R5's ID:
>>
>>   router bgp 103
>>    no synchronization
>>    bgp router-id 200.200.200.200
>>    bgp log-neighbor-changes
>>    network 192.168.33.33 mask 255.255.255.255
>>    neighbor 192.168.7.5 remote-as 105
>>    neighbor 192.168.7.5 password cisco
>>    neighbor 192.168.7.5 ebgp-multihop 255
>>    no auto-summary
>>
>> R5:
>>
>>   router bgp 105
>>    no synchronization
>>    bgp log-neighbor-changes
>>    network 192.168.55.55 mask 255.255.255.255
>>    neighbor 192.168.6.3 remote-as 103
>>    neighbor 192.168.6.3 password cisco
>>    neighbor 192.168.6.3 ebgp-multihop 255
>>
>> Then, according to you, I expect R3 will initiate the BGP session and it should
>> fail because I don't have a hole in the ASA for BGP traffic.
>> But both peers establish the session, even though I see denies on the ASA:
>>
>>   ASA2# %ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp outside/192.168.6.3(18358) -> inside/192.168.7.5(179) hit-cnt 1 first hit [0xe560841e, 0x0]
>>
>> And R5 sees R1 as 192.168.6.3, not 200.200.200.200:
>>
>>   R5#sh ip bgp sum
>>   Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
>>   192.168.6.3     4   103   12277   10429     3703    0    0 00:12:31        3
>>
>> Eugene
>>
>> From: Jay McMickle [mailto:[email protected]]
>> Sent: Monday, September 03, 2012 9:02 AM
>> To: Eugene Pefti; Fawad Khan
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] BGP through ASA
>>
>> Gents:
>> One thing to remember- the BGP peer with the highest IP (used for peering)
>> will initiate to the lower IP peer via TCP 179. Use this to determine which
>> interface on the ASA to allow this on. The return traffic will be stateful.
>>
>> If R1 has 200.1.1.1 and R2 has 200.2.2.2, R2 would then initiate the TCP 179
>> connection.
>>
>> One other item when considering BGP authenticated peers through an ASA is
>> the random sequence number. This is where most lose points on the exam. I
>> found a quick link for reference, pasting it below.
>>
>> Happy to help. Happy labbing. ;)
>>
>> *Just a sample, but this is included in IPX's BLS for CCIE Security*
>> http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/
>>
>>   tcp-map BGP_FIX
>>    tcp-options range 19 19 allow
>>   !
>>   access-list BGP permit tcp any any eq 179
>>   !
>>   class-map BGP
>>    match access-list BGP
>>    !! could also use match protocol tcp eq bgp
>>   !
>>   policy-map global_policy
>>    class BGP
>>     set connection advanced-options BGP_FIX
>>     set connection random-sequence-number disable
>>
>> Regards,
>> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>>
>> From: Eugene Pefti <[email protected]>
>> To: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>
>> Cc: "[email protected]" <[email protected]>
>> Sent: Sunday, September 2, 2012 9:03 PM
>> Subject: RE: [OSL | CCIE_Security] BGP through ASA
>>
>> I may not have been very clear or eloquent in asking this question.
>> Would we be punished if we add a permissive BGP traffic ACL entry on the ASA
>> outside interface, if the session establishes owing to the BGP peer that
>> originates it from behind the ASA?
>>
>> Eugene
>>
>> From: Jay McMickle [mailto:[email protected]]
>> Sent: Sunday, September 02, 2012 7:00 PM
>> To: Fawad Khan
>> Cc: Eugene Pefti; [email protected]
>> Subject: Re: [OSL | CCIE_Security] BGP through ASA
>>
>> Just remember the keyword at the end of the ACL for BGP passing through the
>> ASA. ;) (google that)
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
>> Sent from my iPhone
>>
>> On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:
>>
>> For the exam I would do what the task says. And NOT overdo or overthink it.
>>
>> On Sunday, September 2, 2012, Eugene Pefti wrote:
>>
>> I assume it is only for the situation when you need to control outbound
>> traffic. For the purpose of the CCIE lab, should we bother with an outbound ACL? It
>> is trusted traffic per ASA security levels.
>>
>> Sent from iPhone
>>
>> On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:
>>
>> The best scenario would be to have an ACL on both interfaces to allow
>> communication from either side.
>> I would add an inbound ACL on the outside interface and inside interface.
>>
>> On Sunday, September 2, 2012, Eugene Pefti wrote:
>>
>> Hello folks,
>> I have a rhetorical question.
>> I believe this is a classic task when BGP peers need to authenticate through
>> the ASA, but my question is not about that.
>> One of my BGP peers is on the outside of the ASA and the other is inside. The
>> ACL on the ASA doesn't allow BGP traffic from the outside peer, and I see
>> corresponding denies when it tries to talk to the inside peer.
>> But nothing prevents the inside peer from establishing the active session with
>> its outside peer, and they successfully do it.
>> Now the question. Would you add the ACL on the ASA outside interface to
>> allow BGP traffic from the outside peer to the inside one, or as long as they
>> can establish the session that originates from the inside BGP peer we are OK?
>>
>> Eugene
>>
>> --
>> FNK, CCIE Security#35578
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
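Jay's quoted policy-map disables ISN randomization for the BGP class and lets TCP option 19 through. The added example below (not from the thread, the packetslave post, or Cisco) models why that is needed: it computes the RFC 2385 TCP MD5 signature the routers carry in option 19, whose input includes the TCP sequence number, and then models an ASA that rewrites the initial sequence number without recomputing the digest. The peer addresses are the ones from Jay's "sh conn" output; the ports, sequence numbers, window, the 0x5A5A5A5A offset and the password are constructed, and the ASA is reduced to a one-line sequence-number rewrite.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values: the two peer addresses come from the "sh conn"
# output in the thread; ports, sequence numbers and the offset are made up.
INSIDE_PEER = "220.220.220.2"
OUTSIDE_PEER = "200.200.200.1"
INSIDE_PORT = 45572
BGP_PORT = 179
SYN = 0x02
MD5_OPTION_LEN = 20  # kind 19, length 18, 16-byte digest, padded to a 4-byte boundary


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
                   window, payload, password):
    """RFC 2385 TCP MD5 signature (carried in TCP option kind 19).

    The digest covers, in order: the IP pseudo-header (src, dst, zero, proto,
    segment length), the fixed 20-byte TCP header with the checksum zeroed
    (options excluded), the segment data, and the shared password.  The
    sequence number is therefore part of the signed input.
    """
    seg_len = 20 + MD5_OPTION_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    data_offset = ((20 + MD5_OPTION_LEN) // 4) << 12  # header length in 32-bit words
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                         ack & 0xFFFFFFFF, data_offset | flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + password.encode()).digest()


def receiver_accepts(seq_sent, seq_received, password="cisco"):
    """Model the receiving router: it recomputes the digest over the header it
    actually received and compares it with the digest the sender placed in
    option 19 (computed over the header the sender transmitted)."""
    sent = tcp_md5_digest(INSIDE_PEER, OUTSIDE_PEER, INSIDE_PORT, BGP_PORT,
                          seq_sent, 0, SYN, 16384, b"", password)
    recomputed = tcp_md5_digest(INSIDE_PEER, OUTSIDE_PEER, INSIDE_PORT, BGP_PORT,
                                seq_received, 0, SYN, 16384, b"", password)
    return hmac.compare_digest(sent, recomputed)


def through_asa(seq_sent, randomize_isn, offset=0x5A5A5A5A):
    """Simplified model of the ASA's sequence-number randomization: enabled, it
    adds a per-connection offset to the sequence number; disabled, the segment
    passes unchanged.  Either way the ASA does not recompute the option 19
    digest, because it does not hold the BGP password."""
    return (seq_sent + offset) & 0xFFFFFFFF if randomize_isn else seq_sent


def demo(seq_sent=1000):
    """Return (accepted with randomization disabled, accepted with it enabled)."""
    return (
        receiver_accepts(seq_sent, through_asa(seq_sent, randomize_isn=False)),
        receiver_accepts(seq_sent, through_asa(seq_sent, randomize_isn=True)),
    )


if __name__ == "__main__":
    disabled, enabled = demo()
    print("random-sequence-number disable -> peer accepts:", disabled)  # True
    print("randomization left on          -> peer accepts:", enabled)   # False
```

With randomization on, the far-side router recomputes the MD5 over a sequence number the sender never signed, so every authenticated segment fails verification and the session never comes up, even though the ACL and the stateful return path are fine. The `tcp-options range 19 19 allow` line in the same tcp-map is the companion fix: it keeps the ASA from stripping option 19 itself, which would fail the check for a different reason.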
