Gents,
Unless you have specific configuration to set your inside router to initiate
BGP (neighbor x.x.x.x transport connection-mode active) and your outside router
to just be a receiver (neighbor x.x.x.x transport connection-mode passive) I
advise to open this connection to be set up from both sides.
Of course, since this is Security track you do not need to be an expert in R&S
but you must be a Security expert. Thus, you must know how to open the
connection which is by default blocked by the ASA (see log). If you are unsure,
this is something you can as the proctor.
Regards,
Piotr
From: Jay McMickle
Sent: Tuesday, September 04, 2012 3:18 PM
To: Jason Madsen
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] BGP through ASA
Thanks for clarifying, and I agree.
Regards,
Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
Sent from my iPhone
On Sep 3, 2012, at 4:14 PM, Jason Madsen <[email protected]> wrote:
Hi Jay,
I'd personally allow it in from the outside via ACL, and allow it from
inside-out through regular high->low policy (assuming there isn't an ACL on the
inside). However, we'd obviously have to make sure that's what the task asks
for and that it doesn't violate any other tasks.
With all that said, both BGP peers will attempt to peer, but only one has to
and only one will in the end anyway...meaning only one will end up in server
role. Doesnt matter which one. If there's no ACL on the inside, neighbor
responses will be allowed back in from the outside.
Jason
Sent from my iPhone
On Sep 3, 2012, at 2:42 PM, Jay McMickle <[email protected]> wrote:
I went ahead and labbed this up but only to find what I had learned and
committed to memory was not correct about whom initiates the BGP open session.
:/
My ASA shows that the lower IP address sent the BGP OPEN to the higher IP.
Jason- was your recommendation to only allow BGP from the inside to the
outside and let the routers work it out on their own?
My Lab output:
ASA-LAB01(config)# sh conn
8 in use, 18 most used
TCP outside 200.200.200.1:179 inside 220.220.220.2:45572, idle 0:00:00,
bytes 0, flags saA
Regards,
Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
----------------------------------------------------------------------------
From: Jason Madsen <[email protected]>
To: Eugene Pefti <[email protected]>
Cc: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>;
"[email protected]" <[email protected]>
Sent: Monday, September 3, 2012 2:43 PM
Subject: Re: [OSL | CCIE_Security] BGP through ASA
yep, i've always seen both BGP peers will initiate a connection to TCP 179
on the other, and then once a connection is established, the other one drops
off. no need for outside ACL unless desired or specified by lab task. In the
real world, I consider it a best practice though.
Jason
On Mon, Sep 3, 2012 at 1:13 PM, Eugene Pefti <[email protected]>
wrote:
Thanks, Jay,
I wish it is very simple and clear. My lab routers don’t stick to the
rules you described.
Let’s drop authentication from the picture and look into the mere session
establishment.
R5
-------(192.168.7.0)-------(inside)ASA(outside)------(192.168.6.0)------R3
On R3 I set router ID to be 200.200.200.200 to be higher than R5 ID
router bgp 103
no synchronization
bgp router-id 200.200.200.200
bgp log-neighbor-changes
network 192.168.33.33 mask 255.255.255.255
neighbor 192.168.7.5 remote-as 105
neighbor 192.168.7.5 password cisco
neighbor 192.168.7.5 ebgp-multihop 255
no auto-summary
R5
router bgp 105
no synchronization
bgp log-neighbor-changes
network 192.168.55.55 mask 255.255.255.255
neighbor 192.168.6.3 remote-as 103
neighbor 192.168.6.3 password cisco
neighbor 192.168.6.3 ebgp-multihop 255
Then according to you I expect R3 will initiate BGP session and it
should fail because I don’t have a hole in ASA for BGP traffic.
But both peers establish the session and even though I see denies on the
ASA:
ASA2# %ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp
outside/192.168.6.3(18358) -> inside/192.168.7.5(179) hit-cnt 1 first hit
[0xe560841e, 0x0]
And R5 sees R1 as 192.168.6.3 not 200.200.200.200
R5#sh ip bgp sum
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down
State/PfxRcd
192.168.6.3 4 103 12277 10429 3703 0 0 00:12:31
3
Eugene
From: Jay McMickle [mailto:[email protected]]
Sent: Monday, September 03, 2012 9:02 AM
To: Eugene Pefti; Fawad Khan
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] BGP through ASA
Gents:
One thing to remember- the BGP peer with the highest IP (used for
peering) will initiate to the lower IP peer via TCP 179. Use this to determine
which interface on the ASA to allow this one. The return traffic will be
stateful.
If R1 has 200.1.1.1 and R2 has 200.2.2.2, R2 would then initiate the TCP
179 connection.
One other item when considering BGP authenticated peers through an ASA is
the random sequence number. This is where most lose points on the exam. I
found a quick link for reference, pasting it below.
Happy to help. Happy labbing. ;)
*Just a sample, but this is included in IPX's BLS for CCIE Security*
http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/
tcp-map BGP_FIX tcp-options range 19 19 allow!access-list BGP permit tcp any
any eq 179!class BGP match access-list BGP !! could also use match protocol
tcp eq bgp!policy-map global_policy class BGP set connection
advanced-options BGP_FIX set connection random-sequence-number disable
Regards,
Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
--------------------------------------------------------------------------
From: Eugene Pefti <[email protected]>
To: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>
Cc: "[email protected]"
<[email protected]>
Sent: Sunday, September 2, 2012 9:03 PM
Subject: RE: [OSL | CCIE_Security] BGP through ASA
I may have not be very clear or eloquent asking this question.
Would we be punished if add a permissive BGP traffic ACL entry on the ASA
outside interface if the session establishes owing to the BGP peer that
originates it from behind the ASA?
Eugene
From: Jay McMickle [mailto:[email protected]]
Sent: Sunday, September 02, 2012 7:00 PM
To: Fawad Khan
Cc: Eugene Pefti; [email protected]
Subject: Re: [OSL | CCIE_Security] BGP through ASA
Just remember the keyword at the end of the ACL for BGP passing through
the ASA. ;) (google that)
Regards,
Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
Sent from my iPhone
On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:
For the exam I would do what the task say. And NOT overdo/ or over
think.
On Sunday, September 2, 2012, Eugene Pefti wrote:
I assume it is only for the situation when you need to control outbound
traffic. For the purpose of CCIE lab should we bother with outbound ACL? It is
trusted traffic per ASA security levels.
Sent from iPhone
On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:
The best scenario would be to have acl on both interfaces to allow
communication from either side.
I would Ab inbound acl on the outside interface and inside interface.
On Sunday, September 2, 2012, Eugene Pefti wrote:
Hello folks,
I have a rhetoric question.
I believe this is a classic task when BGP peers need to authenticate
through the ASA but my question is not about it.
One of my BGP peers is on outside of the ASA and the other is inside.
The ACL on ASA doesn’t allow BGP traffic from the outside peer and I see
corresponding denies when it tries to talk to the inside peer.
But nothing prevents the inside peer to establish the active session
with its outside peer and they successfully do it.
Now the question. Would you add the ACL on the ASA outside
interface to allow BGP traffic from the outside peer to the inside one or as
long as they can establish the session that originates from the inside BGP peer
we are OK?
Eugene
--
FNK, CCIE Security#35578
--
FNK, CCIE Security#35578
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
=
--------------------------------------------------------------------------------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
