Agreed. Dot.

From: Eugene Pefti 
Sent: Wednesday, September 05, 2012 8:56 AM
To: Piotr Matusiak ; Jay McMickle ; Jason Madsen 
Cc: [email protected] 
Subject: RE: [OSL | CCIE_Security] BGP through ASA

Thanks, Piotr.

Let’s put a dot in this discussion ;)

 

Eugene

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Piotr Matusiak
Sent: Tuesday, September 04, 2012 12:18 PM
To: Jay McMickle; Jason Madsen
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] BGP through ASA

 

Gents,

 

Unless you have specific configuration to set your inside router to initiate 
BGP (neighbor x.x.x.x transport connection-mode active) and your outside router 
to just be a receiver (neighbor x.x.x.x transport connection-mode passive), I 
advise opening this connection so it can be set up from both sides.

 

Of course, since this is the Security track you do not need to be an expert in R&S, 
but you must be a Security expert. Thus, you must know how to open the 
connection, which is by default blocked by the ASA (see log). If you are unsure, 
this is something you can ask the proctor.

 

Regards,

Piotr

 

 

From: Jay McMickle 

Sent: Tuesday, September 04, 2012 3:18 PM

To: Jason Madsen 

Cc: [email protected] 

Subject: Re: [OSL | CCIE_Security] BGP through ASA

 

Thanks for clarifying, and I agree.

Regards, 

Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)

Sent from my iPhone


On Sep 3, 2012, at 4:14 PM, Jason Madsen <[email protected]> wrote:

  Hi Jay,

   

  I'd personally allow it in from the outside via ACL, and allow it from 
inside-out through regular high->low policy (assuming there isn't an ACL on the 
inside).   However, we'd obviously have to make sure that's what the task asks 
for and that it doesn't violate any other tasks. 

   

  With all that said, both BGP peers will attempt to peer, but only one has to 
and only one will in the end anyway...meaning only one will end up in the server 
role.  Doesn't matter which one.   If there's no ACL on the inside, neighbor 
responses will be allowed back in from the outside. 

   

  Jason

  Sent from my iPhone 

   


  On Sep 3, 2012, at 2:42 PM, Jay McMickle <[email protected]> wrote:

    I went ahead and labbed this up, only to find that what I had learned and 
committed to memory was not correct about which peer initiates the BGP open session.  
:/

    My ASA shows that the lower IP address sent the BGP OPEN to the higher IP.  

    Jason- was your recommendation to only allow BGP from the inside to the 
outside and let the routers work it out on their own?

     

    My Lab output:

    ASA-LAB01(config)# sh conn
    8 in use, 18 most used
    TCP outside 200.200.200.1:179 inside 220.220.220.2:45572, idle 0:00:00, bytes 0, flags saA

     

     

    Regards,

    Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
     

     


----------------------------------------------------------------------------

    From: Jason Madsen <[email protected]>
    To: Eugene Pefti <[email protected]> 
    Cc: Jay McMickle <[email protected]>; Fawad Khan <[email protected]>; 
"[email protected]" <[email protected]> 
    Sent: Monday, September 3, 2012 2:43 PM
    Subject: Re: [OSL | CCIE_Security] BGP through ASA

     

    yep, I've always seen both BGP peers will initiate a connection to TCP 179 
on the other, and then once a connection is established, the other one drops 
off.  No need for an outside ACL unless desired or specified by the lab task.  In the 
real world, I consider it a best practice though.

    Jason



    On Mon, Sep 3, 2012 at 1:13 PM, Eugene Pefti <[email protected]> 
wrote:

    Thanks, Jay,

    I wish it were that simple and clear. My lab routers don’t stick to the rules 
you described.

    Let’s drop authentication from the picture and look into the mere session 
establishment.

     

    R5 -------(192.168.7.0)-------(inside)ASA(outside)------(192.168.6.0)------R3

     

    On R3 I set the router ID to 200.200.200.200 so that it is higher than R5's ID.

     

    router bgp 103
     no synchronization
     bgp router-id 200.200.200.200
     bgp log-neighbor-changes
     network 192.168.33.33 mask 255.255.255.255
     neighbor 192.168.7.5 remote-as 105
     neighbor 192.168.7.5 password cisco
     neighbor 192.168.7.5 ebgp-multihop 255
     no auto-summary

     

    R5

    router bgp 105
     no synchronization
     bgp log-neighbor-changes
     network 192.168.55.55 mask 255.255.255.255
     neighbor 192.168.6.3 remote-as 103
     neighbor 192.168.6.3 password cisco
     neighbor 192.168.6.3 ebgp-multihop 255

     

    Then, according to you, I expect R3 to initiate the BGP session, and it should 
fail because I don’t have a hole in the ASA for BGP traffic.

    But both peers establish the session, even though I see denies on the 
ASA:

     

    ASA2# %ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp outside/192.168.6.3(18358) -> inside/192.168.7.5(179) hit-cnt 1 first hit [0xe560841e, 0x0]

     

    And R5 sees R1 as 192.168.6.3 not 200.200.200.200

     

    R5#sh ip bgp sum   

     

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.6.3     4   103   12277   10429     3703    0    0 00:12:31        3

     

    Eugene

     

    From: Jay McMickle [mailto:[email protected]] 
    Sent: Monday, September 03, 2012 9:02 AM
    To: Eugene Pefti; Fawad Khan
    Cc: [email protected]
    Subject: Re: [OSL | CCIE_Security] BGP through ASA

     

    Gents:
    One thing to remember- the BGP peer with the highest IP (used for peering) 
will initiate to the lower IP peer via TCP 179.  Use this to determine which 
interface on the ASA to allow this one.  The return traffic will be stateful.  

    If R1 has 200.1.1.1 and R2 has 200.2.2.2, R2 would then initiate the TCP 
179 connection.

    One other item when considering BGP authenticated peers through an ASA is 
the random sequence number.  This is where most lose points on the exam.  I 
found a quick link for reference, pasting it below.

    Happy to help.  Happy labbing.  ;)

    *Just a sample, but this is included in IPX's BLS for CCIE Security*
    
http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/

    ! Let TCP option 19 (the MD5 signature option) pass through the ASA
    tcp-map BGP_FIX
      tcp-options range 19 19 allow
    !
    access-list BGP permit tcp any any eq 179
    !
    class-map BGP
      match access-list BGP
      !! could also use: match port tcp eq bgp
    !
    ! Apply the tcp-map and keep the original sequence numbers, since the
    ! MD5 signature covers the TCP header and breaks if the ASA rewrites them
    policy-map global_policy
      class BGP
        set connection advanced-options BGP_FIX
        set connection random-sequence-number disable

     

     

     

    Regards,

    Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
     

     


----------------------------------------------------------------------------

    From: Eugene Pefti <[email protected]>
    To: Jay McMickle <[email protected]>; Fawad Khan <[email protected]> 
    Cc: "[email protected]" <[email protected]> 
    Sent: Sunday, September 2, 2012 9:03 PM
    Subject: RE: [OSL | CCIE_Security] BGP through ASA

     

    I may not have been very clear or eloquent in asking this question.

    Would we be punished if we add a permissive BGP traffic ACL entry on the ASA 
outside interface if the session establishes owing to the BGP peer that 
originates it from behind the ASA?

     

    Eugene

     

    From: Jay McMickle [mailto:[email protected]] 
    Sent: Sunday, September 02, 2012 7:00 PM
    To: Fawad Khan
    Cc: Eugene Pefti; [email protected]
    Subject: Re: [OSL | CCIE_Security] BGP through ASA

     

    Just remember the keyword at the end of the ACL for BGP passing through the 
ASA. ;) (google that)

    Regards,

    Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)

    Sent from my iPhone


    On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:

      For the exam I would do what the task says. And NOT overdo or overthink it.

      On Sunday, September 2, 2012, Eugene Pefti wrote:

      I assume it is only for the situation when you need to control outbound 
traffic. For the purpose of CCIE lab should we bother with outbound ACL? It is 
trusted traffic per ASA security levels. 

      Sent from iPhone


      On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:

        The best scenario would be to have acl on both interfaces to allow 
communication from either side. 

        I would add an inbound ACL on the outside interface and inside interface.

        On Sunday, September 2, 2012, Eugene Pefti wrote:

        Hello folks,

        I have a rhetorical question.

        I believe this is a classic task when BGP peers need to authenticate 
through the ASA but my question is not about it.

        One of my BGP peers is on outside of the ASA and the other is inside. 
The ACL on ASA doesn’t allow BGP traffic from the outside peer and I see 
corresponding denies when it tries to talk to the inside peer.

        But nothing prevents the inside peer from establishing the active session 
with its outside peer, and they successfully do it.

        Now the question.  Would you add the ACL on the ASA outside interface 
to allow BGP traffic from the outside peer to the inside one, or, as long as they 
can establish the session that originates from the inside BGP peer, are we OK?

         

        Eugene

         



        -- 
        FNK, CCIE Security#35578



      -- 
      FNK, CCIE Security#35578

      _______________________________________________
      For more information regarding industry leading CCIE Lab training, please 
visit www.ipexpert.com

      Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

     



     

     
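As an added example (not code from anyone in this thread), a small Python parser that reads the two kinds of ASA output quoted above, a "show conn" entry and a %ASA-4-106100 ACL log line, and reports which side opened each BGP session and whether the ASA let it through. The sample lines are constructed from the output quoted in the thread; the record field names are my own.

```python
import re

# Constructed sample lines, modelled on the ASA output quoted earlier in this thread.
SAMPLE_LINES = [
    "TCP outside 200.200.200.1:179 inside 220.220.220.2:45572, idle 0:00:00, bytes 0, flags saA",
    "ASA2# %ASA-4-106100: access-list OUTSIDE-INBOUND denied tcp outside/192.168.6.3(18358)"
    " -> inside/192.168.7.5(179) hit-cnt 1 first hit [0xe560841e, 0x0]",
]

BGP_PORT = 179

# 'show conn' entry: protocol, then two "<interface> <ip>:<port>" endpoints, then flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)"
    r"\s+(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+).*?flags\s+(?P<flags>\S+)"
)
# %ASA-4-106100 syslog: ACL verdict plus "<ifc>/<ip>(<port>) -> <ifc>/<ip>(<port>)".
ACL_RE = re.compile(
    r"%ASA-4-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>\w+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
)


def parse_line(line):
    """Describe a BGP flow seen by the ASA, or return None for non-BGP lines.
    In both formats the initiator is the endpoint talking to TCP 179 from an
    ephemeral port; the endpoint listening on 179 only answers."""
    m = CONN_RE.match(line)
    if m:
        a = (m["if_a"], m["ip_a"], int(m["port_a"]))
        b = (m["if_b"], m["ip_b"], int(m["port_b"]))
        if BGP_PORT not in (a[2], b[2]):
            return None
        client, server = (b, a) if a[2] == BGP_PORT else (a, b)
        return {"source": "conn", "verdict": "allowed", "flags": m["flags"],
                "initiator_if": client[0], "initiator_ip": client[1],
                "responder_if": server[0], "responder_ip": server[1]}
    m = ACL_RE.search(line)
    if m and m["proto"] == "tcp" and int(m["dst_port"]) == BGP_PORT:
        return {"source": "syslog", "verdict": m["verdict"], "acl": m["acl"],
                "initiator_if": m["src_if"], "initiator_ip": m["src_ip"],
                "responder_if": m["dst_if"], "responder_ip": m["dst_ip"]}
    return None


def bgp_session_report(lines):
    """One record per BGP-related line: who opened the session and what the ASA did."""
    return [r for r in map(parse_line, lines) if r is not None]
```

A "denied" record whose initiator is on the outside, with no "allowed" record for the reverse direction, is the case the thread discusses: the outside peer's attempt is dropped and peering only comes up if the inside peer initiates.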
