Taking a stab...I think you would have to disable the TCP Sequence number randomization on the Cisco ASA Firewall as this is involved in BGP Auth (not 100% sure) :)
On Wed, May 1, 2013 at 10:07 PM, Mike Rojas <[email protected]> wrote:
> Hi,
>
> I am having troubles with BGP passing through with authentication. I
> configured the routers as follow (Since the Initial configs are not ready,
> but based on the exercise you kind of know where it is going :))
>
> R1
> router bgp 14
>  no synchronization
>  bgp log-neighbor-changes
>  network 11.11.11.0
>  neighbor 200.100.34.254 remote-as 14
>  neighbor 200.100.34.254 password cisco
>  no auto-summary
>
> R4
> router bgp 14
>  no synchronization
>  bgp log-neighbor-changes
>  network 4.4.4.4
>  neighbor 200.100.34.1 remote-as 14
>  neighbor 200.100.34.1 password cisco
>  no auto-summary
>
> Now, in order to allow this across the ASA, I configured the following:
>
> access-list BGP extended permit tcp any host 192.168.103.1 eq bgp
> access-list BGP extended permit tcp host 192.168.103.1 any eq bgp
>
> tcp-map BGP
>  tcp-options range 19 19 allow
>
> policy-map global_policy
>  class BGP
>   set connection random-sequence-number disable
>   set connection advanced-options BGP
>
> If I do the show service-policy flow:
>
> ASA003(config)# sh service-policy flow tcp host 200.100.34.254 host 192.168.103.1 eq 179
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any host 192.168.103.1 eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>                      set connection advanced-options BGP
>     Class-map: class-default
>       Match: any
>       Action:
>         Output flow:
> Interface outside:
>   Service-policy: outside
>     Class-map: IPS
>       Match: access-list IPS
>         Access rule: permit ip any any
>       Action:
>         Input flow:  ips inline fail-open
>     Class-map: class-default
>       Match: any
>       Action:
>
> Here is the NAT:
>
> NAT from inside:192.168.103.1 to outside:200.100.34.1
>     flags s idle 0:00:23 timeout 0:00:00
>
> However, the connection always stays like this:
>
> TCP outside 200.100.34.254:52812 inside 192.168.103.1:179, idle 0:00:00, bytes 0, flags SaAB
>
> I took captures on the ASA and I am able to see that the Option 19 is
> passing correctly, but on the Router 1 I only see:
>
> *May 2 02:04:16.383: %TCP-6-BADAUTH: Invalid MD5 digest from 200.100.34.254(55025) to 192.168.103.1(179)
>
> If I remove authentication, the Adjacency comes up instantly. I reloaded
> the routers just in case. No go.
>
> Any help would be appreciated.
>
> Mike.
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
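As an added illustration (not from the thread or from Cisco), the following script computes the RFC 2385 TCP MD5 signature that BGP `neighbor ... password` carries in TCP option 19, and then recomputes it the way the receiving router would after a middlebox has rewritten the packet. Both the IP addresses (the pseudo-header) and the sequence number (the fixed TCP header) are inputs to the digest, so either NAT or ASA sequence-number randomization on the path makes the receiver's check fail with exactly the `%TCP-6-BADAUTH` result in the post. Ports, the ISN and the option length are constructed values; the key `cisco` and the addresses come from the post.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
TCP_OPT_MD5_LEN = 18   # kind 19, length 18, 16-byte digest
FLAG_SYN = 0x02

def tcp_fixed_header(src_port, dst_port, seq, ack, flags, window, options_len):
    """20-byte TCP header without options; checksum and urgent pointer zero."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """RFC 2385 section 2: MD5 over the pseudo-header (src, dst, 0, proto,
    segment length), the fixed TCP header with checksum zero and options
    excluded, the segment data, and finally the shared key."""
    seg_len = len(fixed_header) + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))
    hdr = bytearray(fixed_header)
    hdr[16:18] = b"\x00\x00"          # checksum is assumed zero when signing
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()

def receiver_accepts(src_ip, dst_ip, fixed_header, options_len, payload, key, received):
    """What R1 does on receipt: recompute over the packet as it arrived."""
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key)
    return hmac.compare_digest(expected, received)

def walk_through_asa(key=b"cisco"):
    """Sign the SYN as R4 builds it, then verify it as R1 would see it with
    no ASA, after NAT only, and after sequence randomization only."""
    opts = TCP_OPT_MD5_LEN + 2            # MD5 option plus two NOP bytes (constructed)
    isn = 0x1A2B3C4D                      # constructed initial sequence number
    hdr = tcp_fixed_header(55025, 179, isn, 0, FLAG_SYN, 16384, opts)
    signed = tcp_md5_digest("200.100.34.254", "200.100.34.1", hdr, opts, b"", key)
    # (a) NAT rewrites dst 200.100.34.1 -> 192.168.103.1; seq untouched
    # (b) ASA shifts the ISN by a random offset; addresses untouched
    hdr_rand = tcp_fixed_header(55025, 179, (isn + 0x7E57) & 0xFFFFFFFF, 0,
                                FLAG_SYN, 16384, opts)
    return {
        "no_asa": receiver_accepts("200.100.34.254", "200.100.34.1", hdr, opts, b"", key, signed),
        "after_nat": receiver_accepts("200.100.34.254", "192.168.103.1", hdr, opts, b"", key, signed),
        "after_seq_randomization": receiver_accepts("200.100.34.254", "200.100.34.1", hdr_rand, opts, b"", key, signed),
    }

if __name__ == "__main__":
    print(walk_through_asa())
```

Disabling randomization fixes case (b) only; the digest still fails while the NAT between 192.168.103.1 and 200.100.34.1 is on the path, so the peering must be built on the addresses each router actually sees.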
