Jay and Jason,
Thanks for the help. On the class map I had the ACL... as you can see on the
show service-policy flow
Class-map: BGP
Match: access-list BGP
Access rule: permit tcp any host 192.168.103.1 eq bgp
It does match bgp with the Address there.
I did the NAT rule bypassing NAT, change the Neighbor to the private IP and it
worked like a charm
*May 3 00:39:58.734: %BGP-5-ADJCHANGE: neighbor 200.100.34.254 Up
Thanks for the Help.
Mike.
Date: Wed, 1 May 2013 21:37:21 -0700
From: [email protected]
Subject: Re: [OSL | CCIE_Security] ASA BGP Auth Passing through
To: [email protected]; [email protected]
CC: [email protected]
I've never ran across this, but interesting in fact. What I remember (from a
non-nat situation), and what you didn't put below, is the class-map. What does
your class-map have in it? The service-policy looks like you are calling an
ACL. What if you were to get less restrictive with your ACL, and remove the
possibility of an ASA 8.4+ NAT issue, and use a different class map? This
would remove the host restriction and just check on the BGP port. class-map BGP
match port tcp eq bgp The rest is the same. Let us hear
back. Regards,Jay McMickle- 2x CCIE #35355 (R&S,Sec)
From: Mike Rojas <[email protected]>
To: Jason Madsen <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Wednesday, May 1, 2013 11:05 PM
Subject: Re: [OSL | CCIE_Security] ASA BGP Auth Passing through
That's the issue. I remember i had to put a Nat0 on the old v3 lab.. Ill
configure a manual NAT tomorrow on my lab and test out. Pretty much I think
thats the issue.
Sent from my iPhone
On May 1, 2013, at 9:31 PM, "Jason Madsen" <[email protected]> wrote:
Hi Mike,
I don't believe you can use NAT here as the BGP source address is built into
the MD5
hash.
Jason
On Wed, May 1, 2013 at 9:07 PM, Mike Rojas <[email protected]> wrote:
Hi,
I am having troubles with BGP passing through with authentication. I configured
the routers as follow (Since the Initial configs are not ready, but based on
the exercise you kind of know where it is going :))
R1
router bgp 14
no synchronization
bgp log-neighbor-changes
network 11.11.11.0
neighbor 200.100.34.254 remote-as 14
neighbor 200.100.34.254 password cisco
no auto-summary
R4
router bgp 14
no synchronization
bgp log-neighbor-changes
network 4.4.4.4
neighbor 200.100.34.1 remote-as 14
neighbor 200.100.34.1 password cisco
no auto-summary
Now, in order to allow this across the ASA, I configured the following:
access-list BGP extended permit tcp any host 192.168.103.1 eq bgp
access-list BGP extended permit tcp host 192.168.103.1 any eq bgp
tcp-map BGP
tcp-options range 19 19 allow
policy-map global_policy
class BGP
set connection random-sequence-number disable
set connection advanced-options BGP
If I do the show service-policy flow:
ASA003(config)# sh service-policy flow tcp host 200.100.34.254 host
192.168.103.1 eq 179
Global policy:
Service-policy: global_policy
Class-map: BGP
Match: access-list BGP
Access rule: permit tcp any host 192.168.103.1 eq bgp
Action:
Input flow: set connection random-sequence-number disable
set connection advanced-options BGP
Class-map: class-default
Match: any
Action:
Output flow:
Interface outside:
Service-policy: outside
Class-map: IPS
Match: access-list IPS
Access rule: permit ip any any
Action:
Input flow: ips inline fail-open
Class-map: class-default
Match: any
Action:
Here is the NAT:
NAT from inside:192.168.103.1 to outside:200.100.34.1
flags s idle 0:00:23 timeout 0:00:00
However, the connection always stays like this:
TCP outside 200.100.34.254:52812 inside 192.168.103.1:179, idle 0:00:00,
bytes 0, flags SaAB
I took captures on the ASA and I am able to see that the Option 19 is passing
correctly, but on the Router 1 I only see:
*May 2 02:04:16.383: %TCP-6-BADAUTH: Invalid MD5 digest from
200.100.34.254(55025) to 192.168.103.1(179)
If I remove authentication, the Adjacency comes up instantly. I reloaded the
routers just in case. No go.
Any help would be appreciated.
Mike.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
http://www.ipexpert.com/
Are you a CCNP or CCIE and looking for a job? Check out
http://www.platinumplacement.com/
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com