Re: [OSL | CCIE_Security] ASA BGP Auth Passing through

[Mike Rojas]

Jay and Jason, 

Thanks for the help. On the class map I had the ACL... as you can see on the 
show service-policy flow

   Class-map: BGP
      Match: access-list BGP
        Access rule: permit tcp any host 192.168.103.1 eq bgp

It does match bgp with the Address there. 

I did the NAT rule bypassing NAT, change the Neighbor to the private IP and it 
worked like a charm 

*May  3 00:39:58.734: %BGP-5-ADJCHANGE: neighbor 200.100.34.254 Up

Thanks for the Help. 

Mike. 



Date: Wed, 1 May 2013 21:37:21 -0700
From: jay.mcmic...@yahoo.com
Subject: Re: [OSL | CCIE_Security] ASA BGP Auth Passing through
To: mike_c...@hotmail.com; madsen.ja...@gmail.com
CC: ccie_security@onlinestudylist.com

I've never ran across this, but interesting in fact. What I remember (from a 
non-nat situation), and what you didn't put below, is the class-map. What does 
your class-map have in it?  The service-policy looks like you are calling an 
ACL. What if you were to get less restrictive with your ACL, and remove the 
possibility of an ASA 8.4+ NAT issue, and use a different class map?  This 
would remove the host restriction and just check on the BGP port. class-map BGP 
match port tcp eq bgp The rest is the same. Let us hear
 back.  Regards,Jay McMickle- 2x CCIE #35355 (R&S,Sec)
 
        From: Mike Rojas <mike_c...@hotmail.com>
 To: Jason Madsen <madsen.ja...@gmail.com> 
Cc: "ccie_security@onlinestudylist.com" <ccie_security@onlinestudylist.com> 
 Sent: Wednesday, May 1, 2013 11:05 PM
 Subject: Re: [OSL | CCIE_Security] ASA BGP Auth Passing through
   
That's the issue. I remember i had to put a Nat0 on the old v3 lab.. Ill 
configure a manual NAT tomorrow on my lab and test out. Pretty much I think 
thats the issue.

Sent from my iPhone
On May 1, 2013, at 9:31 PM, "Jason Madsen" <madsen.ja...@gmail.com> wrote:

Hi Mike,
I don't believe you can use NAT here as the BGP source address is built into 
the MD5
 hash. 

Jason

On Wed, May 1, 2013 at 9:07 PM, Mike Rojas <mike_c...@hotmail.com> wrote:




Hi, 

I am having troubles with BGP passing through with authentication. I configured 
the routers as follow (Since the Initial configs are not ready, but based on 
the exercise you kind of know where it is going :)) 


R1 
router bgp 14
 no synchronization
 bgp log-neighbor-changes
 network 11.11.11.0
 neighbor 200.100.34.254 remote-as 14
 neighbor 200.100.34.254 password cisco
 no auto-summary

R4
router bgp 14

 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.4
 neighbor 200.100.34.1 remote-as 14
 neighbor 200.100.34.1 password cisco
 no auto-summary

Now, in order to allow this across the ASA, I configured the following: 


access-list BGP extended permit tcp any host 192.168.103.1 eq bgp
access-list BGP extended permit tcp host 192.168.103.1 any eq bgp

tcp-map BGP
  tcp-options range 19 19 allow

policy-map global_policy

    class BGP
       set connection random-sequence-number disable
          set connection advanced-options BGP

If I do the show service-policy flow: 

ASA003(config)# sh service-policy flow tcp host 200.100.34.254 host 
192.168.103.1 eq 179


Global policy:
  Service-policy: global_policy
    Class-map: BGP
      Match: access-list BGP
        Access rule: permit tcp any host 192.168.103.1 eq bgp
      Action:
        Input flow:  set connection random-sequence-number disable

  set connection advanced-options BGP
    Class-map: class-default
      Match: any
      Action:
        Output flow:
Interface outside:
  Service-policy: outside
    Class-map: IPS
      Match: access-list IPS

        Access rule: permit ip any any
      Action:
        Input flow:  ips inline fail-open
    Class-map: class-default
      Match: any
      Action:

Here is the NAT: 

NAT from inside:192.168.103.1 to outside:200.100.34.1

    flags s idle 0:00:23 timeout 0:00:00

However, the connection always stays like this: 

TCP outside  200.100.34.254:52812 inside  192.168.103.1:179, idle 0:00:00, 
bytes 0, flags SaAB


I took captures on the ASA and I am able to see that the Option 19 is passing 
correctly, but on the Router 1 I only see: 
*May  2 02:04:16.383: %TCP-6-BADAUTH: Invalid MD5 digest from 
200.100.34.254(55025) to 192.168.103.1(179)


If I remove authentication, the Adjacency comes up instantly. I reloaded the 
routers just in case. No go. 

Any help would be appreciated. 

Mike. 

                                          


_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
http://www.ipexpert.com/



Are you a CCNP or CCIE and looking for a job? Check out 
http://www.platinumplacement.com/



_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

                                          
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com