From: Thomas Larus (tlarus@cox.net)
Date: Sat Jun 07 2003 - 22:45:17 GMT-3
So I guess that means that the access-list on a router set up as a firewall
needs only one line for BGP.
ip access-list extended inboundfilter
permit tcp any any eq 179
or permit tcp any eq 179 any
but not both. Is that right?
I am working on a lab scenario I have cooked up where I have a firewall
router that peers with a backbone router, and does BGP peering with that
backbone router. I am doing NAT on the same firewall router and using
reflexive access-lists on it.
The funny thing is that a reflexive access-list example in the pertinent IOS
12.2 config guide shows an access-list statement like "permit bgp any any."
But BGP is not a separate protocol like TCP or UDP or ICMP, so it makes
sense that this is not an option on my router. Was this ever an option? I
guess it must have been, for Cisco to put it in a config guide.
It's late. I hope I am not missing something important here.
Tom Larus, CCIE #10,014
----- Original Message -----
From: "Volkov, Dmitry (IDS Canada)" <dmitry_volkov@ca.ml.com>
To: <ccielab@groupstudy.com>; <security@groupstudy.com>
Sent: Friday, June 06, 2003 5:40 PM
Subject: BGP session establishment through Firewall
> R1------(in)PIX(out)-----R2
> FW does PAT for inside network to outside
>
> Both peers trying to establish BGP via TCP 179.
> FW blocks TCP 179 in one way (from outside to inside, because no transl slot
> exist and no access-list conduit)
> however neighboring is established via another way session (from inside to
> outside) only.
> So, it's enough one way TCP - no necessity to open TCP 179 from outside to
> inside.
> Is it right? Is there any rule on which session is allowed to establish
> neighboring
> (like, I don't know, from higher BGP identifier to lower or something like
> that)?
>
>
> Dmitry
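The one-way behaviour both messages describe, written out as an added example that is not part of the thread: a small model of the boundary device with a PAT translation slot (as on the PIX) and a reflexive ACL mirror entry (as on the IOS router), both created only by traffic leaving the inside. All addresses and ports are constructed sample values, and StatefulBoundary is a hypothetical name for the model.

```python
from dataclasses import dataclass

BGP_PORT = 179

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulBoundary:
    """Hypothetical model of the stateful boundary from the thread: a PAT
    translation slot (PIX) plus a reflexive ACL mirror entry (IOS), both
    created only by traffic leaving the inside."""
    def __init__(self, outside_global):
        self.outside_global = outside_global
        self.next_pat_port = 1024
        self.xlate = {}      # (outside_global, pat_port) -> (inside_ip, inside_port)
        self.mirror = set()  # flows allowed back in: (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, p):
        # 'permit tcp any any eq 179' in the outbound direction; anything else is dropped
        if p.dst_port != BGP_PORT:
            return None
        pat_port = self.next_pat_port
        self.next_pat_port += 1
        self.xlate[(self.outside_global, pat_port)] = (p.src_ip, p.src_port)
        out = Packet(self.outside_global, pat_port, p.dst_ip, p.dst_port)
        self.mirror.add((out.dst_ip, out.dst_port, out.src_ip, out.src_port))
        return out

    def inbound(self, p):
        # no static permit for port 179 here: only mirrored flows with a slot pass
        if (p.src_ip, p.src_port, p.dst_ip, p.dst_port) not in self.mirror:
            return None
        inside_ip, inside_port = self.xlate[(p.dst_ip, p.dst_port)]
        return Packet(p.src_ip, p.src_port, inside_ip, inside_port)

def simulate():
    fw = StatefulBoundary("203.0.113.1")      # constructed sample addresses
    inside, peer = "10.0.0.1", "192.0.2.1"
    # peer opens first: no slot and no mirror entry, so the SYN is dropped
    blocked = fw.inbound(Packet(peer, 40000, "203.0.113.1", BGP_PORT))
    # inside router opens to the peer's port 179: slot and mirror entry created
    out = fw.outbound(Packet(inside, 50000, peer, BGP_PORT))
    # peer's reply to the PAT port is untranslated and passed by the mirror entry
    reply = fw.inbound(Packet(peer, BGP_PORT, out.src_ip, out.src_port))
    return blocked, out, reply
```

Running simulate() returns None for the outside-initiated attempt and a translated reply for the inside-initiated session, which is why a single outbound permit for TCP 179 is sufficient when the inside router opens the session.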
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:54 GMT-3