RE: BGP session establishment through Firewall

From: Raymond Jett (rajett) (rajett@cisco.com)
Date: Mon Jun 09 2003 - 12:27:23 GMT-3


Use Statics and do a "norandseq" on the line to turn off the PIX doing the
re-randomization of the sequence numbers to do the BGP through the firewall.

Somewhere I have a config on this.

Raymond

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Volkov, Dmitry (IDS Canada)
Sent: Friday, June 06, 2003 4:40 PM
To: 'ccielab@groupstudy.com'; 'security@groupstudy.com'
Subject: BGP session establishment through Firewall

R1------(in)PIX(out)-----R2
FW does PAT for inside network to outside

Both peers are trying to establish BGP via TCP 179.
FW blocks TCP 179 in one way (from outside to inside, because no transl slot
exists and no access-list conduit), however neighboring is established via
another way session (from inside to outside) only.
So, it's enough one way TCP - no necessity to open TCP 179 from outside to
inside. Is it right? Is there any rule - which session is allowed to
establish neighboring (like, I don't know, from higher BGP identifier to
lower or something like that)?

Dmitry
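The one-way scenario described in the question, modelled as an added example (not code from either message in this thread): a firewall that only permits inside-to-outside TCP/179, two speakers that both attempt to connect, and the collision rule from RFC 4271 section 6.8 that decides which connection survives when both attempts get through. The firewall model, speaker names and router-ids are constructed; sequence-number randomization is not modelled.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Speaker:
    name: str
    bgp_id: str   # BGP Identifier (router-id) as a dotted quad
    side: str     # "inside" or "outside" relative to the firewall


def id_value(bgp_id: str) -> int:
    """RFC 4271 compares BGP Identifiers as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(bgp_id))


def firewall_permits(src: Speaker, dst: Speaker, outside_to_inside: bool) -> bool:
    """Stateful firewall model (constructed): inside->outside TCP/179 always
    creates a translation slot; outside->inside needs an explicit permit
    (static translation plus access-list), otherwise the SYN is dropped."""
    if src.side == "inside" and dst.side == "outside":
        return True
    if src.side == "outside" and dst.side == "inside":
        return outside_to_inside
    return True  # same side: firewall is not in the path


def establish(a: Speaker, b: Speaker, outside_to_inside: bool) -> list[str]:
    """Both speakers attempt an active open at the same time.

    Returns the names of the initiators whose TCP connection survives.
    One surviving connection is all BGP needs; if both get through,
    RFC 4271 6.8 keeps the connection initiated by the higher BGP Identifier."""
    attempts = [(a, b), (b, a)]
    opened = [src for src, dst in attempts
              if firewall_permits(src, dst, outside_to_inside)]
    if len(opened) <= 1:
        return [s.name for s in opened]
    winner = max(opened, key=lambda s: id_value(s.bgp_id))
    return [winner.name]


if __name__ == "__main__":
    r1 = Speaker("R1", "10.1.1.1", "inside")     # constructed router-ids
    r2 = Speaker("R2", "200.1.1.1", "outside")
    # Only the inside-initiated session gets through; the peering still comes up.
    print(establish(r1, r2, outside_to_inside=False))  # ['R1']
    # Both directions open: collision, the higher BGP Identifier (R2) wins.
    print(establish(r1, r2, outside_to_inside=True))   # ['R2']
```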



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:55 GMT-3