Re: RE : PIX RIP authentication MD5

From: Larry Roberts (groupstudy@american-hero.com)
Date: Tue Dec 28 2004 - 19:46:32 GMT-3


I'm not at a router right now, but your config should look something like:

key chain CCIE
 key 1
  key-string cisco
  ! ( or the encrypted version of your password )

router rip
 version 2
 no auto-summary
 network 10.0.0.0

interface ethernet0/0
 ip address 10.50.31.1 255.255.255.0
 ip rip authentication key-chain CCIE
 ip rip authentication mode md5

Can you post your PIX configuration showing its IPs, its rip
statements, and its "show routes"?

How many routes do you get when the updates are not authenticated versus
when they are authenticated?

Re-reading your original e-mail, you mentioned removing authentication
from the PIX. Did you also remove authentication from the router when
you received the updates, or did they come in when you just removed the
authentication from the PIX? I ask, because if removing the
authentication from the PIX only causes the routes to be installed, then
the router is not sending authenticated updates. Your debug *should*
have shown that, but it doesn't.

btw, practice lab 1 eh? I thought those IP's looked familiar :)

Michael Wong wrote:
> I turned on "debug rip" but it does not say anything about
> "authentication failed" after I did a "clear ip route *" at the router,
> see attached output. I also turned on debug ip rip events at the
> router, nothing talks about the authentication.
>
> The order I did is mode first then key-chain. I also rebooted the
> router. The router is running 12.2-19a.
>
> Do I need to configure something under router rip? right now the only
> relevant one is the neighbor 10.50.31.2 pointing to the PIX.
>
> thanks!
> Michael
>
> 220: RIP: interface inside received v2 update from 10.10.6.1
> 221: RIP: update contains 1 routes
> 222: RIP: Advertise network 192.168.6.0 mask 255.255.255.0 gateway 10.10.6.1 metric 1
> 223: RIP: interface outside received v2 update from 10.50.31.1
> 224: RIP: interface outside received v2 update from 10.50.31.1
> 225: RIP: interface inside sending v2 update to 224.0.0.9
> 226: RIP: interface outside received v2 update from 10.50.31.1
> 227: RIP: interface outside received v2 update from 10.50.31.1
> 228: RIP: interface inside received v2 update from 10.10.6.1
> 229: RIP: update contains 1 routes
> 230: RIP: Advertise network 192.168.6.0 mask 255.255.255.0 gateway 10.10.6.1 metric 1
> 231: RIP: interface inside received v2 update from 10.10.6.1
> 232: RIP: update contains 1 routes
> 233: RIP: Advertise network 192.168.6.0 mask 255.255.255.0 gateway 10.10.6.1 metric 1
> 234: RIP: interface outside received v2 update from 10.50.31.1
> 235: RIP: interface outside received v2 update from 10.50.31.1
> 236: RIP: interface inside received v2 update from 10.10.6.1
> 237: RIP: update contains 1 routes
> 238: RIP: Advertise network 192.168.6.0 mask 255.255.255.0 gateway 10.10.6.1 metric 1
> 239: RIP: interface inside received v2 update from 10.10.6.1
> 240: RIP: update contains 1 routes
> 241: RIP: Advertise network 192.168.6.0 mask 255.255.255.0 gateway 10.10.6.1 metric 1
> 242: RIP: interface inside sending v2 update to 224.0.0.9
>
>
>
> */Larry Roberts <groupstudy@american-hero.com>/* wrote:
>
> If you do a debug on the PIX of rip, do you see the routes coming in,
> and do you see a message about "authentication failed" ?
>
> When you added your rip configuration to E0/0, did you add the mode
> first, then the key-chain? I usually have errors unless I add mode
> first.
>
> I agree with rebooting your router and see if that helps.
>
>
>
> Richard Dumoulin wrote:
> > How do you know it is the PIX and not the router? Can you reboot your router
> > please, for some IOS the order to enter the rip authentication commands is
> > important,
> >
> > -- Richard
> >
> > -----Original Message-----
> > From: Michael Wong [mailto:generalccie@yahoo.com]
> > Sent: Tuesday, December 28, 2004 6:24 AM
> > To: ccielab@groupstudy.com
> > Subject: PIX RIP authentication MD5
> >
> > Hi,
> >
> > I am not able to get PIX RIP authentication running using MD5. Without MD5,
> > the routing is fine, when I turned on MD5 using the following, PIX no longer
> > gets RIP routes, could you spot anything I am missing? thanks.
> >
> > on PIX:
> >
> > rip outside passive version 2 authentication md5 cisco 1
> >
> > on Router:
> > !
> > key chain r3
> > key 1
> > key-string cisco
> > !
> > interface Ethernet0/0
> > ip address 10.50.31.1 255.255.255.0
> > ip rip authentication mode md5
> > ip rip authentication key-chain r3
> > half-duplex
> > !
> >
> > thanks,
> > Michael
> >
> _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Thanks,
>
> Larry

-- 
Thanks,

Larry
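
Added example, not part of the original thread: since the debug output above does not show whether the router's updates carry authentication, this sketch inspects a captured RIPv2 UDP payload directly and reports the authentication type, key ID and whether the keyed-MD5 digest matches a given key. It assumes the RFC 2082 layout and digest (packet through the trailer header, followed by the key zero-padded to 16 bytes); the function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

AUTH_AFI, AUTH_TEXT, AUTH_MD5 = 0xFFFF, 2, 3   # RFC 2453 / RFC 2082 values

def pad_key(key: bytes) -> bytes:
    """RFC 2082 uses a 16-byte key; shorter keys are zero-padded."""
    return key.ljust(16, b"\x00")[:16]

def build_update(routes, key=None, key_id=1, seq=1) -> bytes:
    """Build a constructed RIPv2 response, with keyed-MD5 auth if key is given."""
    pkt = struct.pack("!BBH", 2, 2, 0)                     # command=response, version=2
    if key is not None:
        pkt_len = 4 + 20 + 20 * len(routes)                # header + auth entry + routes
        pkt += struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq)
    for net, mask, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(net),
                           socket.inet_aton(mask), b"\x00" * 4, metric)
    if key is not None:
        pkt += struct.pack("!HH", AUTH_AFI, 1)             # trailer header
        pkt += hashlib.md5(pkt + pad_key(key)).digest()    # digest takes the key's place
    return pkt

def check_update(pkt: bytes, key: bytes) -> dict:
    """Classify a RIPv2 payload's authentication and verify a keyed-MD5 digest."""
    if len(pkt) < 24 or pkt[1] != 2:
        return {"auth": "invalid"}                         # too short or not version 2
    afi, auth_type = struct.unpack_from("!HH", pkt, 4)
    if afi != AUTH_AFI:
        return {"auth": "none"}                            # first entry is a plain route
    if auth_type != AUTH_MD5:
        return {"auth": "text" if auth_type == AUTH_TEXT else "unknown"}
    pkt_len, key_id, _auth_len, seq = struct.unpack_from("!HBBI", pkt, 8)
    if len(pkt) < pkt_len + 20:                            # trailer missing or truncated
        return {"auth": "md5", "key_id": key_id, "seq": seq, "digest_ok": False}
    expected = hashlib.md5(pkt[:pkt_len + 4] + pad_key(key)).digest()
    ok = hmac.compare_digest(pkt[pkt_len + 4:pkt_len + 20], expected)
    return {"auth": "md5", "key_id": key_id, "seq": seq, "digest_ok": ok}

# Constructed sample route; a real check would feed in the UDP/520 payload from a capture.
ROUTES = [("192.168.6.0", "255.255.255.0", 1)]

if __name__ == "__main__":
    print(check_update(build_update(ROUTES, key=b"cisco"), b"cisco"))
    print(check_update(build_update(ROUTES), b"cisco"))
```

A result of "none" for the router's updates would confirm the case described above, where the router is not sending authenticated updates; "md5" with a false digest_ok or an unexpected key_id points at a key mismatch instead.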



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:31 GMT-3