From: Stefan Grey (examplebrain@hotmail.com)
Date: Sat Aug 19 2006 - 13:33:19 ART
Sorry, thanks. I tried clear xlate but it also doesn't help.
Please try to answer ASAP so that I can send you other necessary info if
needed. Thanks again.
The config of the devices is as below:
R1fa0/1 - (inside) PIX (outside) - R2.
R1 and R2 are in AS2.
hostname R1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback5
ip address 34.34.34.34 255.255.255.0
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
router bgp 102
no synchronization
bgp log-neighbor-changes
network 34.34.34.0 mask 255.255.255.0
neighbor 10.1.1.2 remote-as 102
neighbor 10.1.1.2 password cisco
no auto-summary
!
ip classless
ip route 20.1.24.2 255.255.255.255 10.1.1.254
!
hostname R2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 20.1.24.2 255.255.255.0
duplex auto
speed auto
!
router bgp 102
no synchronization
neighbor 10.1.1.1 remote-as 102
neighbor 10.1.1.1 password cisco
no auto-summary
!
ip classless
ip route 10.1.1.1 255.255.255.255 20.1.24.254
!
!
PIX:
interface ethernet0 auto
interface ethernet0 vlan3 physical
interface ethernet0 vlan6 logical
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif vlan6 dmz6 security60
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
access-list OUTSIDE permit icmp host 20.1.24.4 host 10.1.1.1
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp host 20.1.24.2 host 10.1.1.1 eq bgp
access-list OUTSIDE permit tcp host 20.1.24.4 host 10.1.1.1 eq bgp
access-list OUTSIDE permit tcp any any eq bgp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
ip address outside 20.1.24.254 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
ip address dmz1 10.1.2.254 255.255.255.0
no ip address intf3
ip address dmz6 1.1.6.50 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address dmz6
pdm history enable
arp timeout 14400
static (outside,inside) 10.1.1.11 20.1.24.4 netmask 255.255.255.255 0 0
static (inside,outside) 150.100.1.125 150.100.1.125 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0 norandomseq
static (outside,inside) 10.1.1.2 20.1.24.2 netmask 255.255.255.255 0 0 norandomseq
access-group OUTSIDE in interface outside
router ospf 1
network 20.1.2.0 255.255.255.0 area 1
router-id 9.9.9.9
log-adj-changes
route inside 150.100.1.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
20.1.24.2(179)
*Aug 19 20:31:19.046: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(34278) to 20.1.24.2(179)
*Aug 19 20:31:23.046: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(34278) to 20.1.24.2(179)
*Aug 19 20:31:31.046: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(34278) to 20.1.24.2(179)
*Aug 19 20:32:19.478: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(65137) to 20.1.24.2(179)
*Aug 19 20:32:21.474: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(65137) to 20.1.24.2(179)
>From: "Richard L. Pickard" <richardlpickard@hotmail.com>
>To: "Stefan Grey" <examplebrain@hotmail.com>
>Subject: Re: IBGP authentication through the PIX problem
>Date: Sat, 19 Aug 2006 11:00:23 -0500
>
>
>Stefan, please send over your config from both routers & your PIX.
>I have asked you to send configs before & did not hear back from you.
>
>Have you tried the "clear x" command on the PIX?
>
>Richard
>CCIE | NNCSE
>
>//
>
>----- Original Message ----- From: "Stefan Grey" <examplebrain@hotmail.com>
>To: <ccielab@groupstudy.com>
>Sent: Saturday, August 19, 2006 10:54 AM
>Subject: IBGP authentication through the PIX problem
>
>
>>Hello, did anybody manage to configure the IBGP relationship between the
>>routers separated by the PIX?
>>
>>R1 - PIX - R2. Well, if R1 and R2 are in different AS, then there is a
>>simple solution of adding norandomseq to all static translations. But if
>>R1 and R2 are in one AS ... without the authentication the neighborship
>>is established, but with authentication I can't make it work. (Messages
>>always appear that the MD5 authentication is invalid and no password
>>is received.)
>>
>>I added norandomseq to the static translation of R1 address (which is
>>inside the PIX). Nothing helps.
>>
>>Did anybody ever make it work? Does anybody have any idea what is
>>wrong? I have seen this problem many times already and just have no idea
>>how to establish the relationship inside one AS.
>>
>>Thank you very much for help.
>
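
Added example, not part of the original thread: the TCP MD5 signature option (RFC 2385) hashes the source and destination IP addresses and the sequence number together with the shared key, so a segment whose address or sequence number is rewritten in transit no longer matches the digest the receiver recomputes. The addresses, port and password below come from the posted configs and log; the sequence numbers, window size and option length are constructed values.

```python
import hashlib
import socket
import struct

KEY = b"cisco"   # neighbor password from the posted router configs
SYN = 0x02       # TCP SYN flag; the first segment of the BGP session

def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack=0, flags=SYN,
                   payload=b"", key=KEY, window=16384, options_len=20):
    """RFC 2385 digest of one TCP segment.

    MD5 is taken over, in order: the pseudo-header (source IP, destination IP,
    zero byte, protocol 6, segment length), the 20-byte TCP header without
    options and with the checksum field zeroed, the segment data, the key.
    window and options_len are constructed defaults (assumptions).
    """
    hdr_len = 20 + options_len
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, hdr_len + len(payload)))
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (hdr_len // 4) << 12 | flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()

def receiver_accepts(sent, seen):
    """sent: fields as the sender signed them; seen: fields as they arrive.
    The digest carried in the option is not touched by the rewrite, so the
    receiver accepts only if hashing what it sees gives the same value."""
    return tcp_md5_digest(**sent) == tcp_md5_digest(**seen)

def demo():
    # R1 opens the session to 10.1.1.2, the address the PIX presents for R2.
    sent = dict(src_ip="10.1.1.1", dst_ip="10.1.1.2",
                sport=34278, dport=179, seq=1000)  # seq is a constructed value
    return {
        "unchanged": receiver_accepts(sent, dict(sent)),
        # Destination rewritten to R2's real address, as in the BADAUTH log.
        "dst_translated": receiver_accepts(sent, dict(sent, dst_ip="20.1.24.2")),
        # Sequence number rewritten in transit (what norandomseq disables).
        "seq_rewritten": receiver_accepts(sent, dict(sent, seq=987654321)),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15} -> {'digest valid' if ok else 'Invalid MD5 digest'}")
```
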