From: Stefan Grey (examplebrain@hotmail.com)
Date: Sat Aug 19 2006 - 17:42:33 ART
>From: "Richard L. Pickard" <richardlpickard@hotmail.com>
>To: "Stefan Grey" <examplebrain@hotmail.com>
>Subject: Re: IBGP authentication through the PIX problem
>Date: Sat, 19 Aug 2006 14:41:43 -0500
>
>
>
>okay - tell me what these are for :
>
>static (outside,inside) 10.1.1.11 20.1.24.4 netmask 255.255.255.255 0 0
>static (outside,inside) 10.1.1.2 20.1.24.2 netmask 255.255.255.255 0 0 norandomseq
>
>take both of them out, do a clear x & a clear a & tell me what happens
>
>R
>
>
>
>
>
>----- Original Message ----- From: "Stefan Grey" <examplebrain@hotmail.com>
>To: <richardlpickard@hotmail.com>; <ccielab@groupstudy.com>
>Sent: Saturday, August 19, 2006 11:33 AM
>Subject: Re: IBGP authentication through the PIX problem
>
>
>>Sorry, thanks. I tried clear xlate but it also doesn't help.
>>Please try to answer ASAP so that I can send you other necessary info if
>>needed. Thanks again.
>>
>>
>>The config of the devices is as below:
>>
>>R1fa0/1 - (inside) PIX (outside) - R2.
>>
>>R1 and R2 are in AS2.
>>
>>
>>hostname R1
>>!
>>interface Loopback0
>>ip address 1.1.1.1 255.255.255.0
>>!
>>interface Loopback5
>>ip address 34.34.34.34 255.255.255.0
>>!
>>interface FastEthernet0/1
>>ip address 10.1.1.1 255.255.255.0
>>duplex auto
>>speed auto
>>!
>>router bgp 102
>>no synchronization
>>bgp log-neighbor-changes
>>network 34.34.34.0 mask 255.255.255.0
>>neighbor 10.1.1.2 remote-as 102
>>neighbor 10.1.1.2 password cisco
>>no auto-summary
>>!
>>ip classless
>>ip route 20.1.24.2 255.255.255.255 10.1.1.254
>>!
>>
>>hostname R2
>>!
>>interface Loopback0
>>ip address 2.2.2.2 255.255.255.0
>>!
>>interface FastEthernet0/0
>>ip address 20.1.24.2 255.255.255.0
>>duplex auto
>>speed auto
>>!
>>router bgp 102
>>no synchronization
>>neighbor 10.1.1.1 remote-as 102
>>neighbor 10.1.1.1 password cisco
>>no auto-summary
>>!
>>ip classless
>>ip route 10.1.1.1 255.255.255.255 20.1.24.254
>>!
>>!
>>
>>
>>PIX:
>>
>>interface ethernet0 auto
>>interface ethernet0 vlan3 physical
>>interface ethernet0 vlan6 logical
>>interface ethernet1 auto
>>interface ethernet2 auto
>>interface ethernet3 auto shutdown
>>nameif ethernet0 outside security0
>>nameif ethernet1 inside security100
>>nameif ethernet2 dmz1 security50
>>nameif ethernet3 intf3 security6
>>nameif vlan6 dmz6 security60
>>enable password 8Ry2YjIyt7RRXU24 encrypted
>>passwd 2KFQnbNIdI.2KYOU encrypted
>>hostname PIX
>>access-list OUTSIDE permit icmp host 20.1.24.4 host 10.1.1.1
>>access-list OUTSIDE permit icmp any any
>>access-list OUTSIDE permit tcp host 20.1.24.2 host 10.1.1.1 eq bgp
>>access-list OUTSIDE permit tcp host 20.1.24.4 host 10.1.1.1 eq bgp
>>access-list OUTSIDE permit tcp any any eq bgp
>>pager lines 24
>>mtu outside 1500
>>mtu inside 1500
>>mtu dmz1 1500
>>mtu intf3 1500
>>ip address outside 20.1.24.254 255.255.255.0
>>ip address inside 10.1.1.254 255.255.255.0
>>ip address dmz1 10.1.2.254 255.255.255.0
>>no ip address intf3
>>ip address dmz6 1.1.6.50 255.0.0.0
>>ip audit info action alarm
>>ip audit attack action alarm
>>no failover
>>failover timeout 0:00:00
>>failover poll 15
>>no failover ip address outside
>>no failover ip address inside
>>no failover ip address dmz1
>>no failover ip address intf3
>>no failover ip address dmz6
>>pdm history enable
>>arp timeout 14400
>>static (outside,inside) 10.1.1.11 20.1.24.4 netmask 255.255.255.255 0 0
>>static (inside,outside) 150.100.1.125 150.100.1.125 netmask 255.255.255.255 0 0
>>static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0 norandomseq
>>static (outside,inside) 10.1.1.2 20.1.24.2 netmask 255.255.255.255 0 0 norandomseq
>>access-group OUTSIDE in interface outside
>>router ospf 1
>> network 20.1.2.0 255.255.255.0 area 1
>> router-id 9.9.9.9
>> log-adj-changes
>>route inside 150.100.1.0 255.255.255.0 10.1.1.1 1
>>timeout xlate 3:00:00
>>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
>>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
>>timeout sip-disconnect 0:02:00 sip-invite 0:03:00
>>timeout uauth 0:05:00 absolute
>>aaa-server TACACS+ protocol tacacs+
>>aaa-server TACACS+ max-failed-attempts 3
>>aaa-server TACACS+ deadtime 10
>>aaa-server RADIUS protocol radius
>>aaa-server RADIUS max-failed-attempts 3
>>aaa-server RADIUS deadtime 10
>>aaa-server LOCAL protocol local
>>no snmp-server location
>>no snmp-server contact
>>snmp-server community public
>>no snmp-server enable traps
>>floodguard enable
>>telnet timeout 5
>>ssh timeout 5
>>console timeout 0
>>
>>
>>20.1.24.2(179)
>>*Aug 19 20:31:19.046: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(34278) to 20.1.24.2(179)
>>*Aug 19 20:31:23.046: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(34278) to 20.1.24.2(179)
>>*Aug 19 20:31:31.046: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(34278) to 20.1.24.2(179)
>>*Aug 19 20:32:19.478: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(65137) to 20.1.24.2(179)
>>*Aug 19 20:32:21.474: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.1(65137) to 20.1.24.2(179)
>>
>>>From: "Richard L. Pickard" <richardlpickard@hotmail.com>
>>>To: "Stefan Grey" <examplebrain@hotmail.com>
>>>Subject: Re: IBGP authentication through the PIX problem
>>>Date: Sat, 19 Aug 2006 11:00:23 -0500
>>>
>>>
>>>Stefan, please send over your config from both routers & your PIX.
>>>I have asked you to send configs before & did not hear back from you.
>>>
>>>Have you tried the "clear x" command on the PIX?
>>>
>>>Richard
>>>CCIE | NNCSE
>>>
>>>//
>>>
>>>----- Original Message ----- From: "Stefan Grey"
>>><examplebrain@hotmail.com>
>>>To: <ccielab@groupstudy.com>
>>>Sent: Saturday, August 19, 2006 10:54 AM
>>>Subject: IBGP authentication through the PIX problem
>>>
>>>
>>>>Hello, did anybody manage to configure the IBGP relationship between
>>>>routers separated by the PIX?
>>>>
>>>>R1 - PIX - R2. Well, if R1 and R2 are in different ASes then there is a
>>>>simple solution of adding norandomseq to all static translations. But if
>>>>R1 and R2 are in one AS ... without authentication the neighborship
>>>>is established, but with authentication I can't make it work. (Messages
>>>>always appear saying that the MD5 authentication is invalid and no
>>>>password is received.)
>>>>
>>>>I added norandomseq to the static translation of R1's address (which is
>>>>inside the PIX). Nothing helps.
>>>>
>>>>Has anybody ever made it work? Does anybody have an idea what is
>>>>wrong? I have seen this problem many times already and just have no idea
>>>>how to establish the relationship inside one AS.
>>>>
>>>>Thank you very much for the help.
>>>>
>>>>_______________________________________________________________________
>>>>Subscription information may be found at:
>>>>http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>
>
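
Added illustration, not part of the original thread: the BGP neighbor password enables the TCP MD5 signature option (RFC 2385), whose digest covers the IP source and destination addresses and the TCP sequence number, so a firewall that rewrites either one in transit makes the receiver's recomputed digest differ. The addresses, port 34278 and password come from the configs and log quoted above; the sequence numbers, window and header length are constructed values.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"cisco"  # neighbor password from the R1/R2 configs in the thread

def tcp_md5_digest(src, dst, sport, dport, seq, ack=0, flags=0x02,
                   window=16384, header_len=40, payload=b""):
    """RFC 2385: MD5(pseudo-header | TCP header w/o options, checksum 0 | data | key)."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, header_len + len(payload)))
    offset_flags = ((header_len // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + KEY).digest()

def receiver_accepts(signed, arrived):
    """True if the digest made over `signed` matches the one recomputed over `arrived`."""
    return hmac.compare_digest(tcp_md5_digest(**signed), tcp_md5_digest(**arrived))

def run_cases():
    # SYN as R1 signs it: the peer address it knows is the translated 10.1.1.2.
    # The seq value is constructed; port 34278 is the one in the BADAUTH log.
    syn = dict(src="10.1.1.1", dst="10.1.1.2", sport=34278, dport=179, seq=1000)
    return {
        "untouched": receiver_accepts(syn, syn),
        # static (outside,inside) 10.1.1.2 20.1.24.2 rewrites the destination
        "dst_rewritten": receiver_accepts(syn, {**syn, "dst": "20.1.24.2"}),
        # without norandomseq the firewall substitutes its own sequence number
        "seq_randomized": receiver_accepts(syn, {**syn, "seq": 0x5EED1234}),
    }

if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:15} digest {'valid' if ok else 'INVALID'}")
```
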
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART