RE: BGP through pix

From: Seffens, Danny (Danny.Seffens@bmcjax.com)
Date: Mon Sep 18 2006 - 14:02:29 ART


Are you using BGP authentication? If you are, and have entered a static
on the PIX for the router that is on the inside of the PIX, then you
have to add the norandomseq keyword to the end of the static command.
This prevents the PIX from randomizing the TCP sequence number. Without
this keyword, the PIX will randomize the TCP sequence number, which
changes the MD5 hash of the BGP packet, effectively breaking BGP
authentication.
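
As an added illustration (not part of Danny's message and not Cisco code), the Python below models the RFC 2385 TCP MD5 signature that BGP uses for "neighbor ... password" and shows why a firewall that shifts TCP sequence numbers makes the far-end router reject the segment: the digest covers the sequence number, so the receiver computes a different hash. Addresses, ports, key, AS number and offset are constructed test values, and firewall_rewrite_seq is a simplified stand-in for the PIX's randomization, with offset 0 standing in for norandomseq.

```python
"""Model of the RFC 2385 TCP MD5 signature used by BGP 'neighbor ... password'.

Added example for this thread, not code from the original posts or from Cisco.
It shows why a firewall that rewrites TCP sequence numbers breaks BGP MD5
authentication: the signature covers the sequence number, so the far-end router
recomputes a different digest and discards the segment. All addresses, ports,
keys and offsets below are constructed test values.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace
from typing import Optional

TCP_PROTO = 6
BGP_PORT = 179


@dataclass(frozen=True)
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset_words: int  # header length in 32-bit words, options included
    flags: int
    window: int
    urgent: int = 0

    def pack(self) -> bytes:
        """20-byte fixed TCP header with the checksum field zeroed (RFC 2385 2.0)."""
        offset_flags = (self.data_offset_words << 12) | (self.flags & 0x1FF)
        return struct.pack("!HHIIHHHH", self.src_port, self.dst_port,
                           self.seq & 0xFFFFFFFF, self.ack & 0xFFFFFFFF,
                           offset_flags, self.window, 0, self.urgent)


def tcp_md5_signature(src_ip: str, dst_ip: str, hdr: TcpHeader,
                      payload: bytes, key: bytes) -> bytes:
    """MD5 over: IP pseudo-header (src, dst, zero, protocol, TCP segment length),
    fixed TCP header without options, segment data, then the shared key."""
    seg_len = hdr.data_offset_words * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    h = hashlib.md5()
    for part in (pseudo, hdr.pack(), payload, key):
        h.update(part)
    return h.digest()


def verify(src_ip: str, dst_ip: str, hdr: TcpHeader, payload: bytes,
           key: bytes, received_sig: bytes) -> bool:
    """Receiver-side check: recompute over the segment as it actually arrived."""
    expected = tcp_md5_signature(src_ip, dst_ip, hdr, payload, key)
    return hmac.compare_digest(expected, received_sig)


def firewall_rewrite_seq(hdr: TcpHeader, offset: int) -> TcpHeader:
    """Simplified stand-in for a firewall's sequence-number randomization:
    every sequence number on the flow is shifted by a per-connection offset.
    offset=0 models the PIX 'norandomseq' behaviour (sequence left alone)."""
    return replace(hdr, seq=(hdr.seq + offset) & 0xFFFFFFFF)


def demo(seq_offset: int, translated_src: Optional[str] = None) -> bool:
    """R1 (inside) signs a BGP OPEN toward R2 (outside); the segment crosses a
    firewall that may shift the sequence number and/or translate the source
    address; R2 verifies with the same key. Returns R2's verdict."""
    r1, r2 = "10.0.0.1", "192.0.2.1"          # constructed addresses
    key = b"bgp-shared-secret"                # constructed shared secret
    # Minimal BGP OPEN: 16-byte marker, length 29, type 1, version 4,
    # AS 65001, hold time 180, BGP identifier 10.0.0.1, no optional params.
    bgp_open = b"\xff" * 16 + struct.pack("!HBBHHIB", 29, 1, 4, 65001, 180,
                                          0x0A000001, 0)
    # Data offset 10 words: 20-byte fixed header + 18-byte MD5 option + 2 pad.
    hdr = TcpHeader(src_port=40179, dst_port=BGP_PORT, seq=0x11223344, ack=0,
                    data_offset_words=10, flags=0x018, window=16384)
    sig = tcp_md5_signature(r1, r2, hdr, bgp_open, key)   # computed by R1
    seen_hdr = firewall_rewrite_seq(hdr, seq_offset)      # what R2 receives
    seen_src = translated_src or r1
    return verify(seen_src, r2, seen_hdr, bgp_open, key, sig)


if __name__ == "__main__":
    print("sequence untouched (norandomseq):", demo(0))                 # True
    print("sequence randomized:             ", demo(0x1A2B3C))          # False
    print("source address translated:       ", demo(0, "203.0.113.5"))  # False
```

With the sequence left alone the far end verifies the segment; once the firewall shifts it, verification fails and the BGP session never comes up. Note that the digest also covers the IP pseudo-header, so a static that actually translates the address (rather than an identity static) breaks the signature as well, regardless of norandomseq.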

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
pablo.smiraglia@verizon.com
Sent: Monday, September 18, 2006 10:48 AM
To: 2nd CCIE
Cc: ccielab@groupstudy.com; nobody@groupstudy.com;
security@groupstudy.com
Subject: Re: BGP through pix

Assuming that natting and other basic issues were taken care of (i.e. let
"any" inside traffic flow to "outside", as is the default behavior), your
configuration should be good enough for R1 to successfully start a BGP
session with R2, but not the other way around. This may be good or
desired in many cases.

My guess: just be patient and wait a couple of minutes to be sure that R1
"tries" to start the BGP session...

HTH,
pablo.

PS: if natting is involved, you will need to deal with BGP next-hop
issues, which are unrelated to your problem at this point.

"2nd CCIE" <doubleccie@yahoo.com>
Sent by: nobody@groupstudy.com
09/18/2006 07:53 AM
Please respond to
"2nd CCIE" <doubleccie@yahoo.com>

To
ccielab@groupstudy.com, security@groupstudy.com
cc

Subject
BGP through pix

Guys,
  I am confused here.

  R1-----------pix>>--------R2

  If I configure R1 to peer with R2 and R2 to peer with R1 using the
update-source loopback and the ebgp-multihop options, do I still need to
allow BGP on the external ACL of the PIX? Why not let R1 peer with R2
(not the other way around) without enabling anything on the PIX?

  My configuration works only when I allow BGP to pass through the PIX
via an ACL from outside to inside.

  Is there a way to force the peering direction?

  thx




This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART