From: Sam Lai (LaiS@transnet.com)
Date: Mon Sep 18 2006 - 19:20:00 ART
I hear ya.
I tested in my lab also and the additional static routes work like a charm.
By the way, I found that there is another way to accomplish successful eBGP peering without any static routes on the routers and PIX. I added loop0 and a secondary IP on the routers and permitted ICMP from outside coming inside on the PIX for testing.
#############################################
#PIX
ip address outside 195.1.145.1 255.255.255.0
ip address inside 10.60.0.1 255.255.255.0
static (inside,outside) 195.1.145.6 10.60.0.6
static (outside,inside) 10.60.0.5 195.1.145.5
static (inside,outside) 66.66.66.66 10.60.0.66
static (outside,inside) 55.55.55.55 195.1.145.55
access-list acl_outside permit icmp any any
access-group acl_outside in interface outside
#R5
int e0/0
ip address 195.1.145.5 255.255.255.0
ip address 195.1.145.55 255.255.255.0 sec
int loop0
ip address 55.55.55.55 255.255.255.0
!
router bgp 55
no synchronization
bgp router-id 55.55.55.55
network 55.55.55.0 mask 255.255.255.0
neighbor 195.1.145.6 remote-as 66
neighbor 195.1.145.6 ebgp-multihop
neighbor 195.1.145.6 route-map change-next-hop-IN in
no auto-summary
!
route-map change-next-hop-IN permit 10
set ip next-hop 195.1.145.6
!
#R6
int e0/0
ip address 10.60.0.6 255.255.255.0
ip address 10.60.0.66 255.255.255.0 sec
int loop0
ip address 66.66.66.66 255.255.255.0
!
router bgp 66
no synchronization
bgp router-id 66.66.66.66
network 66.66.66.0 mask 255.255.255.0
neighbor 10.60.0.5 remote-as 55
neighbor 10.60.0.5 ebgp-multihop
neighbor 10.60.0.5 route-map change-next-hop-IN in
no auto-summary
!
route-map change-next-hop-IN permit 10
set ip next-hop 10.60.0.5
!
#############################################
Any thoughts?
Sam
Sam Lai, CCIE CISSP
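Added example, not part of Sam's post or any Cisco tool: a small Python model of the two facts this thread turns on. It parses the PIX statics quoted above and checks that each router peers with the other's translated address (the reason the design needs no static routes: R5's neighbor 195.1.145.6 sits on R5's own connected subnet), and it encodes the 12.2/12.3 ebgp-multihop rule quoted further down that a default-only route to the peer does not count. Function names and the route lists are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt reproducing the PIX statics posted in this thread.
PIX_STATICS = """
static (inside,outside) 195.1.145.6 10.60.0.6
static (outside,inside) 10.60.0.5 195.1.145.5
static (inside,outside) 66.66.66.66 10.60.0.66
static (outside,inside) 55.55.55.55 195.1.145.55
"""

# PIX syntax: static (real_if,mapped_if) mapped_ip real_ip
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)")


def parse_statics(text):
    """Return {(real_if, mapped_if): {real_ip: mapped_ip}} from PIX static lines."""
    nat = {}
    for real_if, mapped_if, mapped_ip, real_ip in STATIC_RE.findall(text):
        nat.setdefault((real_if, mapped_if), {})[real_ip] = mapped_ip
    return nat


def as_seen_from(nat, real_if, mapped_if, real_ip):
    """Address a host on real_if presents on mapped_if, or None if no static covers it."""
    return nat.get((real_if, mapped_if), {}).get(real_ip)


def peering_addresses_consistent(nat, inside_ip, outside_ip, inside_nbr, outside_nbr):
    """Each router must peer with the *translated* address of the other.
    inside_nbr is what the inside router configures as its neighbor, and so on."""
    return (as_seen_from(nat, "inside", "outside", inside_ip) == outside_nbr
            and as_seen_from(nat, "outside", "inside", outside_ip) == inside_nbr)


def multihop_route_ok(routes, peer):
    """Rule quoted from the 12.2/12.3 guide: the session is not established
    if the only route to the multihop peer is the default route."""
    peer = ipaddress.ip_address(peer)
    matches = [n for n in map(ipaddress.ip_network, routes) if peer in n]
    if not matches:
        return False  # peer not reachable at all
    return max(n.prefixlen for n in matches) > 0  # best match must beat 0.0.0.0/0


if __name__ == "__main__":
    nat = parse_statics(PIX_STATICS)
    # R6 (inside, 10.60.0.6) peers with 10.60.0.5; R5 (outside, 195.1.145.5) peers with 195.1.145.6
    print(peering_addresses_consistent(nat, "10.60.0.6", "195.1.145.5", "10.60.0.5", "195.1.145.6"))
    # R5 reaches 195.1.145.6 through its connected 195.1.145.0/24, so no static route is needed
    print(multihop_route_ok(["0.0.0.0/0", "195.1.145.0/24"], "195.1.145.6"))
    print(multihop_route_ok(["0.0.0.0/0"], "195.1.145.6"))  # the default-only case that failed
```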
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of 2nd CCIE
Sent: Monday, September 18, 2006 12:35 PM
To: Danshtr
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: BGP through pix
You are the man!
That actually was the problem.. I just had a default route (not a specific route) to reach the eBGP multihop network. Once I put the specific route to the multihop neighbor... it worked peacefully.
NOW... why on earth is Cisco doing that? A default route is not enough??
Really sux
Danshtr <danshtr@gmail.com> wrote:
From the 12.2 and 12.3 configuration guide:
Router(config-router)# neighbor {ip-address | peer-group-name} ebgp-multihop
Allows BGP sessions, even when the neighbor is not on a directly connected segment. The multihop session is not established if the only route to the address of the multihop peer is the default route (0.0.0.0).
On 12.4 I couldn't find such a restriction.
HTH
On 9/18/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
Guys,
I have a confusion here:
R1-----------pix>>--------R2
If I configure R1 to peer with R2 and R2 to peer with R1 using the update-source loopback and the ebgp-multihop options... do I still need to allow BGP on the external ACL of the PIX?? ...Why not have R1 peer with R2 (not the other way around) without enabling anything on the PIX?
My configuration works only when I allow BGP to pass through the PIX via an ACL from outside to inside.
Is there a way to force the peering direction?
thx
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART