Re: BGP through PIX Question

From: Marcus Lasarko (mlasarko@co.ba.md.us)
Date: Sat Dec 09 2006 - 03:38:17 ART


I do see your point about the router ID.
(To prefer the route from the BGP router with the lowest routerID)
That may not have occurred to me :)

The NAT is pretty straightforward, but you'll likely want to use a password so just watch if you are using md5 auth, "norandomseq". Note: Only useful on your inside translation IIRC.

Maybe something odd on the router-sides like "check-ispa-route"

Confirmation of permanent routes between hosts (statics, obviously, don't leave it up to something learned dynamically IMO).

Possibly defining source interfaces and other neighbor features depending on the topology.

Remembering that the lab is not about "best practice", it just requires a lot of practice :)

Wondering if there is anything *special* about IPv6 through a PIX/ASA/FWSM now... ~M

>>> "Lab Rat #109385382" <techlist01@gmail.com> 12/09/06 12:46 AM >>>
If I had a requirement to only allow a router inside of a PIX initiate a BGP
connection to a router outside of the PIX, what could some of the
possibilities be?

I'm trying to determine where the controls should be, as well. I know there
are certain things a router can do to initiate a BGP session and I know that
the PIX can control who begins what, as well...

So, I'm thinking one of the following:

1. Set inside router with lower BGP router-id than the outside router
2. Use Policy NAT on the PIX (e.g. nat (inside) 1 access-list XX)

I guess from a lab perspective, I'm trying to determine the best
practice...anyone have thoughts?

Thanks,

Ed
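Added example (not part of the thread, and not Cisco code): a small Python model of why the "norandomseq" keyword on the static matters when the BGP neighbors use TCP MD5 authentication. RFC 2385 computes the digest over the pseudo-header, the TCP header (including the sequence number) and the shared key, so a firewall that rewrites sequence numbers breaks every signed segment. It assumes an identity static (the address is unchanged across the PIX, since a rewritten address would break the pseudo-header as well); all addresses, ports, sequence numbers and the key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179


def tcp_md5_signature(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                      payload, key, data_offset=10):
    """RFC 2385 signature: MD5 over the IPv4 pseudo-header, the fixed TCP header
    (checksum zeroed, options excluded), the segment data and the shared key.
    data_offset=10 assumes a 40-byte header (20 fixed + 20 for the MD5 option)."""
    seg_len = data_offset * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          data_offset << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()


def pix_translate_seq(seq, norandomseq, offset):
    """Model of the sequence-number handling on a static translation: with
    'norandomseq' the number passes unchanged, otherwise a per-connection offset
    is added. The firewall cannot re-sign the segment: it does not hold the key."""
    return seq if norandomseq else (seq + offset) & 0xFFFFFFFF


def bgp_session_survives(norandomseq):
    """The inside router signs a BGP KEEPALIVE; the outside peer recomputes the
    digest over the segment it actually receives. True if the peer accepts it."""
    # Constructed sample values; identity static, so only the sequence number
    # can differ between what was signed and what the peer sees.
    inside, outside, sport = "10.1.1.1", "192.0.2.1", 11000
    key = b"bgp-lab-secret"                                # constructed password
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # marker, length, type
    seq, ack, flags, window = 0x1000, 0x2000, 0x18, 16384  # PSH|ACK
    sig = tcp_md5_signature(inside, outside, sport, BGP_PORT, seq, ack,
                            flags, window, keepalive, key)
    seq_seen = pix_translate_seq(seq, norandomseq, offset=0x5A5A5A5A)
    expected = tcp_md5_signature(inside, outside, sport, BGP_PORT, seq_seen,
                                 ack, flags, window, keepalive, key)
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    print("with norandomseq:", bgp_session_survives(True))     # True
    print("with randomization:", bgp_session_survives(False))  # False
```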



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART