RE: BGP through PIX Question

From: Jens Petter (jenseike@start.no)
Date: Sat Dec 09 2006 - 05:56:51 ART


Make things easy... To have ONLY the inside router initiate the BGP session,
what you do is just not allow BGP through the PIX from outside. BGP uses TCP
for transport. If you don't allow BGP through the PIX (you only make a static
translation for the BGP router peer on the inside on the PIX) you will force the
inside to initiate... The PIX will allow the reply traffic from the outside BGP peer
through since the PIX has that in its xlate table....

R1----pix---r2

R1
router bgp 1
 no synchronization
 neighbor 2.2.2.2 remote-as 2
 neighbor 2.2.2.2 ebgp-multihop 2
 neighbor 2.2.2.2 password cisco

On the PIX, all you need is this (use norandomseq if you are using password).
If you don't allow BGP from r2 through the PIX the neighbor will form with r1
(inside) initiating the session.

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0 norandomseq

r2
router bgp 2
 no synchronization
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 password cisco

Best regards,
Jens Petter Eikeland
Senior networking consultant
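To make the reply's point concrete, here is an added example (not from the thread or any Cisco code) that models the PIX conn/xlate logic described above: a static translation for the inside peer 1.1.1.1, no ACL permitting TCP/179 from outside, and reply traffic matched against the connection table. Interface names, port numbers and the Pix/Packet classes are assumptions made for the model.

```python
"""Constructed model of a stateful firewall with a static xlate but no
inbound permit for BGP (TCP/179). Addresses follow the thread:
R1 = 1.1.1.1 (inside), R2 = 2.2.2.2 (outside)."""
from dataclasses import dataclass, field

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "inside"  # interface the packet arrives on (assumed names)


@dataclass
class Pix:
    # static (inside,outside) 1.1.1.1 1.1.1.1: the address is reachable from
    # outside, but outside-initiated traffic still needs an ACL permit.
    statics: set = field(default_factory=lambda: {"1.1.1.1"})
    inbound_acl: set = field(default_factory=set)  # (dst, dport) permitted from outside
    conns: set = field(default_factory=set)        # known 4-tuples (conn table)

    def forward(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return True  # reply or follow-on traffic of an existing connection
        if p.iface == "inside":
            self.conns.add(fwd)  # inside initiates: conn entry is created
            return True
        # outside-initiated: needs both the static xlate and an ACL permit
        if p.dst in self.statics and (p.dst, p.dport) in self.inbound_acl:
            self.conns.add(fwd)
            return True
        return False


def r2_initiates(pix: Pix) -> bool:
    """R2 sends a SYN to R1's BGP port from outside."""
    return pix.forward(Packet("2.2.2.2", 40000, "1.1.1.1", BGP_PORT, iface="outside"))


def r1_initiates(pix: Pix) -> list:
    """R1 sends a SYN from inside; R2's SYN-ACK comes back from outside."""
    syn = Packet("1.1.1.1", 50000, "2.2.2.2", BGP_PORT, iface="inside")
    synack = Packet("2.2.2.2", BGP_PORT, "1.1.1.1", 50000, iface="outside")
    return [pix.forward(syn), pix.forward(synack)]
```

With an empty inbound ACL only R1 can open the session; adding a permit for ("1.1.1.1", 179) is what would let R2 initiate instead.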

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lab Rat #109385382
Sent: 9 December 2006 06:46
To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
Subject: BGP through PIX Question

If I had a requirement to only allow a router inside of a PIX to initiate a BGP
connection to a router outside of the PIX, what could some of the
possibilities be?

I'm trying to determine where the controls should be, as well. I know there
are certain things a router can do to initiate a BGP session and I know that
the PIX can control who begins what, as well...

So, I'm thinking one of the following:

1. Set inside router with lower BGP router-id than the outside router
2. Use Policy NAT on the PIX (e.g. nat (inside) 1 access-list XX)

I guess from a lab perspective, I'm trying to determine the best
practice...anyone have thoughts?

Thanks,

Ed



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART