From: Kal Han (calikali2006@gmail.com)
Date: Sat Dec 09 2006 - 19:51:56 ART
how about just an access-list
---------deny tcp any any eq bgp
Thanks
Kal
On 12/9/06, Jens Petter <jenseike@start.no> wrote:
>
> Make things easy... To have ONLY the inside router initiate the BGP session, what you do is just not allow BGP through the PIX from outside. BGP uses TCP for transport. If you don't allow BGP through the PIX (you only make a static translation for the BGP router peer on the inside on the PIX) you will force the inside to initiate... The PIX will allow the reply traffic from the outside BGP peer through since the PIX has that in its xlate table....
>
> R1----pix---r2
>
> R1
> router bgp 1
> no synchronization
> neighbor 2.2.2.2 remote-as 2
> neighbor 2.2.2.2 ebgp-multihop 2
> neighbor 2.2.2.2 password cisco
>
> On the PIX, all you need is this (use norandomseq if you are using a password). If you don't allow BGP from r2 through the PIX, the neighbor will form with r1 (inside) initiating the session.
>
> static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0 norandomseq
>
> r2
> router bgp 2
> no synchronization
> neighbor 1.1.1.1 remote-as 1
> neighbor 1.1.1.1 ebgp-multihop 2
> neighbor 1.1.1.1 password cisco
>
> Best regards
> Jens Petter Eikeland
> Senior networking consultant
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lab Rat #109385382
> Sent: 9 December 2006 06:46
> To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: BGP through PIX Question
>
> If I had a requirement to only allow a router inside of a PIX to initiate a BGP connection to a router outside of the PIX, what could some of the possibilities be?
>
> I'm trying to determine where the controls should be, as well. I know there are certain things a router can do to initiate a BGP session and I know that the PIX can control who begins what, as well...
>
> So, I'm thinking one of the following:
>
> 1. Set inside router with lower BGP router-id than the outside router
> 2. Use Policy NAT on the PIX (e.g. nat (inside) 1 access-list XX)
>
> I guess from a lab perspective, I'm trying to determine the best
> practice...anyone have thoughts?
>
> Thanks,
>
> Ed
>
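As an added example (not posted by anyone in the thread), here is how the static from Jens's reply and the explicit deny from Kal's reply fit together as one PIX configuration; the ACL name OUTSIDE_IN and the interface name outside are assumed.

```cisco
! Added example, not from the thread: PIX fragment that lets only R1
! (inside, 1.1.1.1) open the BGP session to R2 (outside, 2.2.2.2).
! ACL name OUTSIDE_IN and interface name "outside" are assumptions.
!
! 1) One-to-one static for the inside peer with TCP sequence number
!    randomization off. The BGP MD5 password (RFC 2385) signs the TCP
!    header, sequence numbers included, so PIX randomization would
!    break the signature on every segment.
static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0 norandomseq
!
! 2) Inbound policy on the outside interface. Without a permit line for
!    TCP/179 the implicit deny already blocks R2 from initiating; the
!    explicit deny makes the intent visible and gives a hit counter in
!    "show access-list" to confirm that R2 is not trying to connect.
!    Any other inbound permits the lab needs go after this line.
access-list OUTSIDE_IN deny tcp any host 1.1.1.1 eq bgp
access-group OUTSIDE_IN in interface outside
!
! 3) Nothing is needed outbound: inside-to-outside is permitted by
!    default, and R1's SYN to 2.2.2.2:179 creates the connection entry
!    that lets R2's replies back through.
!
! Note on the router-id idea from the original question: the BGP
! identifier only decides which of two colliding connections survives
! (RFC 4271, 6.8); both peers still attempt the TCP connect, so it
! does not enforce direction the way the firewall policy above does.
```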
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART