From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Mon Dec 11 2006 - 10:56:47 ART
My best loved part of BGP through PIX is something like this:
R1-----PIX------R2
Peer R1 and R2 over BGP using loopbacks as sources. Do not let R2 initiate the
connection. R1 has only the default route to PIX in its routing table. Only
one static NAT entry for R1 is allowed on PIX.
Oh yeah, don't forget to authenticate this session, of course :)
2006/12/10, Kal Han <calikali2006@gmail.com>:
>
> how about just an access-list
> ---------deny tcp any any eq bgp
>
> Thanks
> Kal
>
>
> On 12/9/06, Jens Petter <jenseike@start.no> wrote:
> >
> > Make things easy... To have ONLY the inside router initiate the BGP
> > session, what you do is just not allow BGP through the PIX from outside.
> > BGP uses TCP for transport. If you don't allow BGP through the PIX (you
> > only make a static translation for the BGP router peer on the inside on
> > the PIX) you will force the inside to initiate... The PIX will allow the
> > reply traffic from the outside BGP peer through since the PIX has that
> > in its xlate table....
> >
> > R1----pix---r2
> >
> > R1
> > router bgp 1
> > no synchronization
> > neighbor 2.2.2.2 remote-as 2
> > neighbor 2.2.2.2 ebgp-multihop 2
> > neighbor 2.2.2.2 password cisco
> >
> > On the PIX, all you need is this (use norandomseq if you are using a
> > password). If you don't allow BGP from R2 through the PIX, the neighbor
> > will form with R1 (inside) initiating the session.
> >
> > static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0 norandomseq
> >
> > r2
> > router bgp 2
> > no synchronization
> > neighbor 1.1.1.1 remote-as 1
> > neighbor 1.1.1.1 ebgp-multihop 2
> > neighbor 1.1.1.1 password cisco
> >
> > Best regards
> > Jens Petter Eikeland
> > Senior networking consultant
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Lab Rat #109385382
> > Sent: 9 December 2006 06:46
> > To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> > Subject: BGP through PIX Question
> >
> > If I had a requirement to only allow a router inside of a PIX to initiate
> > a BGP connection to a router outside of the PIX, what could some of the
> > possibilities be?
> >
> > I'm trying to determine where the controls should be, as well. I know
> > there are certain things a router can do to initiate a BGP session and I
> > know that the PIX can control who begins what, as well...
> >
> > So, I'm thinking one of the following:
> >
> > 1. Set inside router with lower BGP router-id than the outside router
> > 2. Use Policy NAT on the PIX (e.g. nat (inside) 1 access-list XX)
> >
> > I guess from a lab perspective, I'm trying to determine the best
> > practice...anyone have thoughts?
> >
> > Thanks,
> >
> > Ed
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
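The following is an added illustration, not code from any poster in this thread: a small Python model of the design the replies converge on (identity static for R1 on the PIX, no ACL permitting BGP from the outside, MD5 on the session) that shows two things at once. First, an outside-initiated SYN to port 179 has no conn entry and is dropped, while the SYN-ACK to an inside-initiated session is passed. Second, why Jens's `norandomseq` matters: the RFC 2385 TCP MD5 digest covers the sequence and acknowledgement numbers, so a firewall that shifts the inside host's ISN invalidates the signature in both directions and the session never forms. The firewall model, the constant standing in for the random ISN offset, the port numbers and ISNs are all constructed for the example; the addresses and the key `cisco` are taken from the quoted configurations.

```python
"""Toy model: R1 (inside, 1.1.1.1) peers with R2 (outside, 2.2.2.2) through a
PIX-like stateful firewall. Constructed example; ports, ISNs and the offset
are illustrative values."""
import dataclasses
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

BGP_PORT = 179
KEY = b"cisco"  # the 'neighbor ... password cisco' key from the quoted configs
R1, R2 = "1.1.1.1", "2.2.2.2"  # loopbacks from the quoted configs


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str  # subset of "FSRPA"
    data: bytes = b""
    md5: Optional[bytes] = None  # TCP option 19 digest (RFC 2385)


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_md5_digest(seg: Segment, key: bytes, opt_len: int = 20) -> bytes:
    """RFC 2385 digest: MD5(pseudo-header || fixed TCP header with checksum 0
    || data || key). Options are excluded, but seq and ack are covered, which
    is why a middlebox that rewrites them breaks the signature."""
    hlen = 20 + opt_len  # fixed header plus the (padded) MD5 option
    pseudo = _ip(seg.src) + _ip(seg.dst) + struct.pack("!BBH", 0, 6, hlen + len(seg.data))
    bits = sum({"F": 1, "S": 2, "R": 4, "P": 8, "A": 16}[c] for c in seg.flags)
    offset_flags = ((hlen // 4) << 12) | bits
    header = struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         offset_flags, 65535, 0, 0)
    return hashlib.md5(pseudo + header + seg.data + key).digest()


class PixModel:
    """Simplified stateful firewall (not the real PIX code): outbound SYNs from
    the inside host create a conn entry; inbound segments pass only if they
    match one. Without 'norandomseq' the inside host's sequence numbers are
    shifted on the way out and the peer's ack numbers shifted back on the way
    in; a constant stands in for the random ISN offset."""

    def __init__(self, randomize_seq: bool = True) -> None:
        self.randomize_seq = randomize_seq
        self.conns = set()  # (inside_ip, inside_port, outside_ip, outside_port)
        self.offset = 0x5A5A0000  # constructed stand-in for the random offset

    def forward(self, seg: Segment, inbound: bool) -> Optional[Segment]:
        """Return the segment as seen on the far interface, or None if dropped."""
        if not inbound:
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.flags == "S":
                self.conns.add(key)  # inside-initiated: build the conn
            elif key not in self.conns:
                return None
            out = dataclasses.replace(seg)
            if self.randomize_seq:
                out.seq = (seg.seq + self.offset) & 0xFFFFFFFF
            return out
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        if key not in self.conns:
            return None  # no conn and no ACL permitting BGP from outside: dropped
        out = dataclasses.replace(seg)
        if self.randomize_seq:
            out.ack = (seg.ack - self.offset) & 0xFFFFFFFF
        return out


def outside_initiated_blocked() -> bool:
    """R2 tries to open the BGP session first: its SYN matches no conn entry."""
    pix = PixModel()
    syn = Segment(R2, R1, 40000, BGP_PORT, seq=5000, ack=0, flags="S")
    return pix.forward(syn, inbound=True) is None


def inside_initiated_session(randomize_seq: bool) -> Tuple[bool, bool]:
    """R1 opens the session. Returns (R2 accepts the SYN's MD5, R1 accepts the
    SYN-ACK's MD5); both are False when the PIX rewrites sequence numbers."""
    pix = PixModel(randomize_seq)
    syn = Segment(R1, R2, 40000, BGP_PORT, seq=1000, ack=0, flags="S")
    syn.md5 = tcp_md5_digest(syn, KEY)
    wire_syn = pix.forward(syn, inbound=False)
    r2_accepts = wire_syn.md5 == tcp_md5_digest(wire_syn, KEY)
    synack = Segment(R2, R1, BGP_PORT, 40000, seq=5000, ack=wire_syn.seq + 1, flags="SA")
    synack.md5 = tcp_md5_digest(synack, KEY)
    wire_synack = pix.forward(synack, inbound=True)
    r1_accepts = wire_synack is not None and wire_synack.md5 == tcp_md5_digest(wire_synack, KEY)
    return r2_accepts, r1_accepts


if __name__ == "__main__":
    print("outside-initiated SYN dropped:", outside_initiated_blocked())
    print("with ISN randomization (R2 ok, R1 ok):", inside_initiated_session(True))
    print("with norandomseq (R2 ok, R1 ok):", inside_initiated_session(False))
```

Running the block prints that the outside-initiated SYN is dropped, that with ISN randomization neither router accepts the other's signed segment, and that with `norandomseq` both checks pass. The practical reading is the same as the thread's: the static alone does not open an inbound path, so the inside router is the only possible initiator, and MD5 authentication then protects the session only if the firewall leaves the sequence numbers it signs untouched.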
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART