RE: BGP through PIX Question

From: Jens Petter (jenseike@start.no)
Date: Tue Dec 12 2006 - 01:41:17 ART


Instead of guessing, try labbing it up and see what is working or not...
This is not a guessing game

 
Best regards
Jens Petter Eikeland
Mob 98247550
Hipercom AS
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ross Filipek
Sent: 12 December 2006 00:19
To: Petr Lapukhov
Cc: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
Subject: Re: BGP through PIX Question

Local policy route that sets the next hop toward the peer?

Ross Filipek
PGP Key: http://wwwkeys.eu.pgp.net

On Dec 11, 2006, at 11:17 AM, Petr Lapukhov wrote:

> There is a tricky way to initiate a multihop BGP connection WITHOUT
> using a specific static route :) Try to figure it out, it's not very
> complex, though definitely "twisted" :)
>
> 2006/12/11, Jens Petter <jenseike@start.no>:
>>
>> Well, that is exactly what I said... But you will NOT get BGP to
>> peer with a default route over the pix. You will need a static route
>> on r1 and on the outside routers to peer this.. You can of course also
>> use dynamic routes but since this is between two bgp AS you probably
>> would use statics
>>
>> This is what the debug would show on r1 if you use a default route:
>>
>> BGP: 2.2.2.2 open active, delay 9568ms
>> BGP: 2.2.2.2 multihop open delayed 19872ms (no route)
>> BGP: 2.2.2.2 multihop open delayed 12784ms (no route)
>>
>> BGP: 3.3.3.3 open active, delay 9568ms
>> BGP: 3.3.3.3 multihop open delayed 19872ms (no route)
>> BGP: 3.3.3.3 multihop open delayed 12784ms (no route)
>>
>> The session will stay in Active if you use a default route with bgp.
>>
>> Here is a config, this is with two routers on the outside of the pix
>> peering with the inside router
>>
>> R1
>>
>> interface Loopback31
>>  ip address 152.1.30.1 255.255.255.255
>> !
>> interface Loopback32
>>  ip address 152.1.30.2 255.255.255.255
>>
>> router bgp 1
>>  no synchronization
>>  bgp router-id 1.1.1.1
>>  bgp log-neighbor-changes
>>  neighbor 2.2.2.2 remote-as 2
>>  neighbor 2.2.2.2 password CISCO
>>  neighbor 2.2.2.2 ebgp-multihop 5
>>  neighbor 3.3.3.3 remote-as 2
>>  neighbor 3.3.3.3 password CISCO
>>  neighbor 3.3.3.3 ebgp-multihop 5
>>  no auto-summary
>>
>> ip route 151.1.1.0 255.255.255.0 10.1.1.254
>>
>> pix
>>
>> static (inside,outside) 152.1.30.1 152.1.30.1 netmask 255.255.255.255 0 0 norandomseq
>> static (inside,outside) 152.1.30.2 152.1.30.2 netmask 255.255.255.255 0 0 norandomseq
>>
>> R2
>>
>> interface Loopback0
>>  ip address 152.1.1.1 255.255.255.0
>>
>> router bgp 2
>>  no synchronization
>>  bgp router-id 2.2.2.2
>>  bgp log-neighbor-changes
>>  neighbor 1.1.1.1 remote-as 1
>>  neighbor 1.1.1.1 ebgp-multihop 5
>>  neighbor 1.1.1.1 password CISCO
>>  no auto-summary
>>
>> ip route 152.1.30.0 255.255.255.0 151.1.1.254
>>
>> R3
>>
>> interface Loopback0
>>  ip address 152.1.5.5 255.255.255.0
>>
>> router bgp 2
>>  no synchronization
>>  bgp router-id 3.3.3.3
>>  bgp log-neighbor-changes
>>  neighbor 1.1.1.1 remote-as 1
>>  neighbor 1.1.1.1 ebgp-multihop 5
>>  neighbor 1.1.1.1 password CISCO
>>  no auto-summary
>>
>> ip route 152.1.30.0 255.255.255.0 151.1.1.254
>>
>>
>>
>>
>>
>>
>>
>>
>> Best regards
>>
>> Jens Petter Eikeland
>>
>> Mob 98247550
>> Hipercom AS
>>
>> _____
>>
>> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr Lapukhov
>> Sent: 11 December 2006 14:57
>> To: Kal Han
>> Cc: Jens Petter; Lab Rat #109385382; security@groupstudy.com;
>> ccielab@groupstudy.com; cisco@groupstudy.com
>> Subject: Re: BGP through PIX Question
>>
>>
>>
>> My best loved part with BGP through PIX is something like that:
>>
>> R1-----PIX------R2
>>
>> Peer R1 and R2 over BGP using loopbacks as sources. Do not let R2
>> initiate the connection. R1 has only the default route to PIX in its
>> routing table. Only one static NAT entry for R1 is allowed on PIX.
>>
>> Oh yeah, don't forget to authenticate this session, of course :)
>>
>> 2006/12/10, Kal Han <calikali2006@gmail.com>:
>>
>> how about just an access-list
>> ---------deny tcp any any eq bgp
>>
>> Thanks
>> Kal
>>
>>
>> On 12/9/06, Jens Petter <jenseike@start.no> wrote:
>>>
>>> Make things easy... To have ONLY the inside router initiate the BGP
>>> session, what you do is just not allow bgp through the pix from
>>> outside.. BGP uses TCP for transport. If you don't allow bgp through
>>> pix (you only make a static translation for the bgp router peer on
>>> the inside on pix) you will force the inside to initiate... Pix will
>>> allow the reply traffic from the outside BGP peer through since pix
>>> has that in its xlate table....
>>>
>>> R1----pix---r2
>>>
>>> R1
>>> router bgp 1
>>> no synchronization
>>> neighbor 2.2.2.2 remote-as 2
>>> neighbor 2.2.2.2 ebgp-multihop 2
>>> neighbor 2.2.2.2 password cisco
>>>
>>> On pix, all you need is this (use norandomseq if you are using a
>>> password). If you don't allow bgp from r2 through pix the neighbor
>>> will form with r1 (inside) initiating the session.
>>>
>>> static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0 norandomseq
>>>
>>> r2
>>> router bgp 2
>>> no synchronization
>>> neighbor 1.1.1.1 remote-as 1
>>> neighbor 1.1.1.1 ebgp-multihop 2
>>> neighbor 1.1.1.1 password cisco
>>>
>>> Best regards
>>> Jens Petter Eikeland
>>> Senior networking consultant
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Lab Rat #109385382
>>> Sent: 9 December 2006 06:46
>>> To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
>>> Subject: BGP through PIX Question
>>>
>>> If I had a requirement to only allow a router inside of a PIX to
>>> initiate a BGP connection to a router outside of the PIX, what could
>>> some of the possibilities be?
>>>
>>> I'm trying to determine where the controls should be, as well. I know
>>> there are certain things a router can do to initiate a BGP session
>>> and I know that the PIX can control who begins what, as well...
>>>
>>> So, I'm thinking one of the following:
>>>
>>> 1. Set inside router with lower BGP router-id than the outside router
>>> 2. Use Policy NAT on the PIX (e.g. nat (inside) 1 access-list XX)
>>>
>>> I guess from a lab perspective, I'm trying to determine the best
>>> practice...anyone have thoughts?
>>>
>>> Thanks,
>>>
>>> Ed
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>> --
>> Petr Lapukhov, CCIE #16379
>> petr@internetworkexpert.com
>>
>> Internetwork Expert, Inc.
>> http://www.InternetworkExpert.com
>> Toll Free: 877-224-8987
>> Outside US: 775-826-4344
>>
>>
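As an added example (not code from any poster in this thread), a small Python audit that reads an IOS BGP stanza and the PIX static lines and flags the two failure modes the thread walks through: a multihop peer known only through the default route (the "open delayed (no route)" debug above) and an MD5-authenticated peer whose static lacks norandomseq. The configs inside it are constructed after Jens's R1 and PIX snippets; the local source address is passed in as a parameter, which is an assumption because the constructed R1 stanza carries no update-source line.

```python
"""Audit an IOS BGP stanza against PIX statics for the two failures the thread describes:
a multihop peer known only via the default route, and an MD5 peer whose static lacks
norandomseq (the PIX rewrites the sequence numbers the TCP MD5 signature covers)."""
import ipaddress
import re

ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) \S+")
NEI_RE = re.compile(r"^\s*neighbor (\S+) (remote-as|password|ebgp-multihop) (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) \S+ (\S+) netmask \S+(.*)$")

# Constructed configs modelled on the thread's R1 and PIX snippets: R1 sources both
# sessions from 152.1.30.1 and has a route more specific than default only for 2.2.2.2.
R1_CONFIG = """\
router bgp 1
 neighbor 2.2.2.2 remote-as 2
 neighbor 2.2.2.2 password CISCO
 neighbor 2.2.2.2 ebgp-multihop 5
 neighbor 3.3.3.3 remote-as 2
 neighbor 3.3.3.3 password CISCO
 neighbor 3.3.3.3 ebgp-multihop 5
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip route 2.2.2.2 255.255.255.255 10.1.1.254
"""
PIX_CONFIG = "static (inside,outside) 152.1.30.1 152.1.30.1 netmask 255.255.255.255 0 0\n"

def parse_router(cfg):
    """Return ([networks], {peer: {attribute: value}}) from the relevant IOS lines."""
    routes, neighbors = [], {}
    for line in cfg.splitlines():
        if m := ROUTE_RE.match(line):
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := NEI_RE.match(line):
            neighbors.setdefault(m[1], {})[m[2]] = m[3]
    return routes, neighbors

def audit(router_cfg, pix_cfg, local_addr):
    """local_addr: the inside address R1 sources BGP from (the one the PIX translates)."""
    routes, neighbors = parse_router(router_cfg)
    statics = {m[1]: "norandomseq" in m[2]          # inside address -> norandomseq set?
               for m in map(STATIC_RE.match, pix_cfg.splitlines()) if m}
    findings = []
    for peer, attrs in neighbors.items():
        ip = ipaddress.ip_address(peer)
        # The thread's debug: a peer covered only by 0.0.0.0/0 stays "open delayed (no route)".
        if "ebgp-multihop" in attrs and not any(ip in r and r.prefixlen for r in routes):
            findings.append(f"{peer}: only the default route, open delayed (no route)")
        if "password" in attrs and local_addr not in statics:
            findings.append(f"{peer}: no PIX static for {local_addr}, outside replies dropped")
        elif "password" in attrs and not statics[local_addr]:
            findings.append(f"{peer}: static for {local_addr} lacks norandomseq, MD5 will fail")
    return findings
```

Running `audit(R1_CONFIG, PIX_CONFIG, "152.1.30.1")` reports three findings for the constructed input; adding a host route for 3.3.3.3 and norandomseq on the static clears them all.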



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART