From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Tue Dec 12 2006 - 02:17:16 ART
Ok, I was going to drop this, but DUDE, who ARE you? I'm the ORIGINAL
poster of this thread.
"You don't think it's the way to go"?? Don't take this the wrong way, but I
don't really care which way you think is the way TO go.
My email is in response to Petr, in which he posed ANOTHER, brand new, and
independent scenario. So what if he replied to yours...can't people just
hit reply/send and not feel like they're married to the order of who
responded last? Sheesh! Read between the lines.
Petr, can you just answer my question below when you get on? Thanks.
From: Jens Petter [mailto:jenseike@start.no]
Sent: Monday, December 11, 2006 9:05 PM
To: techlist01@gmail.com; 'Petr Lapukhov'
Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
cisco@groupstudy.com
Subject: RE: BGP through PIX Question
Uhhhhhhhh. huh???... his email was a response to mine, so yes I read it..
What about if the routers are not directly connected, but 3-4 routers in
between them? Then NATting that loopback doesn't get you anywhere. You would
still need a route. You would also do that for that PIX scenario if you did
not do something like outside NAT on the PIX.
SO, I don't think that is the way to go..
I read somebody responded something about policy routing, that makes more
sense, but Petr's email said it was a twisted solution, and I would not
consider using policy routing a twisted solution..
Why don't you lab this up and test your ideas? I don't have a rack or else I
would do it.. That is the only way to find this out, I think.. Keep guessing
doesn't get you anywhere.
And I don't think that Petr should tell us the solutions, but make us find
this ourselves, by labbing..!!
Mvh
Jens Petter Eikeland
Mob 98247550
Hipercom AS
_____
From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
Sent: 12. desember 2006 05:52
To: 'Jens Petter'; 'Petr Lapukhov'
Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
cisco@groupstudy.com
Subject: RE: BGP through PIX Question
Uhhhhhhhhh. huh??
Petr's email posed another scenario. Did you read it?
I'm responding to it. It's not a "one way works for all". We're all trying
to learn different scenarios here.
And the point is, if the opposite router's loopback is translated to a
locally-relevant IP address, then you would not need a route. Either way, I
think Petr needs to respond here.
From: Jens Petter [mailto:jenseike@start.no]
Sent: Monday, December 11, 2006 8:48 PM
To: techlist01@gmail.com; 'Petr Lapukhov'
Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
cisco@groupstudy.com
Subject: RE: BGP through PIX Question
Just think of it... this problem is not there only for BGP through PIX, but
for BGP in general; you have this problem even on two routers directly
connected to each other, peering with loopbacks, with no NATting whatsoever..
I can tell you NAT has nothing to do with it,,,
Mvh
Jens Petter Eikeland
Mob 98247550
Hipercom AS
_____
From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
Sent: 12. desember 2006 05:40
To: 'Jens Petter'; 'Petr Lapukhov'
Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
cisco@groupstudy.com
Subject: RE: BGP through PIX Question
Responding to Petr's email:
There is a tricky way to initiate a multihop BGP connection WITHOUT using a
specific static route :) Try to figure it out, it's not very complex, though
definitely "twisted" :)
So, is the answer "outside NAT"?
From: Jens Petter [mailto:jenseike@start.no]
Sent: Monday, December 11, 2006 8:39 PM
To: techlist01@gmail.com; 'Petr Lapukhov'
Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
cisco@groupstudy.com
Subject: RE: BGP through PIX Question
What about it.............................
Mvh
Jens Petter Eikeland
Mob 98247550
Hipercom AS
_____
From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
Sent: 12. desember 2006 05:26
To: 'Petr Lapukhov'; Jens Petter
Cc: Kal Han; security@groupstudy.com; ccielab@groupstudy.com;
cisco@groupstudy.com
Subject: RE: BGP through PIX Question
Oh wait. Outside NAT?
From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
Lapukhov
Sent: Monday, December 11, 2006 8:18 AM
To: Jens Petter
Cc: Kal Han; Lab Rat #109385382; security@groupstudy.com;
ccielab@groupstudy.com; cisco@groupstudy.com
Subject: Re: BGP through PIX Question
There is a tricky way to initiate a multihop BGP connection WITHOUT using a
specific static route :) Try to figure it out, it's not very complex, though
definitely "twisted" :)
2006/12/11, Jens Petter <jenseike@start.no>:
Well, that is exactly what I said... But you will NOT get BGP to peer with a
default route over the PIX. You will need a static route on R1 and on the
outside routers to peer this.. You can of course also use dynamic routes, but
since this is between two BGP ASes you probably would use statics.
This is what the debug would show on R1 if you use a default route:
BGP: 2.2.2.2 open active, delay 9568ms
BGP: 2.2.2.2 multihop open delayed 19872ms (no route)
BGP: 2.2.2.2 multihop open delayed 12784ms (no route)
BGP: 3.3.3.3 open active, delay 9568ms
BGP: 3.3.3.3 multihop open delayed 19872ms (no route)
BGP: 3.3.3.3 multihop open delayed 12784ms (no route)
The session will stay in Active if you use a default route with BGP.
Here is a config; this is with two routers on the outside of the PIX peering
with the inside router.
R1
interface Loopback31
ip address 152.1.30.1 255.255.255.255
!
interface Loopback32
ip address 152.1.30.2 255.255.255.255
router bgp 1
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 2
neighbor 2.2.2.2 password CISCO
neighbor 2.2.2.2 ebgp-multihop 5
neighbor 3.3.3.3 remote-as 2
neighbor 3.3.3.3 password CISCO
neighbor 3.3.3.3 ebgp-multihop 5
no auto-summary
ip route 151.1.1.0 255.255.255.0 10.1.1.254
pix
static (inside,outside) 152.1.30.1 152.1.30.1 netmask 255.255.255.255 0 0
norandomseq
static (inside,outside) 152.1.30.2 152.1.30.2 netmask 255.255.255.255 0 0
norandomseq
R2
interface Loopback0
ip address 152.1.1.1 255.255.255.0
router bgp 2
no synchronization
bgp router-id 2.2.2.2
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 ebgp-multihop 5
neighbor 1.1.1.1 password CISCO
no auto-summary
ip route 152.1.30.0 255.255.255.0 151.1.1.254
R3
interface Loopback0
ip address 152.1.5.5 255.255.255.0
router bgp 2
no synchronization
bgp router-id 3.3.3.3
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 ebgp-multihop 5
neighbor 1.1.1.1 password CISCO
no auto-summary
ip route 152.1.30.0 255.255.255.0 151.1.1.254
Mvh
Jens Petter Eikeland
Mob 98247550
Hipercom AS
_____
From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
Lapukhov
Sent: 11. desember 2006 14:57
To: Kal Han
Cc: Jens Petter; Lab Rat #109385382; security@groupstudy.com;
ccielab@groupstudy.com; cisco@groupstudy.com
Subject: Re: BGP through PIX Question
My best loved part with BGP through PIX is something like that:
R1-----PIX------R2
Peer R1 and R2 over BGP using loopbacks as sources. Do not let R2 initiate the
connection. R1 has only the default route to the PIX in its routing table. Only
one static NAT entry for R1 is allowed on the PIX.
Oh yeah, don't forget to authenticate this session, of course :)
2006/12/10, Kal Han <calikali2006@gmail.com>:
how about just an access-list
---------deny tcp any any eq bgp
Thanks
Kal
On 12/9/06, Jens Petter <jenseike@start.no> wrote:
>
> Make things easy... To have ONLY the inside router initiate the BGP session,
> what you do is just not allow BGP through the PIX from outside.. BGP uses TCP
> for transport. If you don't allow BGP through the PIX (you only make a static
> translation for the BGP router peer on the inside on the PIX) you will force
> the inside to initiate... The PIX will allow the reply traffic from the
> outside BGP peer through since the PIX has that in its xlate table....
>
> R1----pix---r2
>
> R1
> router bgp 1
> no synchronization
> neighbor 2.2.2.2 remote-as 2
> neighbor 2.2.2.2 ebgp-multihop 2
> neighbor 2.2.2.2 password cisco
>
> On the PIX, all you need is this (use norandomseq if you are using a
> password). If you don't allow BGP from R2 through the PIX, the neighbor will
> form with R1 (inside) initiating the session.
>
> static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0
> norandomseq
>
> r2
> router bgp 2
> no synchronization
> neighbor 1.1.1.1 remote-as 1
> neighbor 1.1.1.1 ebgp-multihop 2
> neighbor 1.1.1.1 password cisco
>
> Mvh
> Jens Petter Eikeland
> Senior networking consultant
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lab
> Rat #109385382
> Sent: 9. desember 2006 06:46
> To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: BGP through PIX Question
>
> If I had a requirement to only allow a router inside of a PIX to initiate a
> BGP connection to a router outside of the PIX, what could some of the
> possibilities be?
>
> I'm trying to determine where the controls should be, as well. I know there
> are certain things a router can do to initiate a BGP session and I know that
> the PIX can control who begins what, as well...
>
> So, I'm thinking one of the following:
>
> 1. Set inside router with lower BGP router-id than the outside router
> 2. Use Policy NAT on the PIX ( e.g. nat (inside) 1 access-list XX)
>
> I guess from a lab perspective, I'm trying to determine the best
> practice...anyone have thoughts?
>
> Thanks,
>
> Ed
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART
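Added example, not from any of the posts above: why the `norandomseq` keyword on the PIX static goes together with `neighbor ... password`. The BGP password is the RFC 2385 TCP MD5 option, and that digest covers the TCP sequence number, so a firewall that rewrites the ISN of the inside-initiated session leaves the outside peer with a digest that no longer verifies. The addresses, ISN offset and key below are constructed values, and `pix_forward` is a toy model of the firewall, not PIX code.

```python
import hashlib
import struct
from ipaddress import IPv4Address

BGP_PORT = 179
TCP_SYN = 0x02

def rfc2385_digest(seg: dict, key: bytes) -> bytes:
    """RFC 2385 TCP MD5 signature: MD5 over the IPv4 pseudo-header, the fixed
    20-byte TCP header (checksum zeroed, options excluded), the payload and,
    last, the shared key. Sequence and ack numbers are inside the hash."""
    seg_len = 40 + len(seg["payload"])   # 20-byte header + 20 bytes of option space (MD5 option + padding)
    pseudo = struct.pack("!4s4sBBH", IPv4Address(seg["src_ip"]).packed,
                         IPv4Address(seg["dst_ip"]).packed, 0, 6, seg_len)
    header = struct.pack("!HHIIBBHHH", seg["sport"], seg["dport"],
                         seg["seq"] & 0xFFFFFFFF, seg["ack"] & 0xFFFFFFFF,
                         10 << 4, seg["flags"], seg["window"], 0, 0)
    return hashlib.md5(pseudo + header + seg["payload"] + key).digest()

def sign(seg: dict, key: bytes) -> dict:
    """Sender attaches the digest as the TCP MD5 option (modelled as a field)."""
    return {**seg, "md5": rfc2385_digest(seg, key)}

def pix_forward(seg: dict, isn_offset: int, randomize: bool) -> dict:
    """Toy model of the static one-to-one translation from the thread (inside
    address == global address), so addresses survive unchanged; only ISN
    randomization touches the segment. Constructed, not PIX code."""
    if not randomize:
        return dict(seg)
    return {**seg, "seq": (seg["seq"] + isn_offset) & 0xFFFFFFFF}

def peer_accepts(seg: dict, key: bytes) -> bool:
    """Receiving router recomputes the digest over the segment as it arrived."""
    return seg["md5"] == rfc2385_digest(seg, key)

def r1_opens_to_r2(randomize: bool, key_on_r2: bytes = b"cisco") -> bool:
    """R1 (inside) sends the SYN to port 179 on R2 through the PIX.
    Addresses, port, ISN and offset are constructed values."""
    syn = sign({"src_ip": "1.1.1.1", "dst_ip": "2.2.2.2", "sport": 11000,
                "dport": BGP_PORT, "seq": 0x10000000, "ack": 0,
                "flags": TCP_SYN, "window": 16384, "payload": b""}, b"cisco")
    return peer_accepts(pix_forward(syn, 0x5A5A5A5A, randomize), key_on_r2)

if __name__ == "__main__":
    print("norandomseq :", r1_opens_to_r2(randomize=False))  # True
    print("randomized  :", r1_opens_to_r2(randomize=True))   # False
```

The same mismatch appears in the return direction, where the firewall adjusts the ack number of R2's segments, so without `norandomseq` neither peer ever accepts an authenticated segment from the other.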