Re: BGP through PIX Question

From: Kal Han (calikali2006@gmail.com)
Date: Tue Dec 12 2006 - 02:27:35 ART


Hi
I am not using anything special here, but it's working for me.
It's working when there is a pix in between and without it.
The only thing I have when there is a pix is

inside outside
[R1]------[PIX]-------[R3]

R1 is peering with R3's physical interface.
R3 is peering with R1's NATed IP.

and everything works fine in this setup.

The most important thing from Petr's question
is with pix and authentication enabled. Then things
are different. Without "pix + authentication", I mean
between routers with no routes other than default route
and authentication enabled, it works fine.
Problem is only when there is a pix in between and
authentication is enabled.

Yes, the policy routing idea sounds good. :)

Here I don't have any kind of route to the neighbor:

router bgp 1
 no synchronization
 bgp router-id 11.11.11.11
 bgp log-neighbor-changes
 network 100.1.1.0 mask 255.255.255.0
 neighbor 195.1.123.3 remote-as 356
 neighbor 195.1.123.3 ebgp-multihop 255
 no auto-summary

R1(config-if)#do sroute
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.16.2.10 to network 0.0.0.0

     100.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
B 100.6.6.0/24 [20/0] via 195.1.123.3, 04:54:11
B 100.5.5.0/24 [20/0] via 195.1.123.3, 04:54:11
B 100.4.4.0/24 [20/0] via 195.1.123.2, 04:54:11
B 100.3.3.0/24 [20/0] via 195.1.123.3, 04:54:11
C 100.1.1.0/24 is directly connected, Loopback100
B 100.4.204.0/22 [20/0] via 195.1.123.3, 04:54:11
B 100.4.205.0/24 [20/0] via 195.1.123.2, 04:54:11
     55.0.0.0/32 is subnetted, 1 subnets
B 55.55.55.55 [20/65] via 195.1.123.3, 04:54:12
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
R 172.16.20.0/24 [120/1] via 172.16.1.20, 00:00:08, Ethernet1/1
R 172.16.22.0/23 [120/1] via 172.16.1.20, 00:00:08, Ethernet1/1
C 172.16.1.0/24 is directly connected, Ethernet1/1
C 172.16.2.0/24 is directly connected, Ethernet1/0
     11.0.0.0/24 is subnetted, 1 subnets
C 11.11.11.0 is directly connected, Loopback0
R* 0.0.0.0/0 [120/1] via 172.16.2.10, 00:00:23, Ethernet1/0
R1(config-if)#

I also tried with just routers and bgp authentication.
It worked fine.

Kal
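Added here as an illustration, not part of Kal's post or of the thread: a Python checker that parses `show ip route` text in the layout above, does the same longest-prefix match the RIB does, and reports whether an ebgp-multihop neighbor is covered by a specific route or only by the gateway of last resort, which is the condition the "multihop open delayed ... (no route)" debug lines later in this thread turn on. The table it parses is a constructed excerpt, not Kal's full output.

```python
import ipaddress
import re

# Constructed sample in the layout of IOS "show ip route" output (an excerpt,
# not the full table from the post); the RIP default is the gateway of last resort.
SHOW_IP_ROUTE = """\
Gateway of last resort is 172.16.2.10 to network 0.0.0.0
B    100.6.6.0/24 [20/0] via 195.1.123.3, 04:54:11
C    100.1.1.0/24 is directly connected, Loopback100
C    172.16.2.0/24 is directly connected, Ethernet1/0
R*   0.0.0.0/0 [120/1] via 172.16.2.10, 00:00:23, Ethernet1/0
"""

# A route line starts with the route code in column 1, then prefix/length.
ROUTE_RE = re.compile(r"^(?P<code>\S+)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$")


def parse_routes(text):
    """Return (network, next hop or interface, code) for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:                      # header lines and subnet summaries are skipped
            continue
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        via = re.search(r"via (\d+(?:\.\d+){3})", m.group("rest"))
        conn = re.search(r"directly connected, (\S+)", m.group("rest"))
        nexthop = via.group(1) if via else (conn.group(1) if conn else None)
        routes.append((net, nexthop, m.group("code")))
    return routes


def lookup(routes, address):
    """Longest-prefix match, as the RIB does; None when nothing matches."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def multihop_peer_reachability(routes, neighbor):
    """Classify how an ebgp-multihop neighbor address would be reached."""
    route = lookup(routes, neighbor)
    if route is None:
        return "no route"
    if route[0].prefixlen == 0:        # only 0.0.0.0/0 covers the neighbor
        return "default route only"
    return f"specific route {route[0]} via {route[1]}"


if __name__ == "__main__":
    rib = parse_routes(SHOW_IP_ROUTE)
    for peer in ("195.1.123.3", "100.6.6.1"):
        print(peer, "->", multihop_peer_reachability(rib, peer))
```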

On 12/11/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:
>
> Uhhhhhhhhh  huh??
>
>
>
> Petr's email posed another scenario. Did you read it?
>
>
>
> I'm responding to it... it's not a "one way works for all". We're all trying
> to learn different scenarios here.
>
>
>
> And the point is, if the opposite routers' loopback is translated to a
> locally-relevant IP address, then you would not need a route... either way,
> I think Petr needs to respond here.
>
>
>
>
>
> From: Jens Petter [mailto:jenseike@start.no]
> Sent: Monday, December 11, 2006 8:48 PM
> To: techlist01@gmail.com; 'Petr Lapukhov'
> Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
> cisco@groupstudy.com
> Subject: RE: BGP through PIX Question
>
>
>
> Just think of it... this problem is not there only for bgp through pix, but
> for bgp in general, you have this problem even on two routers directly
> connected to each other, peering with loopbacks with no natting whatsoever..
>
>
>
> I can tell you nat has nothing to do with it...
>
>
>
>
>
> Mvh
>
> Jens Petter Eikeland
>
> Mob 98247550
> Hipercom AS
> ------------------------------
>
> From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
> Sent: 12. desember 2006 05:40
> To: 'Jens Petter'; 'Petr Lapukhov'
> Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
> cisco@groupstudy.com
> Subject: RE: BGP through PIX Question
>
>
>
> Responding to Petr's email:
>
> There is a tricky way to initiate multihop BGP connection WITHOUT using a
> specific static route :) Try to figure it out, it's not very complex, though
> definitely "twisted" :)
>
> So, is the answer "outside NAT"?
>
>
>
>
>
> From: Jens Petter [mailto:jenseike@start.no]
> Sent: Monday, December 11, 2006 8:39 PM
> To: techlist01@gmail.com; 'Petr Lapukhov'
> Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
> cisco@groupstudy.com
> Subject: RE: BGP through PIX Question
>
>
>
> What about it..
>
>
>
>
>
> Mvh
>
> Jens Petter Eikeland
>
> Mob 98247550
> Hipercom AS
> ------------------------------
>
> From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
> Sent: 12. desember 2006 05:26
> To: 'Petr Lapukhov'; Jens Petter
> Cc: Kal Han; security@groupstudy.com; ccielab@groupstudy.com;
> cisco@groupstudy.com
> Subject: RE: BGP through PIX Question
>
>
>
> Oh wait... Outside NAT?
>
>
>
>
>
> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
> Lapukhov
> Sent: Monday, December 11, 2006 8:18 AM
> To: Jens Petter
> Cc: Kal Han; Lab Rat #109385382; security@groupstudy.com;
> ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: Re: BGP through PIX Question
>
>
>
> There is a tricky way to initiate multihop BGP connection WITHOUT using a
> specific static route :) Try to figure it out, it's not very complex, though
> definitely "twisted" :)
>
> 2006/12/11, Jens Petter <jenseike@start.no >:
>
> Well, that is exactly what I said... But you will NOT get BGP to peer with
> a default route over the pix. You will need a static route on r1 and on
> outside routers to peer this.. You can of course also use dynamic routes
> but since this is between two bgp AS you probably would use statics.
>
>
>
> This is what the debug would show on r1 if you use default route :
>
>
>
> BGP: 2.2.2.2 open active, delay 9568ms
>
> BGP: 2.2.2.2 multihop open delayed 19872ms (no route)
>
> BGP: 2.2.2.2 multihop open delayed 12784ms (no route)
>
>
>
> BGP: 3.3.3.3 open active, delay 9568ms
>
> BGP: 3.3.3.3 multihop open delayed 19872ms (no route)
>
> BGP: 3.3.3.3 multihop open delayed 12784ms (no route)
>
>
>
> The session will stay in active if you use default route with bgp.
>
>
>
>
>
> Here is a config, this is with two routers on outside of pix peering with
> inside router
>
> R1
>
> interface Loopback31
>  ip address 152.1.30.1 255.255.255.255
> !
> interface Loopback32
>  ip address 152.1.30.2 255.255.255.255
>
> router bgp 1
>  no synchronization
>  bgp router-id 1.1.1.1
>  bgp log-neighbor-changes
>  neighbor 2.2.2.2 remote-as 2
>  neighbor 2.2.2.2 password CISCO
>  neighbor 2.2.2.2 ebgp-multihop 5
>  neighbor 3.3.3.3 remote-as 2
>  neighbor 3.3.3.3 password CISCO
>  neighbor 3.3.3.3 ebgp-multihop 5
>  no auto-summary
>
> ip route 151.1.1.0 255.255.255.0 10.1.1.254
>
> pix
>
> static (inside,outside) 152.1.30.1 152.1.30.1 netmask 255.255.255.255 0 0 norandomseq
> static (inside,outside) 152.1.30.2 152.1.30.2 netmask 255.255.255.255 0 0 norandomseq
>
> R2
>
> interface Loopback0
>  ip address 152.1.1.1 255.255.255.0
>
> router bgp 2
>  no synchronization
>  bgp router-id 2.2.2.2
>  bgp log-neighbor-changes
>  neighbor 1.1.1.1 remote-as 1
>  neighbor 1.1.1.1 ebgp-multihop 5
>  neighbor 1.1.1.1 password CISCO
>  no auto-summary
>
> ip route 152.1.30.0 255.255.255.0 151.1.1.254
>
> R3
>
> interface Loopback0
>  ip address 152.1.5.5 255.255.255.0
>
> router bgp 2
>  no synchronization
>  bgp router-id 3.3.3.3
>  bgp log-neighbor-changes
>  neighbor 1.1.1.1 remote-as 1
>  neighbor 1.1.1.1 ebgp-multihop 5
>  neighbor 1.1.1.1 password CISCO
>  no auto-summary
>
> ip route 152.1.30.0 255.255.255.0 151.1.1.254
>
> Mvh
>
> Jens Petter Eikeland
>
> Mob 98247550
> Hipercom AS
>
> _____
>
> From: petrsoft@gmail.com [mailto: petrsoft@gmail.com] On Behalf Of Petr
> Lapukhov
> Sent: 11. desember 2006 14:57
> To: Kal Han
> Cc: Jens Petter; Lab Rat #109385382; security@groupstudy.com;
> ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: Re: BGP through PIX Question
>
>
>
> My best loved part with BGP through PIX is something like that:
>
> R1-----PIX------R2
>
> Peer R1 and R2 over BGP using loopback as sources. Do not let R2 initiate
> the connection. R1 has only the default route to PIX in its routing table.
> Only one static NAT entry for R1 is allowed on PIX.
>
> Oh yeah, don't forget to authenticate this session, of course :)
>
> 2006/12/10, Kal Han <calikali2006@gmail.com>:
>
> how about just an access-list
> ---------deny tcp any any eq bgp
>
> Thanks
> Kal
>
>
> On 12/9/06, Jens Petter <jenseike@start.no> wrote:
> >
> > Make things easy... To have ONLY the inside router initiate the BGP
> > session, what you do is just not allow bgp through the pix from outside..
> > BGP uses TCP for transport. If you don't allow bgp through pix (you only
> > make a static translation for the bgp router peer on the inside on pix)
> > you will force the inside to initiate... Pix will allow the reply traffic
> > from outside BGP peer through since pix has that in its xlate table....
> >
> > R1----pix---r2
> >
> > R1
> > router bgp 1
> > no synchronization
> > neighbor 2.2.2.2 remote-as 2
> > neighbor 2.2.2.2 ebgp-multihop 2
> > neighbor 2.2.2.2 password cisco
> >
> > On pix, all you need is this: (use norandomseq if you are using
> > password). If you don't allow bgp from r2 through pix the neighbor will
> > form with r1 (inside) initiating the session.
> >
> > static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0
> > norandomseq
> >
> > r2
> > router bgp 2
> > no synchronization
> > neighbor 1.1.1.1 remote-as 1
> > neighbor 1.1.1.1 ebgp-multihop 2
> > neighbor 1.1.1.1 password cisco
> >
> > Mvh
> > Jens Petter Eikeland
> > Senior networking consultant
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Lab Rat #109385382
> > Sent: 9. desember 2006 06:46
> > To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> > Subject: BGP through PIX Question
> >
> > If I had a requirement to only allow a router inside of a PIX to initiate
> > a BGP connection to a router outside of the PIX, what could some of the
> > possibilities be?
> >
> > I'm trying to determine where the controls should be, as well. I know
> > there are certain things a router can do to initiate a BGP session and I
> > know that the PIX can control who begins what, as well...
> >
> > So, I'm thinking one of the following:
> >
> > 1. Set inside router with lower BGP router-id than the outside router
> > 2. Use Policy NAT on the PIX ( e.g. nat (inside) 1 access-list XX)
> >
> > I guess from a lab perspective, I'm trying to determine the best
> > practice... anyone have thoughts?
> >
> > Thanks,
> >
> > Ed
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com <http://www.internetworkexpert.com/>
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART