From: Kal Han (calikali2006@gmail.com)
Date: Tue Dec 12 2006 - 02:43:05 ART
Ok the policy-routing thingy works fine.
R1#sh run | be bgp
router bgp 1
no synchronization
bgp router-id 11.11.11.11
bgp log-neighbor-changes
network 100.1.1.0 mask 255.255.255.0
neighbor 195.1.123.3 remote-as 356
neighbor 195.1.123.3 ebgp-multihop 255
neighbor 195.1.123.3 password cciesec
no auto-summary
!
ip local policy route-map local
route-map local permit 10
match ip address 173
set ip next-hop 172.16.2.10 <--- pix inside interface.
R1#sroute
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.16.2.10 to network 0.0.0.0
100.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
B 100.6.6.0/24 [20/0] via 195.1.123.3, 00:02:22
B 100.5.5.0/24 [20/0] via 195.1.123.3, 00:02:22
B 100.4.4.0/24 [20/0] via 195.1.123.3, 00:02:22
B 100.3.3.0/24 [20/0] via 195.1.123.3, 00:02:22
C 100.1.1.0/24 is directly connected, Loopback100
B 100.4.204.0/22 [20/0] via 195.1.123.3, 00:02:22
B 100.4.205.0/24 [20/0] via 195.1.123.3, 00:02:22
55.0.0.0/32 is subnetted, 1 subnets
B 55.55.55.55 [20/65] via 195.1.123.3, 00:02:23
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
R 172.16.20.0/24 [120/1] via 172.16.1.20, 00:00:22, Ethernet1/1
R 172.16.22.0/23 [120/1] via 172.16.1.20, 00:00:22, Ethernet1/1
C 172.16.1.0/24 is directly connected, Ethernet1/1
C 172.16.2.0/24 is directly connected, Ethernet1/0
11.0.0.0/24 is subnetted, 1 subnets
C 11.11.11.0 is directly connected, Loopback0
R* 0.0.0.0/0 [120/1] via 172.16.2.10, 00:00:06, Ethernet1/0
Thanks
Kal
On 12/11/06, Jens Petter <jenseike@start.no> wrote:
>
> Please send me your whole config... this should not work if you are using
> a default route on r1 if you haven't done anything special
>
> http://cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093fb8.shtml
>
> Mvh
>
> Jens Petter Eikeland
>
> Mob 98247550
> Hipercom AS
> ------------------------------
>
> From: Kal Han [mailto:calikali2006@gmail.com]
> Sent: 12. desember 2006 06:28
> To: techlist01@gmail.com
> Cc: Jens Petter; Petr Lapukhov; security@groupstudy.com;
> ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: Re: BGP through PIX Question
>
>
>
> Hi
>
> I am not using anything special here.. but it's working for me.
>
> It's working when there is a pix in between and without it.
>
> the only thing I have when there is a pix is
>
>
>
> inside outside
>
> [R1]------[PIX]-------[R3]
>
>
>
> R1 is peering with R3's physical interface.
>
> R3 is peering with R1's NATed IP.
>
>
>
> and everything works fine in this setup.
>
>
>
> The most important thing from Petr's question
>
> is with pix and authentication enabled. Then things
>
> are different. Without "pix + authentication", I mean
>
> between routers with no routes other than default route
>
> and authentication enabled, it works fine.
>
> Problem is only when there is a pix in between and
>
> authentication is enabled.
>
>
>
> Yes, the policy routing idea sounds good. :)
>
>
>
> Here I don't have any kind of route to the neighbor
>
>
>
> router bgp 1
> no synchronization
> bgp router-id 11.11.11.11
> bgp log-neighbor-changes
> network 100.1.1.0 mask 255.255.255.0
> neighbor 195.1.123.3 remote-as 356
> neighbor 195.1.123.3 ebgp-multihop 255
> no auto-summary
>
>
>
> R1(config-if)#do sroute
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2
> i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> * - candidate default, U - per-user static route, o - ODR
> P - periodic downloaded static route
>
> Gateway of last resort is 172.16.2.10 to network 0.0.0.0
>
> 100.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
> B 100.6.6.0/24 [20/0] via 195.1.123.3, 04:54:11
> B 100.5.5.0/24 [20/0] via 195.1.123.3, 04:54:11
> B 100.4.4.0/24 [20/0] via 195.1.123.2 , 04:54:11
> B 100.3.3.0/24 [20/0] via 195.1.123.3, 04:54:11
> C 100.1.1.0/24 is directly connected, Loopback100
> B 100.4.204.0/22 [20/0] via 195.1.123.3, 04:54:11
> B 100.4.205.0/24 [20/0] via 195.1.123.2, 04:54:11
> 55.0.0.0/32 is subnetted, 1 subnets
> B 55.55.55.55 [20/65] via 195.1.123.3, 04:54:12
> 172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
> R 172.16.20.0/24 [120/1] via 172.16.1.20, 00:00:08, Ethernet1/1
> R 172.16.22.0/23 [120/1] via 172.16.1.20, 00:00:08, Ethernet1/1
> C 172.16.1.0/24 is directly connected, Ethernet1/1
> C 172.16.2.0/24 is directly connected, Ethernet1/0
> 11.0.0.0/24 is subnetted, 1 subnets
> C 11.11.11.0 is directly connected, Loopback0
> R* 0.0.0.0/0 [120/1] via 172.16.2.10, 00:00:23, Ethernet1/0
> R1(config-if)#
>
>
>
> I also tried with just routers and bgp authentication.
>
> It worked fine.
>
>
>
> Kal
>
>
>
>
>
>
>
>
>
> On 12/11/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:
>
> Uhhhhhhhhh huh??
>
>
>
> Petr's email posed another scenario. Did you read it?
>
>
>
> I'm responding to it. It's not a "one way works for all". We're all trying
> to learn different scenarios here
>
>
>
> And the point is, if the opposite routers' loopback is translated to a
> locally-relevant IP address, then you would not need a route. Either way, I
> think Petr needs to respond here.
>
>
>
>
>
> From: Jens Petter [mailto:jenseike@start.no]
> Sent: Monday, December 11, 2006 8:48 PM
> To: techlist01@gmail.com; 'Petr Lapukhov'
> Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
> cisco@groupstudy.com
> Subject: RE: BGP through PIX Question
>
>
>
> Just think of it... this problem is not there only for bgp through pix, but
> for bgp
> in general, you have this problem even on two routers directly connected
> to each other, peering with loopbacks with no natting what so ever..
>
>
>
> I can tell you nat has nothing to do with it...
>
>
>
>
>
> Mvh
>
> Jens Petter Eikeland
>
> Mob 98247550
> Hipercom AS
> ------------------------------
>
> From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
> Sent: 12. desember 2006 05:40
> To: 'Jens Petter'; 'Petr Lapukhov'
> Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
> cisco@groupstudy.com
> Subject: RE: BGP through PIX Question
>
>
>
> Responding to Petr's email:
>
> There is a tricky way to initiate multihop BGP connection WITHOUT using a
> specific
> static route :) Try to figure it out, it's not very complex, though
> definitely "twisted" :)
>
> So, is the answer "outside NAT"?
>
>
>
>
>
> From: Jens Petter [mailto:jenseike@start.no]
> Sent: Monday, December 11, 2006 8:39 PM
> To: techlist01@gmail.com; 'Petr Lapukhov'
> Cc: 'Kal Han'; security@groupstudy.com; ccielab@groupstudy.com;
> cisco@groupstudy.com
> Subject: RE: BGP through PIX Question
>
>
>
> What about it..
>
>
>
>
>
> Mvh
>
> Jens Petter Eikeland
>
> Mob 98247550
> Hipercom AS
> ------------------------------
>
> From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
> Sent: 12. desember 2006 05:26
> To: 'Petr Lapukhov'; Jens Petter
> Cc: Kal Han; security@groupstudy.com; ccielab@groupstudy.com;
> cisco@groupstudy.com
> Subject: RE: BGP through PIX Question
>
>
>
> Oh wait. Outside NAT?
>
>
>
>
>
> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
> Lapukhov
> Sent: Monday, December 11, 2006 8:18 AM
> To: Jens Petter
> Cc: Kal Han; Lab Rat #109385382; security@groupstudy.com;
> ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: Re: BGP through PIX Question
>
>
>
> There is a tricky way to initiate multihop BGP connection WITHOUT using a
> specific
> static route :) Try to figure it out, it's not very complex, though
> definitely "twisted" :)
>
> 2006/12/11, Jens Petter <jenseike@start.no>:
>
> Well, that is exactly what I said... But you will NOT get BGP to peer with
> a default route over the pix. You will need
> a static route on r1 and on outside routers to peer this.. You can of
> course also use dynamic routes but since this is between
> two bgp AS you probably would use statics
>
>
>
> This is what the debug would show on r1 if you use default route :
>
>
>
> BGP: 2.2.2.2 open active, delay 9568ms
> BGP: 2.2.2.2 multihop open delayed 19872ms (no route)
> BGP: 2.2.2.2 multihop open delayed 12784ms (no route)
>
> BGP: 3.3.3.3 open active, delay 9568ms
> BGP: 3.3.3.3 multihop open delayed 19872ms (no route)
> BGP: 3.3.3.3 multihop open delayed 12784ms (no route)
>
>
>
> The session will stay in active if you use default route with bgp.
>
>
>
>
>
> Here is a config, this is with two routers on outside of pix peering with
> inside router
>
>
>
> R1
>
> interface Loopback31
> ip address 152.1.30.1 255.255.255.255
> !
> interface Loopback32
> ip address 152.1.30.2 255.255.255.255
>
> router bgp 1
> no synchronization
> bgp router-id 1.1.1.1
> bgp log-neighbor-changes
> neighbor 2.2.2.2 remote-as 2
> neighbor 2.2.2.2 password CISCO
> neighbor 2.2.2.2 ebgp-multihop 5
> neighbor 3.3.3.3 remote-as 2
> neighbor 3.3.3.3 password CISCO
> neighbor 3.3.3.3 ebgp-multihop 5
> no auto-summary
>
> ip route 151.1.1.0 255.255.255.0 10.1.1.254
>
> pix
>
> static (inside,outside) 152.1.30.1 152.1.30.1 netmask 255.255.255.255 0 0 norandomseq
> static (inside,outside) 152.1.30.2 152.1.30.2 netmask 255.255.255.255 0 0 norandomseq
>
> R2
>
> interface Loopback0
> ip address 152.1.1.1 255.255.255.0
>
> router bgp 2
> no synchronization
> bgp router-id 2.2.2.2
> bgp log-neighbor-changes
> neighbor 1.1.1.1 remote-as 1
> neighbor 1.1.1.1 ebgp-multihop 5
> neighbor 1.1.1.1 password CISCO
> no auto-summary
>
> ip route 152.1.30.0 255.255.255.0 151.1.1.254
>
> R3
>
> interface Loopback0
> ip address 152.1.5.5 255.255.255.0
>
> router bgp 2
> no synchronization
> bgp router-id 3.3.3.3
> bgp log-neighbor-changes
> neighbor 1.1.1.1 remote-as 1
> neighbor 1.1.1.1 ebgp-multihop 5
> neighbor 1.1.1.1 password CISCO
> no auto-summary
>
> ip route 152.1.30.0 255.255.255.0 151.1.1.254
>
>
>
>
>
>
>
> Mvh
>
> Jens Petter Eikeland
>
> Mob 98247550
> Hipercom AS
>
> _____
>
> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
> Lapukhov
> Sent: 11. desember 2006 14:57
> To: Kal Han
> Cc: Jens Petter; Lab Rat #109385382; security@groupstudy.com;
> ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: Re: BGP through PIX Question
>
>
>
> My best loved part with BGP through PIX is something like that:
>
> R1-----PIX------R2
>
> Peer R1 and R2 over BGP using loopback as sources. Do not let R2 initiate
> the connection. R1 has only the default route to PIX in its routing table.
> Only one static NAT entry for R1 is allowed on PIX.
>
> Oh yeah, don't forget to authenticate this session, of course :)
>
> 2006/12/10, Kal Han <calikali2006@gmail.com>:
>
> how about just an access-list
> ---------deny tcp any any eq bgp
>
> Thanks
> Kal
>
>
> On 12/9/06, Jens Petter <jenseike@start.no> wrote:
> >
> > Make things easy... To have ONLY the inside router initiate the BGP
> > session,
> > what you do is just not allow bgp through the pix from outside.. BGP uses
> > TCP
> > for transport. If you don't allow bgp through pix ( you only make a
> > static
> > translation for the bgp router peer on the inside on pix) you will force
> > the
> > inside to initiate... Pix will allow the reply traffic from outside BGP
> > peer
> > through since pix has that in its xlate table....
> >
> > R1----pix---r2
> >
> > R1
> > router bgp 1
> > no synchronization
> > neighbor 2.2.2.2 remote-as 2
> > neighbor 2.2.2.2 ebgp-multihop 2
> > neighbor 2.2.2.2 password cisco
> >
> > On pix, all you need is this : (use norandomseq if you are using
> > password).
> > If you don't allow bgp from r2 trough pix the neighbor will form with r1
> > (inside) initiating
> > the session.
> >
> > static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0
> > norandomseq
> >
> > r2
> > router bgp 2
> > no synchronization
> > neighbor 1.1.1.1 remote-as 1
> > neighbor 1.1.1.1 ebgp-multihop 2
> > neighbor 1.1.1.1 password cisco
> >
> > Mvh
> > Jens Petter Eikeland
> > Senior networking consultant
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Lab Rat #109385382
> > Sent: 9. desember 2006 06:46
> > To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> > Subject: BGP through PIX Question
> >
> > If I had a requirement to only allow a router inside of a PIX initiate a
> > BGP
> > connection to a router outside of the PIX, what could some of the
> > possibilities be?
> >
> > I'm trying to determine where the controls should be, as well. I know
> > there
> > are certain things a router can do to initiate a BGP session and I know
> > that
> > the PIX can control who begins what, as well...
> >
> > So, I'm thinking one of the following:
> >
> > 1. Set inside router with lower BGP router-id than the outside router
> > 2. Use Policy NAT on the PIX ( e.g. nat (inside) 1 access-list XX)
> >
> > I guess from a lab perspective, I'm trying to determine the best
> > practice...anyone have thoughts?
> >
> > Thanks,
> >
> > Ed
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
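The failure mode the thread keeps circling (a BGP `password` plus a PIX in the path, fixed with `norandomseq` and an identity static), as an added example that is not code from any post in the thread: a small model of the RFC 2385 TCP MD5 signature that the `password` command enables. The digest covers the source and destination addresses and the TCP sequence number, so a PIX that randomizes the initial sequence number or translates the address changes what the peer hashes, the signature check fails, and the session never forms. Addresses, ports, the sequence number and the delta are constructed values.

```python
import hashlib
import socket
import struct

TCP_PROTO = 6
MD5_OPT_LEN = 20  # 18-byte MD5 option + 2 bytes of padding on the wire


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags,
                   window, payload, key):
    """RFC 2385 signature: MD5 over the IPv4 pseudo-header, the fixed
    20-byte TCP header with checksum zeroed (option bytes excluded),
    the payload, then the shared password, in that order."""
    seg_len = 20 + MD5_OPT_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + b"\x00" + bytes([TCP_PROTO]) + struct.pack("!H", seg_len))
    data_offset = (20 + MD5_OPT_LEN) // 4   # header length in 32-bit words
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | flags, window, 0, 0)
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def pix_rewrite(segment, seq_delta=0, new_src=None):
    """Model the PIX in the path: ISN randomization shifts the sequence
    number by a per-connection delta, and a static that maps the inside
    host to a different address rewrites the source IP (constructed)."""
    seg = dict(segment)
    seg["seq"] = (seg["seq"] + seq_delta) & 0xFFFFFFFF
    if new_src is not None:
        seg["src_ip"] = new_src
    return seg


def receiver_accepts(segment, digest, key):
    # The peer recomputes the signature over the segment as it received it.
    return tcp_md5_digest(**segment, key=key) == digest


def demo():
    key = b"cisco"  # 'neighbor 2.2.2.2 password cisco' from the thread
    # Constructed SYN from R1's loopback to R2's loopback, BGP port 179.
    syn = dict(src_ip="1.1.1.1", dst_ip="2.2.2.2", sport=11000, dport=179,
               seq=0x1A2B3C4D, ack=0, flags=0x002, window=16384, payload=b"")
    signed = tcp_md5_digest(**syn, key=key)  # R1 signs before sending
    untouched = pix_rewrite(syn)                       # identity static, norandomseq
    randomized = pix_rewrite(syn, seq_delta=0x5EED)    # default ISN randomization
    translated = pix_rewrite(syn, new_src="10.9.9.1")  # static to another address
    return {
        "norandomseq": receiver_accepts(untouched, signed, key),
        "randomized": receiver_accepts(randomized, signed, key),
        "translated": receiver_accepts(translated, signed, key),
    }
```

Only the untouched segment verifies, which is why the thread's working configs pair `password` with an identity `static ... norandomseq`.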
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART