From: Kal Han (calikali2006@gmail.com)
Date: Tue Dec 12 2006 - 02:53:23 ART
I tried between 2 routers, 5 hops away.
No pix in between.
One router with just a default route and the
other has some routes learned through OSPF.
I enabled authentication, BGP worked fine.
I tried the same with pix in between, and it's broken
till I added a local policy to set next hop on the router
with just a default route to pix.
Thanks
Kal
On 12/11/06, Kal Han <calikali2006@gmail.com> wrote:
>
> Hi Jens
> I specifically labbed it.
> The problem comes only where there is a pix in between and authentication.
>
> Thanks
> Kal
>
> On 12/11/06, Jens Petter <jenseike@start.no> wrote:
> >
> > Problem is general... even without pix and you can have 10 routers between
> > the peers... then that would not work... it would work for this scenario
> >
> > Mvh
> > Jens Petter Eikeland
> > Mob 98247550
> > Hipercom AS
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lab Rat #109385382
> > Sent: 12 December 2006 05:26
> > To: 'Petr Lapukhov'; Jens Petter
> > Cc: Kal Han; security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> > Subject: RE: BGP through PIX Question
> >
> > Oh wait. Outside NAT?
> >
> > From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr Lapukhov
> > Sent: Monday, December 11, 2006 8:18 AM
> > To: Jens Petter
> > Cc: Kal Han; Lab Rat #109385382; security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> > Subject: Re: BGP through PIX Question
> >
> > There is a tricky way to initiate a multihop BGP connection WITHOUT using a
> > specific static route :) Try to figure it out, it's not very complex, though
> > definitely "twisted" :)
> >
> > 2006/12/11, Jens Petter <jenseike@start.no>:
> >
> > Well, that is exactly what I said... But you will NOT get BGP to peer with a
> > default route over the pix. You will need a static route on r1 and on outside
> > routers to peer this.. You can of course also use dynamic routes but since
> > this is between two bgp AS you probably would use statics
> >
> > This is what the debug would show on r1 if you use default route :
> >
> > BGP: 2.2.2.2 open active, delay 9568ms
> > BGP: 2.2.2.2 multihop open delayed 19872ms (no route)
> > BGP: 2.2.2.2 multihop open delayed 12784ms (no route)
> >
> > BGP: 3.3.3.3 open active, delay 9568ms
> > BGP: 3.3.3.3 multihop open delayed 19872ms (no route)
> > BGP: 3.3.3.3 multihop open delayed 12784ms (no route)
> >
> > The session will stay in active if you use default route with bgp.
> >
> > Here is a config, this is with two routers on outside of pix peering with
> > inside router
> >
> >
> >
> > R1
> >
> > interface Loopback31
> >  ip address 152.1.30.1 255.255.255.255
> > !
> > interface Loopback32
> >  ip address 152.1.30.2 255.255.255.255
> > !
> > router bgp 1
> >  no synchronization
> >  bgp router-id 1.1.1.1
> >  bgp log-neighbor-changes
> >  neighbor 2.2.2.2 remote-as 2
> >  neighbor 2.2.2.2 password CISCO
> >  neighbor 2.2.2.2 ebgp-multihop 5
> >  neighbor 3.3.3.3 remote-as 2
> >  neighbor 3.3.3.3 password CISCO
> >  neighbor 3.3.3.3 ebgp-multihop 5
> >  no auto-summary
> > !
> > ip route 151.1.1.0 255.255.255.0 10.1.1.254
> >
> > pix
> >
> > static (inside,outside) 152.1.30.1 152.1.30.1 netmask 255.255.255.255 0 0 norandomseq
> > static (inside,outside) 152.1.30.2 152.1.30.2 netmask 255.255.255.255 0 0 norandomseq
> >
> > R2
> >
> > interface Loopback0
> >  ip address 152.1.1.1 255.255.255.0
> > !
> > router bgp 2
> >  no synchronization
> >  bgp router-id 2.2.2.2
> >  bgp log-neighbor-changes
> >  neighbor 1.1.1.1 remote-as 1
> >  neighbor 1.1.1.1 ebgp-multihop 5
> >  neighbor 1.1.1.1 password CISCO
> >  no auto-summary
> > !
> > ip route 152.1.30.0 255.255.255.0 151.1.1.254
> >
> > R3
> >
> > interface Loopback0
> >  ip address 152.1.5.5 255.255.255.0
> > !
> > router bgp 2
> >  no synchronization
> >  bgp router-id 3.3.3.3
> >  bgp log-neighbor-changes
> >  neighbor 1.1.1.1 remote-as 1
> >  neighbor 1.1.1.1 ebgp-multihop 5
> >  neighbor 1.1.1.1 password CISCO
> >  no auto-summary
> > !
> > ip route 152.1.30.0 255.255.255.0 151.1.1.254
> >
> > Mvh
> > Jens Petter Eikeland
> > Mob 98247550
> > Hipercom AS
> >
> > _____
> >
> > From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr Lapukhov
> > Sent: 11 December 2006 14:57
> > To: Kal Han
> > Cc: Jens Petter; Lab Rat #109385382; security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> > Subject: Re: BGP through PIX Question
> >
> > My best loved part with BGP through PIX is something like that:
> >
> > R1-----PIX------R2
> >
> > Peer R1 and R2 over BGP using loopback as sources. Do not let R2 initiate the
> > connection. R1 has only the default route to PIX in its routing table. Only
> > one static NAT entry for R1 is allowed on PIX.
> >
> > Oh yeah, don't forget to authenticate this session, of course :)
> >
> > 2006/12/10, Kal Han <calikali2006@gmail.com>:
> >
> > how about just an access-list
> > ---------deny tcp any any eq bgp
> >
> > Thanks
> > Kal
> >
> >
> > On 12/9/06, Jens Petter <jenseike@start.no> wrote:
> > >
> > > Make things easy... To have ONLY the inside router initiate the BGP session,
> > > what you do is just not allow bgp through the pix from outside.. BGP uses TCP
> > > for transport. If you don't allow bgp through pix (you only make a static
> > > translation for the bgp router peer on the inside on pix) you will force the
> > > inside to initiate... Pix will allow the reply traffic from outside BGP peer
> > > through since pix has that in its xlate table....
> > >
> > > R1----pix---r2
> > >
> > > R1
> > > router bgp 1
> > > no synchronization
> > > neighbor 2.2.2.2 remote-as 2
> > > neighbor 2.2.2.2 ebgp-multihop 2
> > > neighbor 2.2.2.2 password cisco
> > >
> > > On pix, all you need is this : (use norandomseq if you are using password).
> > > If you don't allow bgp from r2 through pix the neighbor will form with r1
> > > (inside) initiating the session.
> > >
> > > static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0
> > > norandomseq
> > >
> > > r2
> > > router bgp 2
> > > no synchronization
> > > neighbor 1.1.1.1 remote-as 1
> > > neighbor 1.1.1.1 ebgp-multihop 2
> > > neighbor 1.1.1.1 password cisco
> > >
> > > Mvh
> > > Jens Petter Eikeland
> > > Senior networking consultant
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lab Rat #109385382
> > > Sent: 9 December 2006 06:46
> > > To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> > > Subject: BGP through PIX Question
> > >
> > > If I had a requirement to only allow a router inside of a PIX initiate a BGP
> > > connection to a router outside of the PIX, what could some of the
> > > possibilities be?
> > >
> > > I'm trying to determine where the controls should be, as well. I know there
> > > are certain things a router can do to initiate a BGP session and I know that
> > > the PIX can control who begins what, as well...
> > >
> > > So, I'm thinking one of the following:
> > >
> > > 1. Set inside router with lower BGP router-id than the outside router
> > > 2. Use Policy NAT on the PIX ( e.g. nat (inside) 1 access-list XX)
> > >
> > > I guess from a lab perspective, I'm trying to determine the best
> > > practice...anyone have thoughts?
> > >
> > > Thanks,
> > >
> > > Ed
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> > --
> > Petr Lapukhov, CCIE #16379
> > petr@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com <http://www.internetworkexpert.com/>
> > Toll Free: 877-224-8987
> > Outside US: 775-826-4344
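Why the PIX statics in this thread need norandomseq, as an added example that is not part of any message above: a minimal RFC 2385 TCP MD5 signature check in Python. The receiving peer recomputes the digest over the IP addresses, the base TCP header (sequence number included, options excluded) and the payload, so a PIX that rewrites the initial sequence number invalidates every signed segment and the session never comes up, while an identity static that leaves the addresses alone is harmless. Addresses, ports, the payload and the ISN offset are constructed values.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Segment:
    """TCP fields RFC 2385 feeds into the signature (constructed, not captured)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes
    hdr_len: int = 40  # 20-byte base header + 20 bytes of options (MD5 option 19, padded)


def tcp_md5_digest(s: Segment, password: bytes) -> bytes:
    """RFC 2385: MD5 over pseudo-header, base TCP header (checksum 0, no options), data, key."""
    tcp_len = s.hdr_len + len(s.payload)
    pseudo = socket.inet_aton(s.src) + socket.inet_aton(s.dst) + struct.pack("!BBH", 0, 6, tcp_len)
    doff = (s.hdr_len // 4) << 4  # data offset in 32-bit words, high nibble of the byte
    base_hdr = struct.pack("!HHIIBBHHH", s.sport, s.dport, s.seq, s.ack, doff, s.flags, s.window, 0, 0)
    return hashlib.md5(pseudo + base_hdr + s.payload + password).digest()


def receiver_accepts(s: Segment, option_digest: bytes, password: bytes) -> bool:
    """The peer recomputes the digest over what it received; a mismatch is silently dropped."""
    return hmac.compare_digest(tcp_md5_digest(s, password), option_digest)


def pix_forward(s: Segment, randomize_isn: bool, isn_offset: int = 0x5A5A5A5A) -> Segment:
    """Identity static NAT keeps the addresses; without norandomseq the PIX also shifts the
    sequence number, and it cannot regenerate the MD5 option because it has no key."""
    if not randomize_isn:
        return s
    return replace(s, seq=(s.seq + isn_offset) & 0xFFFFFFFF)


# Constructed sample: R1 (152.1.30.1) opens the session to R2 (2.2.2.2), password CISCO as in the thread.
PASSWORD = b"CISCO"
FLAG_SYN = 0x02
R1_SYN = Segment("152.1.30.1", "2.2.2.2", 40001, 179, seq=0x1234ABCD, ack=0, flags=FLAG_SYN, window=16384, payload=b"")


def session_survives_pix(randomize_isn: bool) -> bool:
    """True if R2 accepts R1's signed SYN after it has crossed the PIX."""
    signed = tcp_md5_digest(R1_SYN, PASSWORD)     # R1 signs with the real sequence number
    arrived = pix_forward(R1_SYN, randomize_isn)  # PIX forwards; the option bytes are unchanged
    return receiver_accepts(arrived, signed, PASSWORD)
```

With ISN randomization on, R2 drops the SYN without any response, which is why the inside router sits in Active with nothing useful in the PIX logs; norandomseq on the static is the fix the thread arrives at.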
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART