Re: getting MD5 BGP to work through ASA 7.2

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Fri Jan 26 2007 - 06:20:36 ART


Check your inspection policy, with 7.x you need to permit TCP option 19
explicitly, like this:

<quote>

class-map BGP-MD5-CLASSMAP
  match port tcp eq 179
tcp-map BGP-MD5
  tcp-options range 19 19 allow
policy-map global_policy
  class BGP-MD5-CLASSMAP
    set connection advanced-options BGP-MD5
service-policy global_policy global

</quote>

2007/1/26, gwendel@gregw.biz <gwendel@gregw.biz>:
>
> One other thing,
>
> I looked at one of my production firewalls and the only other thing I
> could see different is that mine have the permit bgp in both directions of
> the acl.
>
> here is a config of an active firewall with active bgp neighbors:
> static (INSIDE,OUTSIDE) 192.1.1.8 192.1.1.8 netmask 255.255.255.255 norandomseq
>
> access-list in extended permit tcp object-group BGP object-group BGP eq
> bgp
> access-list out extended permit tcp object-group BGP object-group BGP eq
> bgp
>
> Hope this helps.
> Greg
>
> > yes, I can ping. If I remove "neighbor password" my neighbors come up. I
> > can telnet to port 179. Yes, here's the configuration:
> >
> > BLUE:
> > router bgp 1
> > neighbor 192.168.0.1 remote-as 4
> > neighbor 192.168.0.1 password cisco
> > neighbor 192.168.0.1 ebgp-multihop 100
> >
> > RED:
> > router bgp 4
> > neighbor 200.200.200.1 remote-as 1
> > neighbor 200.200.200.1 password cisco
> > neighbor 200.200.200.1 ebgp-multihop 100
> >
> > ASA in the middle:
> > static (inside,outside) 192.168.0.1 192.168.0.1 netmask 255.255.255.255 norandomseq
> > nat (inside) 0 0.0.0.0 0.0.0.0
> > !
> > access-list OUTSIDE_IN extended permit ip any any
> > access-group OUTSIDE_IN in interface outside
> >
> >
> >
> > gwendel@gregw.biz wrote:
> > Couple of questions:
> > Can you ping each peer from the other?
> > Can you telnet to port 179?
> > Can you post a sanitized configuration?
> > Can you try permit tcp any any eq bgp on both interfaces?
> >
> > I can get you an example of a working config if you need one.
> >
> >
> >> I actually tried that, and it still doesn't work.
> >>
> >> gwendel@gregw.biz wrote: You need to use the norandomseq keyword on the
> >> PIX/ASA.
> >>
> >>> Hi, I'm trying to set up a BGP neighbor with an MD5 password through an ASA firewall,
> >>> and it is failing for me.
> >>>
> >>> BLUE#
> >>> 16:44:20: %TCP-6-BADAUTH: No MD5 digest from 192.168.0.1(54052) to
> >>> 200.200.200.1(179)
> >>>
> >>> am I doing something wrong?
> >>>
> >>> It works well without MD5, and it works if I remove the ASA firewall and add
> >>> the MD5 password. I'm going nuts here!!
> >>>
> >>> Thanks
> >>> Reddy
> >>>
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
>

-- 
Petr Lapukhov, CCIE #16379 (R&S/Security)
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com
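To confirm that the ASA is really dropping option 19 rather than something else failing, capture the same BGP SYN on the inside and outside interfaces and check each copy for the option. The TCP option parser below is an added example, not code from this thread; the segments it builds are constructed samples with a placeholder digest, and the "stripped" sample mimics a normalizer that overwrites the option with NOPs.

```python
import struct

TCP_MD5_SIGNATURE = 19   # RFC 2385 option kind: length 18, 16-byte digest
OPT_EOL, OPT_NOP = 0, 1

def tcp_options(segment: bytes):
    """Return [(kind, data)] for the options of a raw TCP segment (header at byte 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option kind %d without length" % kind)
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts.append((kind, segment[i + 2:i + length]))
        i += length
    return opts

def has_md5_signature(segment: bytes) -> bool:
    """True if the segment carries a well-formed TCP MD5 signature option (kind 19)."""
    return any(k == TCP_MD5_SIGNATURE and len(d) == 16 for k, d in tcp_options(segment))

def md5_option_stripped(inside: bytes, outside: bytes) -> bool:
    """Compare the same SYN captured on the ASA inside and outside interfaces."""
    return has_md5_signature(inside) and not has_md5_signature(outside)

def build_bgp_syn(with_md5: bool) -> bytes:
    """Constructed sample: SYN to port 179 with MSS + option 19, or with option 19
    overwritten by NOPs (what a normalizer that clears the option would leave)."""
    digest = bytes(range(16))                 # placeholder, not a real RFC 2385 digest
    opts = b"\x02\x04\x05\xb4"                # MSS 1460
    opts += (b"\x13\x12" + digest) if with_md5 else b"\x01" * 18
    opts += b"\x01\x01"                       # pad to a 32-bit boundary
    hdr = struct.pack("!HHIIBBHHH", 54052, 179, 1000, 0,
                      (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0)
    return hdr + opts
```

Feed real captures (e.g. the TCP layer of a SYN from a packet capture on each interface) to md5_option_stripped; a True result means the firewall removed the signature and the tcp-map above is the fix.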



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART