Re: getting MD5 BGP to work through ASA 7.2

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Fri Jan 26 2007 - 06:22:31 ART


Also, check this guide for more details

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html

HTH

-- 
Petr Lapukhov, CCIE #16379 (R&S/Security)
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com

2007/1/26, gwendel@gregw.biz <gwendel@gregw.biz>:
>
> One other thing,
>
> I looked at one of my production firewalls and the only other thing I
> could see different is that mine have the permit bgp in both directions of
> the acl.
>
> here is a config of an active firewall with active bgp neighbors:
> static (INSIDE,OUTSIDE) 192.1.1.8 192.1.1.8 netmask 255.255.255.255 norandomseq
>
> access-list in extended permit tcp object-group BGP object-group BGP eq bgp
> access-list out extended permit tcp object-group BGP object-group BGP eq bgp
>
> Hope this helps.
> Greg
>
> > yes, I can ping. If I remove "neighbor password" my neighbors come up. I
> > can telnet to port 179. Yes, here's the configuration:
> >
> > BLUE:
> > router bgp 1
> > neighbor 192.168.0.1 remote-as 4
> > neighbor 192.168.0.1 password cisco
> > neighbor 192.168.0.1 ebgp-multihop 100
> >
> > RED:
> > router bgp 4
> > neighbor 200.200.200.1 remote-as 1
> > neighbor 200.200.200.1 password cisco
> > neighbor 200.200.200.1 ebgp-multihop 100
> >
> > ASA in the middle:
> > static (inside,outside) 192.168.0.1 192.168.0.1 netmask 255.255.255.255 norandomseq
> > nat (inside) 0 0.0.0.0 0.0.0.0
> > !
> > access-list OUTSIDE_IN extended permit ip any any
> > access-group OUTSIDE_IN in interface outside
> >
> > gwendel@gregw.biz wrote:
> > couple of questions:
> > can you ping each peer from each other?
> > can you telnet to port 179?
> > can you post a sanitized configuration?
> > can you try permit tcp any any eq bgp on both interfaces?
> >
> > I can get you an example of a working config if you need one.
> >
> >> i actually tried that, and it still doesn't work
> >>
> >> gwendel@gregw.biz wrote: You need to use the norandomseq keyword on the
> >> pix/asa.
> >>
> >>> Hi, I'm trying to set up a BGP neighbor with MD5 password through an ASA firewall,
> >>> and it's failing for me.
> >>>
> >>> BLUE#
> >>> 16:44:20: %TCP-6-BADAUTH: No MD5 digest from 192.168.0.1(54052) to
> >>> 200.200.200.1(179)
> >>>
> >>> am I doing something wrong?
> >>>
> >>> It works fine without MD5 and it works if I remove the ASA firewall and add
> >>> the MD5 password. I'm going nuts here!!
> >>>
> >>> Thanks
> >>> Reddy
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
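To show why Greg's norandomseq advice matters, here is an added Python model (not part of this thread and not Cisco code) of the RFC 2385 TCP MD5 check a BGP peer performs: the digest covers the TCP sequence number, so a firewall that rewrites sequence numbers in transit makes every segment fail verification at the far end, and a firewall that strips the option entirely produces the "No MD5 digest" condition Reddy saw. Addresses and ports are taken from the thread; the payload, window, and sequence values are constructed sample values.

```python
import hashlib
import socket
import struct

# Constructed sample values mirroring the thread's peering: BLUE 192.168.0.1 -> RED 200.200.200.1:179.
SRC_IP, DST_IP = "192.168.0.1", "200.200.200.1"
SRC_PORT, DST_PORT = 54052, 179
PASSWORD = b"cisco"
BGP_OPEN = b"\xff" * 16 + b"\x00\x1d\x01\x04\x00\x01\x00\xb4\xc0\xa8\x00\x01\x00"  # constructed BGP OPEN-like payload
HDR_LEN = 40  # 20-byte fixed TCP header + 20 bytes of options (18-byte MD5 option, padded to a word boundary)

def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """RFC 2385 section 2.0: MD5 over the IP pseudo-header, the fixed TCP header
    with checksum zeroed and options excluded, the segment data, and the key."""
    seg_len = HDR_LEN + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    flags, window, urg = 0x18, 16384, 0  # PSH+ACK; constructed values
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (HDR_LEN // 4) << 4, flags, window, 0, urg)
    return hashlib.md5(pseudo + fixed_hdr + payload + key).digest()

def send_segment(seq, ack, payload):
    """BLUE builds a segment carrying TCP option 19 (kind 19, length 18, 16-byte digest)."""
    digest = tcp_md5_digest(SRC_IP, DST_IP, SRC_PORT, DST_PORT, seq, ack, payload, PASSWORD)
    return {"seq": seq, "ack": ack, "payload": payload, "opt19": b"\x13\x12" + digest}

def through_asa(segment, randomize_seq, seq_delta=0x1A2B3C4D):
    """Model of the firewall path: with sequence randomization on, the firewall rewrites the
    sequence number in transit but cannot recompute the digest because it holds no key."""
    out = dict(segment)
    if randomize_seq:
        out["seq"] = (segment["seq"] + seq_delta) & 0xFFFFFFFF
    return out

def verify_at_red(segment, key=PASSWORD):
    """RED recomputes the digest over the header exactly as received and compares it to option 19."""
    if "opt19" not in segment:
        return "no md5 digest"  # the condition %TCP-6-BADAUTH: No MD5 digest reports
    expected = tcp_md5_digest(SRC_IP, DST_IP, SRC_PORT, DST_PORT,
                              segment["seq"], segment["ack"], segment["payload"], key)
    return "ok" if segment["opt19"][2:] == expected else "bad digest"

def demo(randomize_seq):
    """Returns 'ok' when sequence numbers pass untouched (norandomseq), 'bad digest' when rewritten."""
    return verify_at_red(through_asa(send_segment(0x10000000, 0x20000000, BGP_OPEN), randomize_seq))
```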



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART