RE: getting MD5 BGP to work through ASA 7.2

From: Mark Snow (mark@ipexpert.com)
Date: Fri Jan 26 2007 - 21:23:35 ART


Try putting the following in your ASA config - then clear your TCP sessions
- and everything will be peachy ;)

<ASA snip>
!
access-list bgpacl extended permit tcp host 200.200.200.1 host 192.168.0.1 eq bgp
access-list bgpacl extended permit tcp host 192.168.0.1 eq bgp host 200.200.200.1
!
!
tcp-map bgp
  tcp-options range 19 19 allow
!
!
class-map bgpmap
 match access-list bgpacl
!
policy-map bgptcp
 class bgpmap
  set connection random-sequence-number disable
  set connection advanced-options bgp
!
service-policy bgptcp interface outside
!
</ASA snip>

 

Mark Snow
CCIE Instructor / Developer - IPexpert, Inc.
CCIE #14073
URL: http://www.IPexpert.com
Toll Free: +1.866.225.8064
International: +1.810.326.1444
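
As an added illustration (not part of the thread, and not Cisco's code), here is the RFC 2385 TCP MD5 digest computation in Python with a receiver-side check. It shows why both lines of the policy above are needed: the digest covers the TCP sequence number, so the ASA's sequence-number randomization produces a digest mismatch, and the signature travels as TCP option 19, which the far router reports as "No MD5 digest" when the firewall clears the option. The peer addresses, ports and the password "cisco" come from the thread; the segment builder, the verifier and the two models of ASA behaviour are assumptions of this example.

```python
import hashlib
import hmac
import socket
import struct
TCP_OPT_MD5SIG = 19  # RFC 2385 TCP MD5 Signature option kind (the option the tcp-map above allows)
KEY = b"cisco"       # constructed: the "neighbor ... password cisco" from the thread

def _md5sig(src_ip, dst_ip, hdr, opt_len, payload, key):
    # RFC 2385 section 2: pseudo-header, fixed TCP header with checksum zeroed and no options, data, key
    tcp_len = len(hdr) + opt_len + len(payload)
    m = hashlib.md5(socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len))
    m.update(hdr[:16] + b"\x00\x00" + hdr[18:])
    m.update(payload)
    m.update(key)
    return m.digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    # 20-byte fixed header + option 19 (kind, length 18, 16-byte digest) + 2 NOPs of padding = 40-byte header
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, 16384, 0, 0)
    digest = _md5sig(src_ip, dst_ip, hdr, 20, payload, key)
    return hdr + bytes([TCP_OPT_MD5SIG, 18]) + digest + b"\x01\x01" + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check: 'ok', 'no-md5-option' (what IOS logs as %TCP-6-BADAUTH) or 'bad-digest'."""
    hdr = segment[:20]
    data_off = (hdr[12] >> 4) * 4
    options, payload = segment[20:data_off], segment[data_off:]
    received, i = None, 0
    while i < len(options) and options[i] != 0:              # kind 0 ends the option list
        length = 1 if options[i] == 1 else options[i + 1]    # kind 1 (NOP) carries no length byte
        if options[i] == TCP_OPT_MD5SIG:
            received = options[i + 2:i + length]
        i += length
    if received is None:
        return "no-md5-option"
    expected = _md5sig(src_ip, dst_ip, hdr, len(options), payload, key)
    return "ok" if hmac.compare_digest(expected, received) else "bad-digest"

def rewrite_seq(segment, delta):
    # model of the ASA's sequence-number randomization: only the seq field changes, the digest does not
    seq = struct.unpack("!I", segment[4:8])[0]
    return segment[:4] + struct.pack("!I", (seq + delta) & 0xFFFFFFFF) + segment[8:]

def clear_options(segment):
    # model of the ASA clearing a TCP option it has not been told to allow: option bytes become NOPs
    data_off = (segment[12] >> 4) * 4
    return segment[:20] + b"\x01" * (data_off - 20) + segment[data_off:]

# constructed segment matching the thread's log line: 192.168.0.1(54052) -> 200.200.200.1(179), BGP marker + length/type of an OPEN
SEG = build_segment("192.168.0.1", "200.200.200.1", 54052, 179, 0x1000, 0, 0x02, b"\xff" * 16 + b"\x00\x1d\x01", KEY)
```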

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Reddy Ramasani
Sent: Friday, January 26, 2007 3:02 AM
To: gwendel@gregw.biz
Cc: gwendel@gregw.biz; ccielab@groupstudy.com
Subject: Re: getting MD5 BGP to work through ASA 7.2

yes, I can ping. If I remove "neighbor password" my neighbors come up. I can
telnet to port 179. Yes, here's the configuration:
   
  BLUE:
  router bgp 1
 neighbor 192.168.0.1 remote-as 4
 neighbor 192.168.0.1 password cisco
 neighbor 192.168.0.1 ebgp-multihop 100

  RED:
  router bgp 4
 neighbor 200.200.200.1 remote-as 1
 neighbor 200.200.200.1 password cisco
 neighbor 200.200.200.1 ebgp-multihop 100

  ASA in the middle:
  static (inside,outside) 192.168.0.1 192.168.0.1 netmask 255.255.255.255 norandomseq
  nat (inside) 0 0.0.0.0 0.0.0.0
  !
  access-list OUTSIDE_IN extended permit ip any any
  access-group OUTSIDE_IN in interface outside

   
  
gwendel@gregw.biz wrote:
  A couple of questions:
can you ping each peer from each other?
can you telnet to port 179?
can you post a sanitized configuration?
can you try permit tcp any any eq bgp on both interfaces?

I can get you an example of a working config if you need one.

> i actually tried that, and it still doesn't work
>
> gwendel@gregw.biz wrote: You need to use the norandomseq keyword on the
> pix/asa.
>
>> Hi, I'm trying to set up a BGP neighbor with an MD5 password through an ASA
>> firewall, and it is failing for me.
>>
>> BLUE#
>> 16:44:20: %TCP-6-BADAUTH: No MD5 digest from 192.168.0.1(54052) to
>> 200.200.200.1(179)
>>
>> am I doing something wrong?
>>
>> It works fine without MD5, and it works if I remove the ASA firewall and add
>> the MD5 password. I'm going nuts here!!
>>
>> Thanks
>> Reddy
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>




This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART