BGP Session Through Cisco ASA Configuration study guide tutorial

12:08:00 PM    No comments

You can configure MD5 authentication between two BGP peers, which means that each segment sent on the TCP connection between the peers is verified. MD5 authentication must be configured with the same password on both BGP peers; otherwise, the connection between them will not be made. The configuration of MD5 authentication causes Cisco IOS software to generate and check the MD5 digest of every segment sent on the TCP connection. If authentication is invoked and a segment fails authentication, then an error message will be displayed in the console.
When you are configuring BGP peers with MD5 authentication that pass through a PIX firewall, it is important to configure the PIX between the BGP neighbors so that the sequence numbers for the TCP flows between the BGP neighbors are not random. This is because the TCP random sequence number feature on the PIX firewall is enabled by default, and it changes the TCP sequence number of the incoming packets before it forwards them.
MD5 authentication is applied on the TCP psuedo-IP header, TCP header and data (refer to RFC 2385). TCP uses this data—which includes the TCP sequence and ACK numbers—along with the BGP neighbor password to create a 128 bit hash number. The hash number is included in the packet in a TCP header option field. By default, the PIX offsets the sequence number by a random number, per TCP flow. On the sending BGP peer, TCP uses the original sequence number to create the 128 bit MD5 hash number and includes this hash number in the packet. When the receiving BGP peer gets the packet, TCP uses the PIX-modified sequence number to create a 128 bit MD5 hash number and compares it to the hash number that is included in the packet.
The hash number is different because the TCP sequence value was changed by the PIX, and TCP on the BGP neighbor drops the packet and logs an MD5 failed message.
R2–65.1.200.2—–ASA——-65.1.4.4—–R4
ASA CONFIGURATION: (extra norandomseq)
access-list OUTSIDE extended permit tcp any any eq bgp log
tcp-map BGP
tcp-options range 19 19 allow
static (inside,outside) 65.1.4.2 65.1.200.2 netmask 255.255.255.255 norandomseq
static (outside,inside) 65.1.200.4 65.1.4.4 netmask 255.255.255.255 norandomseq
access-group OUTSIDE in interface outside
class-map BGP
match port tcp eq bgp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class BGP
set connection random-sequence-number disable
set connection advanced-options BGP
service-policy global_policy global
The BGP session is fine without password. As soon as enter the command neighbor x.x.x.x password cisco, thing not working.
DEBUG IP TCP TRANSACTION ON ROUTER:
*Jul 2 04:56:53.451: BGP: 65.1.4.2 open active, local address 65.1.4.4
*Jul 2 04:56:53.451: TCB66151E74 created
*Jul 2 04:56:53.451: TCB66151E74 setting property TCP_WINDOW_SIZE (0) 6615C160
*Jul 2 04:56:53.451: TCB66151E74 setting property TCP_MD5KEY (5) 66002A00
*Jul 2 04:56:53.451: TCB66151E74 setting property TCP_TOS (11) 6615C140
*Jul 2 04:56:53.451: TCB66151E74 setting property TCP_OUT_TTL (24) 66150EFA
*Jul 2 04:56:53.451: TCP: Random local port generated 27487, network 0
*Jul 2 04:56:53.451: TCB66151E74 bound to 65.1.4.4.27487
*Jul 2 04:56:53.451: Reserved port 27487 in Transport Port Agent for TCP IP type 1
*Jul 2 04:56:53.451: TCP: sending SYN, seq 1925459762, ack 0
*Jul 2 04:56:53.451: TCP0: Connection to 65.1.4.2:179, advertising MSS 1440
*Jul 2 04:56:53.451: TCP0: state was CLOSED -> SYNSENT [27487 -> 65.1.4.2(179)]
*Jul 2 04:56:55.451: 65.1.4.4:27487 <—> 65.1.4.2:179 congestion window changes
*Jul 2 04:56:55.451: cwnd from 1440 to 1440, ssthresh from 65535 to 2880
*Jul 2 04:56:55.451: TCP0: timeout #1 - timeout is 4000 ms, seq 1925459762
*Jul 2 04:56:55.451: TCP: (27487) -> 65.1.4.2(179)
*Jul 2 04:56:59.451: TCP0: timeout #2 - timeout is 8000 ms, seq 1925459762
*Jul 2 04:56:59.451: TCP: (27487) -> 65.1.4.2(179)
*Jul 2 04:57:00.907: %TCP-6-BADAUTH: Invalid MD5 digest from 65.1.4.2(12644) to 65.1.4.4(179)
*Jul 2 04:57:00.907: TCP0: bad seg from 65.1.4.2 — Invalid MD5 string: port 179 seq 1857634658 ack 0 rcvnxt 0 rcvwnd 16384 len 0
*Jul 2 04:57:07.451: TCP: (27487) -> 65.1.4.2(179)
*Jul 2 04:57:23.451: TCP0: state was SYNSENT -> CLOSED [27487 ->65.1.4.2(179)]
*Jul 2 04:57:23.451: Released port 27487 in Transport Port Agent for TCP IP type 1 delay 240000
*Jul 2 04:57:23.451: TCB 0×66151E74 destroyed
*Jul 2 04:57:23.451: BGP: 65.1.4.2 open failed: Connection timed out; remote host not responding, open active delayed 29552ms (35000ms max, 28% jitter)
The right way is not to NAT! Use static identity NAT or no nat-control.
access-list BGP-MD5-ACL remark *** Allow BGP MD5 Authentication ****
access-list BGP-MD5-ACL permit tcp host 172.16.13.4 host 172.16.11.1 eq bgp
!— Access list allows BGP traffic to pass from outside to inside.
access-group BGP-MD5-ACL in interface outside
tcp-map BGP-MD5
tcp-options range 19 19 allow
!
class-map BGP-MD5-CLASSMAP
match access-list BGP-MD5-ACL
!
policy-map global_policy
class BGP-MD5-CLASSMAP
set connection advanced-options BGP-MD5
set connection random-sequence-number disable
service-policy global_policy global
Network Bulls
Best Institute for CCNA CCNP CCSP CCIP CCIE R&S, CCIE Security Training in India www.networkbulls.com M-44, Old Dlf, Sector-14 Gurgaon, Haryana, india

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

About US

Network Bulls is Best Institute for Cisco CCNA, CCNA Security, CCNA Voice, CCNP, CCNP Security, CCNP Voice, CCIP, CCIE RS, CCIE Security Version 4 and CCIE Voice Certification courses in India. Network Bulls is a complete Cisco Certification Training and Course Coaching Institute in Gurgaon/Delhi NCR region in India. Network Bulls has Biggest Cisco Training labs in India. Network Bulls offers all Cisco courses on Real Cisco Devices. Network Bulls has Biggest Team of CCIE Trainers in North India, with more than 90% of passing rate in First Attempt for CCIE Security Version 4 candidates.
  • Biggest Cisco Training Labs in India
  • More than 90% Passing Rate in First Attempt
  • CCIE Certified Trainers for All courses
  • 24x7 Lab Facility
  • 100% Job Guaranteed Courses
  • Awarded as Best Network Security Institute in 2011 by Times
  • Only Institute in India, to provide CCIE Security Version 4.0 Training
  • CCIE Security Version 4 Training available
  • Latest equipments available for CCIE Security Version 4

Network Bulls Institute Gurgaon

Network Bulls Institute in Gurgaon is one of the best Cisco Certifications Training Centers in India. Network Bulls has Biggest Networking Training and Networking courses labs in North India. Network Bulls is offering Cisco Training courses on real Cisco Routers and Switches. Labs of Network Bulls Institute are 24x7 Available. There are many coaching Centers in Delhi, Gurgaon, Chandigarh, Jaipur, Surat, Mumbai, Bangalore, Hyderabad and Chennai, who are offering Cisco courses, but very few institutes out of that big list are offering Cisco Networking Training on real Cisco devices, with Live Projects. Network Bulls is not just an institute. Network Bulls is a Networking and Network Security Training and consultancy company, which is offering Cisco certifications Training as well support too. NB is awarded in January 2012, by Times, as Best Network Security and Cisco Training Institute for the year 2011. Network Bulls is also offering Summer Training in Gurgaon and Delhi. Network Bulls has collaboration with IT companies, from which Network Bulls is offering Networking courses in Summer Training and Industrial Training of Btech BE BCA MCA students on real Live projects. Job Oriented Training and Industrial Training on Live projects is also offered by network bulls in Gurgaon and Delhi NCR region. Network Bulls is also providing Cisco Networking Trainings to Corporates of Delhi, Gurgaon, bangalore, Jaipur, Nigeria, Chandigarh, Mohali, Haryana, Punjab, Bhiwani, Ambala, Chennai, Hyderabad.
Cisco Certification Exams are also conducted by Network Bulls in its Gurgaon Branch.
Network Bulls don't provide any Cisco CCNA, CCNP simulations for practice. They Provide High End Trainings on Real topologies for high tech troubleshooting on real Networks. There is a list of Top and best Training Institutes in India, which are providing CCNA and CCNP courses, but NB has a different image from market. Many students has given me their feedbacks and reviews about Network bulls Institute, but there were no complaints about any fraud from this institute. Network Bulls is such a wonderful place to get trained from Industry expert Trainers, under guidance of CCIE Certified Engineers.

About Blog

This Blog Contains Links shared by sites: Cisco Guides, Dumps collection, Exam collection, Career Cert, Ketam Mehta, GodsComp.co.cc.

NB

NB
Cisco Networking Certifications Training

Cisco Training in Delhi

ccna training in gurgaon. ccnp course institute in gurgaon, ccie coaching and bootcamp training near gurgaon and delhi. best institute of ccna course in delhi gurgaon india. network bulls provides ccna,ccnp,ccsp,ccie course training in gurgaon, new delhi and india. ccsp training new delhi, ccie security bootcamp in delhi.

Testimonials : Network Bulls

My Name is Rohit Sharma and i Have done CCNA and CCNP Training in Gurgaon Center of Network Bulls and it was a great experience for me to study in Network Bulls.

Cisco Networking Certifications

Myself Komal Verma and i took CCSP Training from Network Bulls in Gurgaon. The day i joined Network Bulls, the day i get addicted with Networking Technologies and I thank Mr. Vikas Sheokand for this wonderful session of Networking. :)
I must say that Network Bulls is Best Institute of CCNA CCNP CCSP CCIE Course Training in Gurgaon, New Delhi and in India too.
Komal Verma

About a wonderfull CCIE Training Institute in Gurgaon

I am Kiran shah from New Delhi. I have recently completed my CCNA CCNP & CCIE Training in Gurgaon from Network Bulls and i recommend Network Bulls for Cisco Training in India.

Kiran Shah

Cisco Coaching and Learning Center

Disclaimer: This site does not store any files on its server. I only index and link to content provided by other sites. If you see any file on server that is against copy right you can inform me at (sidd12341 [at] gmail.com). I will delete that materials within two days. This Website is not official Website of any Institute like INE, Network Bulls, IP Expert. Thanks

CCIE Security Version 4

Cisco Finally updated CCIE Security Lab exam blueprint. WSA Ironport and ISE devices are added in CCIE Security Version 4 Lab Exam Syllabus Blueprint. In Updated CCIE Security Version 4 Syllabus blueprint, new technologies like Mobile Security, VoIP Security and IPV6 Security along with Network Security, are added. As in CCIE Security Version 3 blueprint, Cisco had focused on Network Security only, but now as per market demand, Cisco is looking forward to produce Internet gear Security Engineer, not only Network Security engineers.
In CCIE Security Version 4 Bluerpint, Lab Exam is going to be more interested than before. What is Difference in CCIE Security Version 3 and Version 4? Just go through the CCIE Security Version 4 Lab Equipment and Lab Exam Syllabus Blueprints and find out!