Wednesday, September 11, 2019

How to allow eBGP MD5 authentication when ASA Firewall in between

Hi,

I read an interesting article about the problem you run into when an ASA firewall sits between two Cisco routers that peer over eBGP with MD5 authentication protecting the session.
Below are my lab results and findings, along with the small topology I built in EVE-NG Community Edition.

The diagram below shows the topology:
R1<<<< ASA >>>> R2

You will need to configure the ASA interfaces as below:
G0/0 (ip address and nameif)
G0/1 (ip address and nameif)
Then configure both routers' interfaces and ping to make sure the ASA is reachable.
Once EIGRP has completed its adjacency you will see the R1 and R2 networks, but the two routers will not have reachability between them, so you will need to enable ICMP inspection on the ASA so that the echo replies are allowed back through:
class inspection_default
  inspect icmp

After this you will have reachability from R1 Loopback0 to R2 Loopback0, and here we start configuring eBGP:
R2:
router bgp 222
bgp log-neighbor-changes
network 200.200.200.200 mask 255.255.255.255
neighbor 1.1.1.1 remote-as 111
neighbor 1.1.1.1 password 12345
neighbor 1.1.1.1 disable-connected-check
neighbor 1.1.1.1 update-source Loopback0

R1:
router bgp 111
bgp log-neighbor-changes
network 100.100.100.100 mask 255.255.255.255
neighbor 2.2.2.2 remote-as 222
neighbor 2.2.2.2 password 12345
neighbor 2.2.2.2 disable-connected-check
neighbor 2.2.2.2 update-source Loopback0

Note: I have created two more loopbacks, 100 on R1 and 200 on R2, which are advertised over BGP only, and I have disabled the directly-connected check on the BGP neighbors.
You will see the session come UP and the prefixes appear in both BGP RIB tables.

However, once you add password authentication under BGP, you will start seeing the logs below:
R2(config-router)#
*Sep 11 08:54:44.093: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
R2(config-router)#
*Sep 11 08:54:46.098: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
R2(config-router)#
*Sep 11 08:54:50.106: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
and the BGP session will be lost.

The reason is that BGP runs over TCP port 179, which the ASA passes fine, but once MD5 authentication is enabled the digest travels in TCP option 19 (RFC 2385), and the ASA's TCP normalizer strips that option by default. The digest is also computed over the TCP header, including the sequence number, so the ASA's default sequence-number randomization would invalidate it even if the option were passed through.
The routers therefore never see a valid MD5 digest with the connection attempt, so you will need to add the following on the Cisco ASA:
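To make the failure mode concrete, here is an added Python example (not from the original post, and not Cisco code) that builds a TCP segment carrying the RFC 2385 MD5 signature option and then simulates the two things a middlebox can do to it: clear option 19, and rewrite the sequence number. The verifier mirrors the receiving router's check, so the first case produces the "No MD5 digest" condition seen in the %TCP-6-BADAUTH logs above and the second a digest mismatch. The addresses, ports and password are taken from the lab; the segment itself is constructed, its TCP checksum is left at zero (the digest zeroes it anyway), and overwriting a cleared option with NOPs is an assumption made for illustration rather than a statement about the ASA's exact byte-level behaviour.

```python
import hashlib
import hmac
import socket
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MD5 = 19  # RFC 2385 TCP MD5 Signature Option (kind 19, length 18)


def parse_tcp_options(raw):
    """Return [(kind, payload), ...] from the raw TCP options bytes."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def build_tcp_options(opts):
    """Serialise [(kind, payload), ...]; pad to a 4-byte boundary with EOL (0x00)."""
    raw = b"".join(bytes([k]) if k == TCP_OPT_NOP else bytes([k, len(p) + 2]) + p
                   for k, p in opts)
    return raw + bytes(-len(raw) % 4)


def rfc2385_digest(src_ip, dst_ip, header20, options, data, key):
    """MD5 over: IPv4 pseudo-header, the 20-byte fixed TCP header with the checksum
    zeroed, the segment data, and the shared key (RFC 2385 section 2.0).
    Options are excluded from the hash but count toward the pseudo-header length."""
    seg_len = len(header20) + len(options) + len(data)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = header20[:16] + b"\x00\x00" + header20[18:]
    return hashlib.md5(pseudo + fixed + data + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, data, key):
    """Build a TCP segment carrying a valid option-19 digest (checksum left at 0)."""
    tail = [(TCP_OPT_NOP, b""), (TCP_OPT_NOP, b"")]  # 18 + 2 = 20 bytes of options
    options = build_tcp_options([(TCP_OPT_MD5, bytes(16))] + tail)
    offset_words = (20 + len(options)) // 4
    header20 = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                           offset_words << 4, flags, 65535, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, header20, options, data, key)
    return header20 + build_tcp_options([(TCP_OPT_MD5, digest)] + tail) + data


def verify_segment(src_ip, dst_ip, segment, key):
    """What the receiving router checks: 'ok', 'no_md5_digest' or 'bad_digest'."""
    hdr_len = (segment[12] >> 4) * 4
    header20, options, data = segment[:20], segment[20:hdr_len], segment[hdr_len:]
    digests = [p for k, p in parse_tcp_options(options) if k == TCP_OPT_MD5]
    if not digests:
        return "no_md5_digest"  # the "No MD5 digest" case in the %TCP-6-BADAUTH logs
    expected = rfc2385_digest(src_ip, dst_ip, header20, options, data, key)
    return "ok" if hmac.compare_digest(digests[0], expected) else "bad_digest"


def clear_option_19(segment):
    """Middlebox behaviour 1 (assumed model): clear the unknown option by overwriting
    it with NOPs so the header length is unchanged."""
    hdr_len = (segment[12] >> 4) * 4
    kept = []
    for k, p in parse_tcp_options(segment[20:hdr_len]):
        kept += [(TCP_OPT_NOP, b"")] * (len(p) + 2) if k == TCP_OPT_MD5 else [(k, p)]
    return segment[:20] + build_tcp_options(kept) + segment[hdr_len:]


def randomize_seq(segment, delta):
    """Middlebox behaviour 2: rewrite the sequence number, as sequence-number
    randomization does. The digest covers that field, so it no longer matches."""
    seq, = struct.unpack("!I", segment[4:8])
    return segment[:4] + struct.pack("!I", (seq + delta) & 0xFFFFFFFF) + segment[8:]


def demo():
    # Constructed sample: addresses/ports from the lab logs and the lab password "12345".
    src, dst, key = "1.1.1.1", "2.2.2.2", b"12345"
    syn = build_segment(src, dst, 36963, 179, seq=0x1000, ack=0, flags=0x02, data=b"", key=key)
    return {
        "untouched": verify_segment(src, dst, syn, key),
        "option_19_cleared": verify_segment(src, dst, clear_option_19(syn), key),
        "seq_randomized": verify_segment(src, dst, randomize_seq(syn, 0x5A5A5A5A), key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-20s %s" % (case, result))
```

Running it prints `ok` for the untouched segment, `no_md5_digest` once option 19 has been cleared, and `bad_digest` once the sequence number has been rewritten, which is why the ASA fix needs both `tcp-options range 19 19 allow` and `random-sequence-number disable`.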


1. First, create an extended ACL to match the traffic between the BGP routers:
access-list bgp extended permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp
access-list bgp extended permit tcp host 2.2.2.2 host 1.1.1.1 eq bgp
2. Create a TCP map that allows option 19:
tcp-map allow-tcp-19
  tcp-options range 19 19 allow
3. Create the class map BGP that matches the ACL, then reference it in the global policy map and apply our settings (the class map must exist before the policy map can reference it):
class-map BGP
  match access-list bgp
policy-map global_policy
  class BGP
    set connection random-sequence-number disable
    set connection advanced-options allow-tcp-19


After this is done, you will get the BGP session UP again!

R2#
*Sep 11 09:14:59.477: %BGP-5-NBR_RESET: Neighbor 1.1.1.1 active reset (BGP Notification sent)
*Sep 11 09:14:59.477: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
R2#

I hope this was useful!

I will upload the EVE-NG lab export.

Thanks,
