Author: Samer R Saleem
We have the following scenario: BGP traffic between two routers crossing an ASA firewall breaks when the routers try to peer with MD5 authentication enabled on both sides.
We will build a lab and fix the issue on the firewall so that BGP can authenticate and form a peering session between the routers. I will be posting my labbing results and findings along the way; I used EVE-NG Community to simulate the small topology for this case.
The diagram below is self-explanatory: two routers on the sides and an ASA in between. IP addresses are 192.168.1.0/24 on the left and 12.0.0.0/24 on the right side.
R1 is in AS111 and R2 is in AS222.
You will need to configure the ASA interfaces as below:
G0/0 (IP address and nameif) as in the diagram above
G0/1 (IP address and nameif) as in the diagram above
Then configure both routers' interfaces and ping to make sure the ASA is reachable.
To provide reachability I will be using EIGRP. Once the adjacency process completes you will see the R1 and R2 networks, but they will not have reachability between them, so you will need to add ICMP to the ASA firewall's default inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
After this, you will have reachability from R1 Loopback0 to R2 Loopback0. Here we start configuring eBGP:
R2:
router bgp 222
 bgp log-neighbor-changes
 network 200.200.200.200 mask 255.255.255.255
 neighbor 1.1.1.1 remote-as 111
 neighbor 1.1.1.1 password 12345
 neighbor 1.1.1.1 disable-connected-check
 neighbor 1.1.1.1 update-source Loopback0
R1:
router bgp 111
 bgp log-neighbor-changes
 network 100.100.100.100 mask 255.255.255.255
 neighbor 2.2.2.2 remote-as 222
 neighbor 2.2.2.2 password 12345
 neighbor 2.2.2.2 disable-connected-check
 neighbor 2.2.2.2 update-source Loopback0
Note: I have created two more loopbacks, 100 and 200, on R1 and R2, advertised them over BGP only, and disabled the directly-connected check on BGP.
You will see the session come up and prefixes appear in both BGP RIB tables.
However, once you add password authentication under BGP, you will start seeing the logs below:
R2(config-router)#
*Sep 11 08:54:44.093: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
R2(config-router)#
*Sep 11 08:54:46.098: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
R2(config-router)#
*Sep 11 08:54:50.106: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(36963) to 2.2.2.2(179) tableid - 0
And now the BGP session is lost.
Diagnosis and Solution:
The reason is that BGP uses TCP port 179, which is fine on its own, but once MD5 authentication is used the ASA strips the authentication, which is carried as TCP option 19. The ASA also randomizes TCP sequence numbers by default, and because the MD5 digest is computed over the TCP header, including the sequence number, a rewritten sequence number would invalidate the digest as well.
The routers therefore never see a valid MD5 digest on the connection attempt because it is being filtered by the firewall, so you will need to add the following on the Cisco ASA:
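To make the diagnosis concrete, the following added example (my own code, not part of the original post or any Cisco software) implements the RFC 2385 signature over a constructed BGP segment between the lab addresses and then applies the two rewrites the ASA performs by default: clearing option 19 (modelled here as overwriting it with NOPs, an assumption about the exact byte-level rewrite) and shifting the sequence number. The first produces the "No MD5 digest" condition from the log above; the second produces a digest mismatch, which is why both firewall settings are needed.

```python
import hashlib
import struct
from ipaddress import IPv4Address

TCPOPT_MD5, MD5_OPT_LEN = 19, 18  # RFC 2385 option kind; kind + len + 16-byte digest

def tcp_options(segment):
    """Yield (offset, kind, length) for each option between byte 20 and the data offset."""
    i, end = 20, (segment[12] >> 4) * 4
    while i < end and segment[i] != 0:      # kind 0 ends the list
        if segment[i] == 1:                 # kind 1 is a one-byte NOP
            i += 1
            continue
        yield i, segment[i], segment[i + 1]
        i += segment[i + 1]

def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed 20-byte header (checksum zeroed, options excluded), payload, key."""
    pseudo = IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed + struct.pack("!BBH", 0, 6, len(segment))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[(segment[12] >> 4) * 4:] + key).digest()

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, payload, key, flags=0x18):
    """Segment carrying option 19 plus two NOPs (20 option bytes, so data offset is 10 words)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, flags, 65535, 0, 0)
    opt = bytes([TCPOPT_MD5, MD5_OPT_LEN])
    digest = rfc2385_digest(src_ip, dst_ip, hdr + opt + bytes(16) + b"\x01\x01" + payload, key)
    return hdr + opt + digest + b"\x01\x01" + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver check: a missing option is the %TCP-6-BADAUTH 'No MD5 digest' case."""
    for off, kind, length in tcp_options(segment):
        if kind == TCPOPT_MD5 and length == MD5_OPT_LEN:
            ok = segment[off + 2:off + 18] == rfc2385_digest(src_ip, dst_ip, segment, key)
            return "ok" if ok else "bad digest"
    return "no md5 digest"

def asa_clear_option19(segment):
    """ASA default for an unlisted TCP option, modelled as overwriting option 19 with NOPs (assumption)."""
    for off, kind, length in tcp_options(segment):
        if kind == TCPOPT_MD5:
            return segment[:off] + b"\x01" * length + segment[off + length:]
    return segment

def asa_randomize_seq(segment, delta):
    """Sequence-number randomization: rewrite SEQ only; the digest covers SEQ, so it no longer matches."""
    seq = struct.unpack("!I", segment[4:8])[0]
    return segment[:4] + struct.pack("!I", (seq + delta) & 0xFFFFFFFF) + segment[8:]

SRC, DST, KEY = "1.1.1.1", "2.2.2.2", b"12345"   # constructed sample using the lab addresses and password
SEGMENT = build_signed_segment(SRC, DST, 36963, 179, 0x1000, b"constructed BGP payload", KEY)
```

Calling verify_segment on SEGMENT, on asa_clear_option19(SEGMENT) and on asa_randomize_seq(SEGMENT, delta) returns "ok", "no md5 digest" and "bad digest" respectively.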
1. First, create an extended ACL to match the traffic between the BGP routers:
access-list bgp extended permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp
access-list bgp extended permit tcp host 2.2.2.2 host 1.1.1.1 eq bgp
2. Create a TCP map that allows option 19:
tcp-map allow-tcp-19
 tcp-options range 19 19 allow
3. Create a class map BGP that matches the ACL, then reference it in the global policy map and apply our settings (the class map must exist before it is referenced under the policy map):
class-map BGP
 match access-list bgp
policy-map global_policy
 class BGP
  set connection random-sequence-number disable
  set connection advanced-options allow-tcp-19
After this is done, you will see the BGP session come up again!
Check the logs again:
R2#
*Sep 11 09:14:59.477: %BGP-5-NBR_RESET: Neighbor 1.1.1.1 active reset (BGP Notification sent)
*Sep 11 09:14:59.477: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
R2#
RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option:
https://www.ietf.org/rfc/rfc2385.txt
To download the lab, go to my post on the Cisco Learning Network; you will find it attached as a zip:
I hope this was useful!
Samer R. Saleem