BGP Through an ASA with Authentication

By default, the ASA will strip TCP option 19 causing MD5 authentication for BGP to fail. In addition, the ASA randomizes the TCP sequence numbers, which also breaks things. To fix this:

tcp-map BGP_FIX
  tcp-options range 19 19 allow
!
access-list BGP permit tcp any any eq 179
!
class BGP
  match access-list BGP
  !! could also use match protocol tcp eq bgp
!
policy-map global_policy
  class BGP
    set connection advanced-options BGP_FIX
    set connection random-sequence-number disable
!

Posted in ASA, BGP, CCIE, CCIE Security.

No comments

By blanders – July 12, 2009

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

« ASA Authentication Proxy with ACS ASA URL filtering with MPF »

Cisco Catalyst 6500 Architecture White Paper
The official source for Cat6k architecture and design questions.
Notes on Cisco Catalyst 6500 architecture
High-level overview of the various backplane and fabric options in the Cat6k.
Extracting a 3DES key from an IBM 4758
Software-based attack for stealing the crypto keys from a tamper-resistant IBM crypto processor.
PowerCLI: Changing a VM IP Address with Invoke-VMScript
How to update the IP address of a Windows VM programatically using the PowerShell-based PowerCLI.
Auto-configure Linux vmware-tools at Boot time
Bash initscript to ensure your vmware tools get reconfigured when the kernel is upgraded. Could use a tweak to not run on a non-VM host.
Upgrade SQL Express to Standard or Enterprise
This will come in handy if you start out with vCenter running on the included SQL Express server and later outgrow it.
VMware Virtual Center Attributes – It’s all about the details
Covers a lesser-known but VERY useful feature in vCenter for adding metadata to virtual machines.
VMFS or NFS
Performance and other considerations when choosing a storage architecture for vSphere. Also touches on FC vs. iSCSI/NFS.
Designing Secure Multi-Tenancy into Virtualized Data Centers
Cisco Validated Design for the just-announced VMware/NetApp reference architecture.
Cisco Internal WAAS Implementation
High-level overview of Cisco IT's WAAS rollout to 200+ remote offices. The resulting CIFS optimization lead them to massivly consolidate file services to regional hubs.
The Great vSwitch Debate
Outstanding 8-part coverage of vSwitches and potential VMware network designs.
Cisco Data Center Interconnect Design and Implementation Guide
(PDF) Describes a portion of Cisco’s system for interconnecting multiple data centers for Layer 2-based business applications. Covers VSS and vPC.
Linux performance basics
Good, quick introduction to vmstat, iostat, and top for checking Linux performance stats.
vSphere 4.0 Hardening Guide Public Draft Released
Multi-PDF guide/checklist for securing vSphere in enterprise, DMZ, and special-access environments.
vSphere Host Died Abandon Ship!
Adding vSphere vCenter Alarms & Actions. How to automatically move your VMs off a dying host.

Proudly powered by WordPress and Carrington.

BGP Through an ASA with Authentication

0 Responses

About Packetslave Industries

Archives

Meta

Delicious Bookmarks