If you are attempting to pass BGP updates through your ASA/PIX running 7.0/8.0 code, you need to be aware that BGP with MD5 authentication uses TCP option 19 (the TCP MD5 signature option), which a PIX/ASA running 7.0 or higher will not pass unless you permit it explicitly. To permit traffic carrying this TCP option you must create a TCP map and apply it using the service-policy command. Here is an example:
    ! Allow TCP option 19 (MD5 signature) to pass
    tcp-map MD5-BGP
      tcp-options range 19 19 allow
    !
    ! Match BGP sessions (TCP port 179)
    class-map CLASS-MD5-BGP
      match port tcp eq 179
    !
    ! Apply the TCP map and disable sequence-number randomization for those sessions.
    ! global_policy is already applied with "service-policy global_policy global"
    ! on a default ASA configuration, so no further apply step is needed.
    policy-map global_policy
      class CLASS-MD5-BGP
        set connection advanced-options MD5-BGP
        set connection random-sequence-number disable
Also note that randomization of TCP sequence numbers must be disabled. This used to be done at the end of the static command, but the preferred option in 7.x and above is to use the Modular Policy Framework (MPF) and apply it via the policy-map, as in the example above. Also, the addresses of the devices running BGP cannot be NATed. This is because the MD5 hash covers the IP addresses (through the TCP pseudo-header) as well as the TCP header, including the sequence number; if the firewall rewrites any of that information, the signature no longer verifies and the peer discards the segment.
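As an added illustration (not from the original post), the following Python computes the RFC 2385 MD5 signature over a constructed BGP KEEPALIVE segment and shows that rewriting either the source address (NAT) or the sequence number (ISN randomization) changes the digest, which is exactly why the firewall must leave both untouched. The addresses, ports and key are constructed values.

```python
import hashlib
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
MD5_OPTION_LEN = 20  # 18-byte option (kind 19) plus two NOP bytes of padding


def tcp_md5_signature(src_ip, dst_ip, src_port, dst_port, seq, ack,
                      flags, window, payload, key, hdr_len=20 + MD5_OPTION_LEN):
    """RFC 2385 digest: pseudo-header + TCP header (no options, checksum 0) + data + key.

    hdr_len is the header length the sender places in the data-offset field,
    i.e. the 20-byte base header plus the signature option itself.
    """
    seg_len = hdr_len + len(payload)
    # TCP pseudo-header: src IP, dst IP, zero, protocol, TCP segment length
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, TCP_PROTO, seg_len)
    offset_flags = ((hdr_len // 4) << 12) | (flags & 0x1FF)
    # Base TCP header with checksum and urgent pointer set to zero
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
KEEPALIVE = bytes([0xFF] * 16) + struct.pack("!HB", 19, 4)
SEGMENT = dict(src_ip="192.0.2.1", dst_ip="198.51.100.1", src_port=179,
               dst_port=40001, seq=1000, ack=2000, flags=0x18,  # PSH+ACK
               window=16384, payload=KEEPALIVE, key=b"constructed-key")


def check_after_firewall(nat_src_ip=None, seq_offset=0):
    """True if the receiver's recomputed digest still matches the sender's
    after the firewall has (optionally) rewritten the source IP or sequence number."""
    sent = tcp_md5_signature(**SEGMENT)
    rewritten = dict(SEGMENT)
    if nat_src_ip:
        rewritten["src_ip"] = nat_src_ip
    rewritten["seq"] = (SEGMENT["seq"] + seq_offset) & 0xFFFFFFFF
    return tcp_md5_signature(**rewritten) == sent


if __name__ == "__main__":
    print("untouched   :", check_after_firewall())                          # True
    print("NATed source:", check_after_firewall(nat_src_ip="203.0.113.9"))  # False
    print("ISN shifted :", check_after_firewall(seq_offset=0x12345678))     # False
```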