eoghan30
Technical User
- Sep 20, 2010
- 1
Hi,
I am having an issue with my newly implemented ASA 5520: the BGP traffic from my production routers traverses this firewall and goes to the DR site. This is being blocked.
2 Sep 20 2010 10:21:34 106001 192.63.0.2 11271 192.63.128.2 179 Inbound TCP connection denied from 192.63.0.2/11271 to 192.63.128.2/179 flags SYN on interface OUTSIDE
From reading up on it, it appears to me to be a problem with BGP MD5 authentication and random sequencing. I have disabled random sequencing with the following:
access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.3 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.2 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.0.2 host 192.63.128.2 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.0.3 host 192.63.128.2 eq bgp
!
tcp-map BGP-MD5-OPTION-ALLOW
tcp-options range 19 19 allow
class-map CLASS-BGP-MD5
match access-list BGP-MD5-ACL
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class CLASS-BGP-MD5
set connection random-sequence-number disable
set connection advanced-options BGP-MD5-OPTION-ALLOW
!
service-policy global_policy global
Also, there is an access-list on the outside interface specifically allowing BGP,
but it is still blocking with the same log. Anyone got any ideas? I will have to roll back to my PIX if I do not get it going soon.
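Added example (my own code, not from the post or from Cisco): a small triage script that parses the 106001 "Inbound TCP connection denied" line quoted above together with the posted BGP-MD5-ACL and reports, for each denied BGP SYN, whether the flow is already covered by the class-map ACL. The first log line is the one from the post; the second is constructed from a peer that is not in the ACL, for contrast.

```python
import re

# Constructed sample input: the 106001 line quoted in the post, plus one constructed
# line from a peer that is NOT in the posted ACL, for contrast.
SAMPLE_LOGS = [
    "2 Sep 20 2010 10:21:34 106001 192.63.0.2 11271 192.63.128.2 179 Inbound TCP connection "
    "denied from 192.63.0.2/11271 to 192.63.128.2/179 flags SYN on interface OUTSIDE",
    "2 Sep 20 2010 10:21:40 106001 192.63.0.9 40001 192.63.128.2 179 Inbound TCP connection "
    "denied from 192.63.0.9/40001 to 192.63.128.2/179 flags SYN on interface OUTSIDE",
]
# The class-map ACL exactly as posted (only the "host A host B eq <port>" form is parsed).
ACL_TEXT = """
access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.3 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.2 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.0.2 host 192.63.128.2 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.0.3 host 192.63.128.2 eq bgp
"""
DENY_RE = re.compile(r"\b106001 (?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+) "
                     r".*?flags (?P<flags>\S+) on interface (?P<iface>\S+)")
ACE_RE = re.compile(r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) tcp "
                    r"host (?P<src>[\d.]+) host (?P<dst>[\d.]+) eq (?P<port>\S+)")
PORT_NAMES = {"bgp": "179"}  # ASA port keyword -> port number


def parse_denies(lines):
    """Return one dict per 106001 (inbound TCP denied) message found in the lines."""
    return [m.groupdict() for m in map(DENY_RE.search, lines) if m]


def parse_acl(text):
    """Return the ACEs in configured order, with port keywords normalised to numbers."""
    aces = [m.groupdict() for m in ACE_RE.finditer(text)]
    for ace in aces:
        ace["port"] = PORT_NAMES.get(ace["port"], ace["port"])
    return aces


def first_match(flow, aces):
    """ACLs are first-match: return the first ACE covering the flow's src/dst/dport, or None."""
    for ace in aces:
        if (ace["src"], ace["dst"], ace["port"]) == (flow["src"], flow["dst"], flow["dport"]):
            return ace
    return None


def triage(lines, acl_text):
    """Per denied BGP SYN: (src, dst, interface, name of the ACL that already covers it, or None)."""
    aces = parse_acl(acl_text)
    return [(f["src"], f["dst"], f["iface"], (first_match(f, aces) or {}).get("acl"))
            for f in parse_denies(lines) if f["dport"] == "179" and "SYN" in f["flags"]]
```

A flow reported as covered by BGP-MD5-ACL shows that the class-map would match it, so the deny is not explained by the MPF class missing the flow and the interface ACL is the next thing to check.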