If security policy dictates an extra perimeter of defense in the form of a firewall, but at the same time your network needs to run a dynamic routing protocol such as BGP through it, this is entirely possible; it just requires some extra tweaking.
Let's assume a scenario where two companies merge via external BGP between their respective AS numbers, and the traffic and policy restrictions are physically enforced by a Cisco ASA firewall.
In this situation, since we are dealing with two totally separate subnets, we need to establish L3 reachability first. The next steps can be broken into two approaches, depending on the design:
1. NAT-based, non-MD5-authenticated BGP session. We create a static NAT on the ASA to map the internal eBGP peer's real IP address to a mapped address, and we configure the eBGP session towards the mapped address. It is important to remember that in this case MD5 authentication fails. By default, the ASA randomizes TCP sequence numbers, and the TCP MD5 signature covers those sequence numbers, so they must not be altered in transit. The firewall can be tweaked with additional configuration to stop this, which is one purpose of this lab later on. However, that alone is still not enough: the NAT translation rewrites the IP addresses, which the signature also covers, so the authentication still fails. Therefore option 1 is only viable for non-authenticated BGP sessions, which leads us to option 2.
2. Non-NAT-based, MD5-authenticated BGP session. We create a NAT exemption (identity NAT) that allows the traffic to pass through the ASA without IP address modification. This preserves the authentication sequencing and can also be run over a VPN, but it requires extra NAT manipulation and overhead.
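Why both firewall behaviours break the signature can be shown with a short calculation. The following is an added example, not code from the original post: it computes the RFC 2385 TCP MD5 digest over a constructed BGP segment between the post's two routers, then models the ASA rewriting the source address (the object NAT) and shifting the initial sequence number, and checks whether the receiving router's recomputed digest still matches. The segment contents, the ISN offset and the `through_asa` function are constructed assumptions for illustration, not a reproduction of ASA internals.

```python
# Added example (not from the original post): a minimal RFC 2385 TCP MD5
# signature calculation, used to show why NAT rewriting the IP header and the
# ASA randomising the TCP initial sequence number each invalidate the digest
# that the receiving BGP router recomputes.
import hashlib
import ipaddress
import struct

BGP_PORT = 179
TCP_PROTO = 6
# 20-byte base header + 18-byte MD5 option (kind 19) + 2 NOP bytes = 40 bytes
DATA_OFFSET_WORDS = 10


def tcp_md5_digest(seg: dict, key: bytes) -> bytes:
    """RFC 2385 digest: IPv4 pseudo-header, TCP header without options and with
    a zeroed checksum, the payload, then the shared key."""
    payload = seg["payload"]
    seg_len = DATA_OFFSET_WORDS * 4 + len(payload)
    pseudo = (ipaddress.IPv4Address(seg["src_ip"]).packed
              + ipaddress.IPv4Address(seg["dst_ip"]).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header = struct.pack("!HHIIBBHHH",
                         seg["src_port"], seg["dst_port"],
                         seg["seq"], seg["ack"],
                         DATA_OFFSET_WORDS << 4, seg["flags"],
                         seg["window"],
                         0,   # checksum is zeroed for the digest
                         0)   # urgent pointer
    h = hashlib.md5()
    for part in (pseudo, header, payload, key):
        h.update(part)
    return h.digest()


def through_asa(seg: dict, nat: bool, randomize_isn: bool) -> dict:
    """Constructed model (not ASA code) of what the firewall changes in flight:
    object NAT rewrites the inside source address to the mapped one, and the
    default TCP ISN randomisation shifts the sequence number."""
    out = dict(seg)
    if nat:
        out["src_ip"] = "192.168.2.3"  # mapped address from the post's object NAT
    if randomize_isn:
        out["seq"] = (seg["seq"] + 0x1F2E3D4C) & 0xFFFFFFFF  # arbitrary offset
    return out


def peer_accepts(received: dict, carried_digest: bytes, key: bytes) -> bool:
    """The receiving router recomputes the digest over the segment it sees."""
    return tcp_md5_digest(received, key) == carried_digest


def run_scenarios(key: bytes = b"password") -> dict:
    # Constructed segment from the post's left router (192.168.1.2) towards the
    # right router (192.168.2.2); seq/ack values are arbitrary and the payload
    # is only the start of a BGP OPEN header (marker, length, type).
    original = {
        "src_ip": "192.168.1.2", "dst_ip": "192.168.2.2",
        "src_port": 52090, "dst_port": BGP_PORT,
        "seq": 790103006, "ack": 2133901401,
        "flags": 0x18,  # PSH|ACK
        "window": 16171,
        "payload": b"\xff" * 16 + b"\x00\x1d\x01",
    }
    signed = tcp_md5_digest(original, key)
    cases = {
        "nat_and_random_isn": (True, True),      # option 1 on a default ASA
        "nat_only": (True, False),               # option 1, randomisation disabled
        "random_isn_only": (False, True),        # NAT exempt, ISN still randomised
        "exempt_and_no_random": (False, False),  # option 2 with both tweaks
    }
    return {name: peer_accepts(through_asa(original, nat, rnd), signed, key)
            for name, (nat, rnd) in cases.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {'session authenticates' if ok else 'MD5 check fails'}")
```

Only the last scenario, with neither the addresses nor the sequence number touched, verifies; this is exactly the combination of NAT exemption and `random-sequence-number disable` that the rest of the post builds up to.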
Let’s explore the configuration in more detail.
```
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.2.2 remote-as 65002
 neighbor 192.168.2.2 ebgp-multihop 2
 no auto-summary
```
```
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.2.3 remote-as 65001
 neighbor 192.168.2.3 ebgp-multihop 2
 no auto-summary
```
The local AS 65001 peers with AS 65002. The IP addressing information is taken from the previous article: http://www.4pronetworks.co.uk/blog/ikev2/.
The reason for the multi-hop value of 2 is that the ASA is considered an extra hop in the path. Verification with traceroute is one way to prove it: http://www.4pronetworks.co.uk/blog/asa-traceroute/. The mirrored logic applies to the right router.
```
access-list BGP extended permit tcp any any eq bgp
access-group BGP in interface outside
access-group BGP out interface outside
access-group BGP in interface inside
access-group BGP out interface inside
!
object network 192.168.2.3
 host 192.168.2.3
!
object network 192.168.1.2
 host 192.168.1.2
 nat (inside,outside) static 192.168.2.3
!
ip route 192.168.2.2 255.255.255.255 192.168.1.1
```
First, the ASA requires an access-list permitting BGP TCP traffic. Next, we define a new object NAT that maps the real IP to a spare IP address in the external /24. Finally, on the left router, a route more specific than the default (0.0.0.0/0) is required for the TCP session to establish; otherwise the BGP process throws an error.
```
sh ip bgp summ
BGP router identifier 192.168.1.2, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.2.2     4 65002      39      44        1    0    0 00:00:15        0
```
The ASA tweaks require the following configuration: first a NAT exemption (identity NAT), so the NAT process does not break MD5 authentication, and then the ASA-specific TCP options applied through class and policy maps. Note that `set connection advanced-options BGP` references a tcp-map named BGP, not shown here, which is what lets the TCP MD5 option (kind 19) through the ASA's TCP normalizer:
```
nat (inside,outside) source static 192.168.1.2 192.168.1.2 destination static 192.168.2.2 192.168.2.2 no-proxy-arp route-lookup
!
class-map CM-BGP
 match port tcp eq bgp
!
policy-map global_policy
 class CM-BGP
  set connection random-sequence-number disable
  set connection advanced-options BGP
!
service-policy global_policy global
```
Of course there is no MD5 authentication without configuring it under the BGP process on the routers, so:
```
router bgp 65001
 neighbor 192.168.2.2 password password
```
```
router bgp 65002
 neighbor 192.168.1.2 password password
!
ip route 192.168.1.2 255.255.255.255 192.168.2.1
```
The right router was re-pointed to the real inside IP address, along with the required static route for L3 reachability. One point worth remembering is to avoid static routes that overlap with other local networks; being as specific as possible (/32) is always good design practice.
```
sh ip bgp summ
BGP router identifier 192.168.1.2, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.2.2     4 65002       4       4        1    0    0 00:00:03        0
```
```
sh ip bgp neighbors 192.168.2.2
BGP neighbor is 192.168.2.2,  remote AS 65002, external link
  BGP version 4, remote router ID 192.168.2.2
  BGP state = Established, up for 00:05:02
  Last read 00:00:29, last write 00:00:26, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Enhanced Refresh Capability: advertised and received
    Multisession Capability:
    Stateful switchover support enabled: NO for session 1
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                1          1
    Keepalives:             7          7
    Route Refresh:          0          0
    Total:                  9          9
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session: 192.168.2.2
  BGP table version 1, neighbor version 1/0
  Output queue size : 0
  Index 2, Advertise bit 0
  2 update-group member
  Slow-peer detection is disabled
  Slow-peer split-update-group dynamic is disabled
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          0
    Prefixes Total:                 0          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Total:                                0          0
  Number of NLRIs in the update sent: max 0, min 0
  Last detected as dynamic slow peer: never
  Dynamic slow peer recovered: never
  Refresh Epoch: 1
  Last Sent Refresh Start-of-rib: never
  Last Sent Refresh End-of-rib: never
  Last Received Refresh Start-of-rib: never
  Last Received Refresh End-of-rib: never
                                       Sent       Rcvd
        Refresh activity:              ----       ----
          Refresh Start-of-RIB          0          0
          Refresh End-of-RIB            0          0

  Address tracking is enabled, the RIB does have a route to 192.168.2.2
  Connections established 2; dropped 1
  Last reset 00:05:02, due to User reset of session 1
  External BGP neighbor may be up to 2 hops away.
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled
  TCP session must be opened actively
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Mininum incoming TTL 0, Outgoing TTL 2
Local host: 192.168.1.2, Local port: 52090
Foreign host: 192.168.2.2, Foreign port: 179
Connection tableid (VRF): 0
Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x2143E8):
Timer          Starts    Wakeups            Next
Retrans             9          0             0x0
TimeWait            0          0             0x0
AckHold             7          6             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            1          0        0x25CDE8
DeadWait            0          0             0x0
Linger              0          0             0x0

iss:  790103006  snduna:  790103220  sndnxt:  790103220     sndwnd:  16171
irs: 2133901401  rcvnxt: 2133901615  rcvwnd:      16171  delrcvwnd:    213

SRTT: 210 ms, RTTO: 904 ms, RTV: 694 ms, KRTT: 0 ms
minRTT: 16 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: none
Option Flags: higher precendence, nagle, path mtu capable, md5
Datagrams (max data segment is 1380 bytes):
Rcvd: 16 (out of order: 0), with data: 9, total data bytes: 213
Sent: 17 (retransmit: 0 fastretransmit: 0),with data: 9, total data bytes: 213
```
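The line that actually proves the tweaks worked is `Option Flags: ... md5` in the TCP transport section: an Established session without it would mean the password was never negotiated on the wire. The following is an added example, not code from the original post, that parses the relevant fields out of `show ip bgp neighbors` output and flags a session that is up but not MD5-signed. The sample text is a constructed excerpt modelled on the output shown above; the regexes deliberately accept the "Mininum" spelling that IOS prints.

```python
# Added example (not from the original post): extract the session state and
# TCP option flags from "show ip bgp neighbors" output and confirm that an
# Established BGP session is really carrying the TCP MD5 option.
import re

# Constructed excerpt modelled on the post's output (not a real capture).
SAMPLE_OUTPUT = """\
BGP neighbor is 192.168.2.2,  remote AS 65002, external link
  BGP state = Established, up for 00:05:02
  External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Mininum incoming TTL 0, Outgoing TTL 2
Local host: 192.168.1.2, Local port: 52090
Foreign host: 192.168.2.2, Foreign port: 179
Status Flags: none
Option Flags: higher precendence, nagle, path mtu capable, md5
"""


def parse_neighbor(text: str) -> dict:
    """Pull out the fields needed to judge the session."""
    def grab(pattern, default=None, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1)) if m else default

    flags_line = grab(r"^\s*Option Flags:\s*(.*)$", default="")
    return {
        "neighbor": grab(r"BGP neighbor is (\S+?),"),
        "remote_as": grab(r"remote AS (\d+)", cast=int),
        "state": grab(r"BGP state = (\w+)"),
        "max_hops": grab(r"may be up to (\d+) hops away", cast=int),
        # IOS prints "Mininum" here; accept both spellings.
        "outgoing_ttl": grab(r"Mini[mn]um incoming TTL \d+, Outgoing TTL (\d+)",
                             cast=int),
        "local": (grab(r"Local host: (\S+),"), grab(r"Local port: (\d+)", cast=int)),
        "foreign": (grab(r"Foreign host: (\S+),"),
                    grab(r"Foreign port: (\d+)", cast=int)),
        "tcp_options": {f.strip() for f in flags_line.split(",") if f.strip()},
    }


def md5_session_ok(text: str) -> tuple:
    """Return (ok, problems). ok only when the session is Established and the
    TCP transport reports the md5 option in use."""
    info = parse_neighbor(text)
    problems = []
    if info["state"] != "Established":
        problems.append(f"state is {info['state']}")
    if "md5" not in info["tcp_options"]:
        problems.append("TCP session is not MD5-signed")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = md5_session_ok(SAMPLE_OUTPUT)
    print("OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

Feed it the full command output (for example from a scheduled `show` collection) and alert on anything that is Established but lacks `md5`; that is the condition a misapplied NAT exemption or a peer configured without `neighbor ... password` would produce while the session itself still looks healthy.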