ASA – BGP PASS THROUGH


Design considerations

If security policy dictates an extra perimeter of defense in the form of a firewall, but the network still needs to run a dynamic routing protocol such as BGP across it, that is entirely possible. It does, however, require extra tweaking.

Let's assume a scenario in which two companies merge and connect their respective AS numbers via external BGP, with traffic and policy restrictions physically enforced by a firewall such as a Cisco ASA.

[Figure: BGP via ASA]

 

In this situation, since we are dealing with two entirely separate subnets, we first need to establish L3 reachability. The next steps can be done in one of two ways, depending on the design:

1. NAT-based, non-MD5-authenticated BGP session – we create a static NAT on the ASA that maps an address to the real IP address of the internal eBGP router, and we configure the eBGP session to the mapped address. It is important to remember that MD5 password authentication fails in this case. By default, the ASA randomizes TCP sequence numbers, and these must not be altered in transit for MD5 authentication to succeed. The firewall can be tweaked with additional configuration, which is covered later in this lab. However, that is still not enough: the MD5 digest also covers the IP addresses (RFC 2385), so the NAT on the ASA breaks authentication as well. Option 1 is therefore only viable for non-authenticated BGP sessions, which leads us to option 2.

2. Non-NAT, MD5-authenticated BGP – we create a NAT exemption that lets the traffic pass through the ASA without IP address modification. This should preserve the fields the authentication depends on and can be run over the VPN, but requires extra NAT manipulation and overhead.
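
Why both rewrites break the session, as an added example that is not part of the original post: the TCP MD5 signature (RFC 2385) is computed over the IP pseudo-header, the TCP header without options, the payload and the shared key. The SYN below is constructed from the lab's addresses and ports; the firewall model, the 40-byte header length and all function names are assumptions of this example.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"password"  # the neighbor password used in this lab

def tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window, payload, key):
    """RFC 2385 digest: pseudo-header, TCP header without options
    (checksum zeroed), segment data, then the shared key."""
    hdr_len = 40  # assumption: 20-byte base header + 18-byte MD5 option padded to 20
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, hdr_len + len(payload)))
    off_flags = ((hdr_len // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()

def sign(segment, key=KEY):
    """Sender side: attach the digest the router would carry in TCP option 19."""
    return dict(segment, md5=tcp_md5_digest(key=key, **segment))

def verify(signed, key=KEY):
    """Receiver side: recompute over the fields as they arrived and compare."""
    fields = {k: v for k, v in signed.items() if k != "md5"}
    return hmac.compare_digest(tcp_md5_digest(key=key, **fields), signed["md5"])

def through_firewall(signed, nat_src=None, seq_offset=0):
    """Constructed model of the ASA: optional static NAT of the source
    address and optional sequence-number randomization (a fixed offset here)."""
    out = dict(signed)
    if nat_src:
        out["src"] = nat_src
    out["seq"] = (out["seq"] + seq_offset) & 0xFFFFFFFF
    return out

# Constructed SYN from the left router to its peer (addresses and ports from the lab).
SYN = sign(dict(src="192.168.1.2", dst="192.168.2.2", sport=52090, dport=179,
                seq=790103006, ack=0, flags=0x002, window=16384, payload=b""))

def results():
    return {
        "nat_exempt_no_randomization": verify(through_firewall(SYN)),
        "static_nat_to_192.168.2.3": verify(through_firewall(SYN, nat_src="192.168.2.3")),
        "sequence_randomized": verify(through_firewall(SYN, seq_offset=0x1234ABCD)),
    }

if __name__ == "__main__":
    for case, ok in results().items():
        print(f"{case}: {'digest valid' if ok else 'digest mismatch, segment dropped'}")
```

Only the untouched segment verifies, which is why option 2 needs both the NAT exemption and disabled sequence randomization.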

Let’s explore the configuration in more detail.

 

Option 1

Left router:

router bgp 65001
no synchronization
bgp log-neighbor-changes
neighbor 192.168.2.2 remote-as 65002
neighbor 192.168.2.2 ebgp-multihop 2
no auto-summary

 

Right router:

router bgp 65002
no synchronization
bgp log-neighbor-changes
neighbor 192.168.2.3 remote-as 65001
neighbor 192.168.2.3 ebgp-multihop 2
no auto-summary

The local AS 65001 peers with AS 65002. IP addressing information is derived from the previous article: http://www.4pronetworks.co.uk/blog/ikev2/.

The multi-hop value reflects the fact that the ASA counts as an extra hop in the path. Verification with traceroute is one way to prove it: http://www.4pronetworks.co.uk/blog/asa-traceroute/. The mirrored logic applies to the right router.

 

ASA:

access-list BGP extended permit tcp any any eq bgp 
access-group BGP in interface outside
access-group BGP out interface outside
access-group BGP in interface inside
access-group BGP out interface inside
!
object network 192.168.2.3
host 192.168.2.3
!
object network 192.168.1.2 
host 192.168.1.2
nat (inside,outside) static 192.168.2.3
!
! On the left router (IOS syntax), not the ASA: host route to the eBGP peer
ip route 192.168.2.2 255.255.255.255 192.168.1.1

First, the ASA requires an access list that allows BGP traffic (TCP port 179). Next, we define a new object NAT that maps the real IP to a spare IP address in the external /24. Finally, a route more specific than the default 0.0.0.0 is required for the TCP session to establish; otherwise the BGP process will throw an error.

 

Testing:

sh ip bgp summ
BGP router identifier 192.168.1.2, local AS number 65001 
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.2.2 4 65002 39 44 1 0 0 00:00:15 0

 

[Figure: Wireshark capture representing the BGP session establishment stages]

 

Option 2

The ASA requires the following configuration: first a NAT exemption, so that NAT does not break MD5 authentication, and then the ASA-specific TCP options and class/policy maps:

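nat (inside,outside) source static 192.168.1.2 192.168.1.2 destination static 192.168.2.2 192.168.2.2 no-proxy-arp route-lookup
!
! tcp-map named BGP, referenced by "advanced-options BGP" below: allow TCP option 19
! (MD5 signature) through the ASA; the exact tcp-options syntax varies by ASA release
tcp-map BGP
 tcp-options range 19 19 allow
!
class-map CM-BGP
 match port tcp eq bgp
!
! Keep the routers' own sequence numbers so the MD5 digest still matches
policy-map global_policy
 class CM-BGP
  set connection random-sequence-number disable
  set connection advanced-options BGP
!
service-policy global_policy global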

 

Of course, there is no MD5 authentication without configuring it under the BGP process on the routers, so:

Left router:

router bgp 65001
neighbor 192.168.2.2 password password

 

Right router:

router bgp 65002
neighbor 192.168.1.2 password password
!
ip route 192.168.1.2 255.255.255.255 192.168.2.1

The right router was re-pointed to the real inside IP address and given the static route required for L3 reachability. A point worth remembering is to avoid static routes that overlap with other local networks. Being as specific as possible (/32) is always good design practice.

 

Final testing:

sh ip bgp summ
BGP router identifier 192.168.1.2, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.2.2 4 65002 4 4 1 0 0 00:00:03 0

sh ip bgp neighbors 192.168.2.2
BGP neighbor is 192.168.2.2, remote AS 65002, external link
BGP version 4, remote router ID 192.168.2.2
BGP state = Established, up for 00:05:02
Last read 00:00:29, last write 00:00:26, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Enhanced Refresh Capability: advertised and received
Multisession Capability:
Stateful switchover support enabled: NO for session 1
Message statistics:
InQ depth is 0
OutQ depth is 0

Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 1 1
Keepalives: 7 7
Route Refresh: 0 0
Total: 9 9
Default minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast
Session: 192.168.2.2
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 2, Advertise bit 0
2 update-group member
Slow-peer detection is disabled
Slow-peer split-update-group dynamic is disabled
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0

Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Last detected as dynamic slow peer: never
Dynamic slow peer recovered: never
Refresh Epoch: 1
Last Sent Refresh Start-of-rib: never
Last Sent Refresh End-of-rib: never
Last Received Refresh Start-of-rib: never
Last Received Refresh End-of-rib: never
Sent Rcvd
Refresh activity: ---- ----
Refresh Start-of-RIB 0 0
Refresh End-of-RIB 0 0

Address tracking is enabled, the RIB does have a route to 192.168.2.2
Connections established 2; dropped 1
Last reset 00:05:02, due to User reset of session 1
External BGP neighbor may be up to 2 hops away.
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
TCP session must be opened actively
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Mininum incoming TTL 0, Outgoing TTL 2
Local host: 192.168.1.2, Local port: 52090
 Foreign host: 192.168.2.2, Foreign port: 179
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x2143E8):
Timer Starts Wakeups Next
Retrans 9 0 0x0
TimeWait 0 0 0x0
AckHold 7 6 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 1 0 0x25CDE8
DeadWait 0 0 0x0
Linger 0 0 0x0

iss: 790103006 snduna: 790103220 sndnxt: 790103220 sndwnd: 16171
irs: 2133901401 rcvnxt: 2133901615 rcvwnd: 16171 delrcvwnd: 213

SRTT: 210 ms, RTTO: 904 ms, RTV: 694 ms, KRTT: 0 ms
minRTT: 16 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: none
Option Flags: higher precendence, nagle, path mtu capable, md5

Datagrams (max data segment is 1380 bytes):
Rcvd: 16 (out of order: 0), with data: 9, total data bytes: 213
Sent: 17 (retransmit: 0 fastretransmit: 0),with data: 9, total data bytes: 213