Networks Training

  • About
  • My Books
  • SUGGESTED TRAINING
  • HOME
  • Cisco Networking
    • Cisco General
    • Cisco IOS
    • Cisco VPN
    • Cisco Wireless
  • Cisco ASA
    • Cisco ASA General
    • Cisco ASA Firewall Configuration
  • Certifications Training
    • CCNA Training
    • Cisco Certifications
    • I.T Training
  • General
    • General Networking
    • IP Telephony
    • Network Security
    • Product Reviews
    • Software
  • Cisco Routers
  • Cisco Switches
You are here: Home / Cisco ASA Firewall Configuration / How to Pass BGP Sessions through Cisco ASA Firewall (BGP Pass Through)

How to Pass BGP Sessions through Cisco ASA Firewall (BGP Pass Through)

Written By Harris Andrea

The following article describes the proper way to allow BGP sessions between two routers to pass through a Cisco ASA firewall appliance.

Especially if the BGP configuration between the two routers uses MD5 authentication (which is a good security practice), you need some special “treatment” on this session in order to pass it successfully through an ASA device.

By default, the Cisco ASA does TCP Sequence Number Randomization to every session passing through it.

Also, the ASA will strip TCP option 19 by default. This TCP option (defined by RFC 2385) is a TCP extension to enhance security for BGP when using MD5 authentication.

The two actions above will cause problems to a BGP session when passing through the ASA and therefore we need to disable them.

bgp through asa

From the diagram above, first we need to match the BGP traffic between R1 and R2 using an Access Control List.

Then we must create a TCP Map that allows TCP Option 19 and also disable the TCP Sequence Number Randomization for this specific BGP traffic class.

MORE READING:  ASA Firewall NAT Control Feature

Step1:

Match the BGP traffic with an ACL:

access-list bgp-traffic extended permit tcp host 10.1.1.1 host 10.2.2.2 eq bgp
access-list bgp-traffic extended permit tcp host 10.2.2.2 host 10.1.1.1 eq bgp

Step2:

Allow TCP option 19 with a TCP Map.

tcp-map ALLOW-TCP-19
   tcp-options range 19 19 allow

Step3:

Create a class map to match the BGP Traffic using the ACL above.

class-map BGP-CLASS
     match access-list bgp-traffic

Step4:

Use the Global Policy to apply all the actions:

policy-map global_policy
class BGP-CLASS
  set connection random-sequence-number disable
  set connection advanced-options ALLOW-TCP-19

What is TCP Option 19

This is a TCP extension used to carry an MD5 digest in a TCP segment, thus allowing BGP to work securely with MD5 and enhance its security.

The Cisco ASA firewall removes this TCP option from packets thus creates a problem in BGP sessions between two end-points that use MD5 authentication in BGP.

Related Posts

  • Prevent Spoofing Attacks on Cisco ASA using RPF
  • Configuring Connection Limits on Cisco ASA Firewalls – Protect from DoS
  • Configuring AAA Authentication-Authorization-Accounting on Cisco ASA Firewall (TACACS+, RADIUS)
  • Cisco ASA Firewall Management Interface Configuration (with Example)
  • How to Configure Access Control Lists on a Cisco ASA 5500/5500-X Firewall (with Examples)

Filed Under: Cisco ASA Firewall Configuration

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search this site

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Search

BLOGROLL

Tech21Century
Firewall.cx

Copyright © 2023 | Privacy Policy | Terms and Conditions | Hire Me | Contact | Amazon Disclaimer | Delivery Policy

0 shares