Solved

Problem with ASA connection

Posted on 2010-09-20
649 Views
Last Modified: 2012-05-10
Hi,
   I am having an issue with a new installation of an ASA 5520. My outside routers
are running BGP. The BGP traffic from my outside routers goes through my production firewall to the VLAN hosting the routers to the DR site, then out to the DR site to the DR routers, which are part of the BGP process. So basically the BGP protocol traffic goes through the production firewall, and I am getting the following error.

The traffic is being blocked:

2              Sep 20 2010      10:21:34      106001      192.63.0.2      11271      192.63.128.2      179      Inbound TCP connection denied from 192.63.0.2/11271 to 192.63.128.2/179 flags SYN  on interface OUTSIDE

Looks to me like a simple allow rule. I have gone as far as allowing ip any any on the outside interface; still not working.

Any ideas? If I do not get them up soon I am going to have to roll back, so any help would be greatly appreciated.

Thanks,
Question by:BarepAssets
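As an added example (not part of the original question, and not a Cisco tool), here is a small parser that pulls 106001 denials like the one above out of plain ASA syslog text, flags the ones that involve TCP/179, and emits the interface ACL lines that would permit each denied peer pair in the same syntax the thread uses. The log text inside it is constructed: the first line is the denial from the question rendered as syslog, the rest are made up, as are the hostname fw01 and the ACL name OUTSIDE_IN.

```python
"""Find denied BGP session attempts in ASA %ASA-x-106001 syslog messages.

Added example, not from the original thread. SAMPLE_LOG is constructed:
line 1 is the denial from the question in syslog form, the others are made up.
"""
import re
from collections import Counter

BGP_PORT = 179

# %ASA-2-106001: Inbound TCP connection denied from A/p to B/q flags SYN  on interface X
DENIED_106001 = re.compile(
    r"%ASA-\d-106001: Inbound TCP connection denied from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

SAMPLE_LOG = """\
Sep 20 2010 10:21:34 fw01 %ASA-2-106001: Inbound TCP connection denied from 192.63.0.2/11271 to 192.63.128.2/179 flags SYN  on interface OUTSIDE
Sep 20 2010 10:21:37 fw01 %ASA-2-106001: Inbound TCP connection denied from 192.63.0.3/40112 to 192.63.128.2/179 flags SYN  on interface OUTSIDE
Sep 20 2010 10:21:40 fw01 %ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/5567 to 192.63.128.9/22 flags SYN  on interface OUTSIDE
Sep 20 2010 10:21:41 fw01 %ASA-6-302013: Built outbound TCP connection 12 for INSIDE:10.0.0.5/5000 (10.0.0.5/5000) to OUTSIDE:192.63.0.2/80 (192.63.0.2/80)
"""


def parse_106001(line):
    """Return the fields of a 106001 denial as a dict, or None for any other message."""
    m = DENIED_106001.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["flags"] = rec["flags"].split()  # e.g. ["SYN"] or ["SYN", "ACK"]
    return rec


def denied_bgp_peers(log_text):
    """Count denied connections where either end is TCP/179, keyed by (src, dst, interface).

    A denied bare SYN on 179 means the BGP session never got past the handshake,
    which is what an interface ACL (or a same-security-level policy) blocking it looks like.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_106001(line)
        if rec and BGP_PORT in (rec["src_port"], rec["dst_port"]):
            hits[(rec["src_ip"], rec["dst_ip"], rec["iface"])] += 1
    return hits


def suggest_permits(hits, acl_name):
    """Emit one 'permit tcp host A host B eq bgp' line per denied peer pair, in the
    ASA extended-ACL syntax used in the thread. acl_name is the caller's choice."""
    return [
        f"access-list {acl_name} extended permit tcp host {src} host {dst} eq bgp"
        for (src, dst, _iface) in sorted(hits)
    ]


if __name__ == "__main__":
    peers = denied_bgp_peers(SAMPLE_LOG)
    for (src, dst, iface), n in peers.items():
        print(f"{n}x denied BGP {src} -> {dst} on {iface}")
    print("\n".join(suggest_permits(peers, "OUTSIDE_IN")))
```

Note that a permit generated this way only addresses the interface ACL; as the rest of the thread shows, a session between two interfaces at the same security level, or one using TCP MD5 through a firewall that rewrites sequence numbers, still fails.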
5 Comments
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 33715109
You need to take a look at http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml.

You have to explicitly permit tcp 179 from the outside, but if you're doing MD5 it gets more complicated, and
you also have to disable the random sequencing of the BGP connection.  In older code you did this by using the "norandomseq" parameter on a static NAT config:

static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255 norandomseq

With ASA 7.x code and later, you handle this a different way, shown at the bottom of the link I sent you.
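To show why sequence-number randomization (and NAT) breaks TCP MD5, the following added example, which is not from the thread and not Cisco code, computes the RFC 2385 signature that BGP carries in TCP option kind 19 and checks it the way a receiving router would. The shared key, sequence numbers and the 203.0.113.10 NAT address are made up; the 5-tuple is taken from the denied-connection log line in the question.

```python
"""RFC 2385 TCP MD5 signature: why a firewall that rewrites the sequence number
(or an address/port) breaks BGP MD5, and what option kind 19 looks like on the wire.

Added example, not from the original thread. Key, sequence numbers and the NAT
address are constructed; the 5-tuple comes from the log line in the question.
"""
import hashlib
import hmac
import socket
import struct

TCP_MD5_OPTION_KIND = 19   # the option kind that "tcp-options range 19 19 allow" lets through
TCP_MD5_OPTION_LEN = 18    # kind(1) + length(1) + 16-byte MD5 digest
TCP_SYN = 0x02


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window, payload, key):
    """RFC 2385 section 2.0: MD5 over the IP pseudo-header, the fixed 20-byte TCP header
    (options excluded, checksum forced to zero), the segment data, and the key."""
    data_offset_words = 10  # 20-byte base header + 20 bytes of options (MD5 option + 2 NOPs)
    seg_len = data_offset_words * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                            data_offset_words << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + fixed_hdr + payload + key).digest()


def build_md5_option(digest):
    """Encode the digest as TCP option kind 19, padded with two NOPs to a 32-bit boundary."""
    return bytes([TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN]) + digest + b"\x01\x01"


def parse_tcp_options(options):
    """Walk a TCP option list and return {kind: value}. Kind 0 = end of list, 1 = NOP."""
    found = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option")
        found[kind] = options[i + 2:i + length]
        i += length
    return found


def verify_segment(seg, options, key):
    """Receiver side: recompute the digest over the segment *as received* and compare
    it, in constant time, with the kind-19 option the sender attached."""
    opts = parse_tcp_options(options)
    if TCP_MD5_OPTION_KIND not in opts:
        return False
    expected = tcp_md5_digest(key=key, **seg)
    return hmac.compare_digest(expected, opts[TCP_MD5_OPTION_KIND])


def demo():
    key = b"bgp-secret"  # constructed shared secret
    # Constructed BGP SYN using the log line's 5-tuple: 192.63.0.2/11271 -> 192.63.128.2/179.
    syn = dict(src_ip="192.63.0.2", dst_ip="192.63.128.2", src_port=11271, dst_port=179,
               seq=0x1A2B3C4D, ack=0, flags=TCP_SYN, window=16384, payload=b"")
    options = build_md5_option(tcp_md5_digest(key=key, **syn))

    # Untouched path: the peer recomputes the same digest and accepts the SYN.
    untouched_ok = verify_segment(syn, options, key)

    # Firewall with sequence-number randomization: the ISN is shifted by a (here made-up)
    # offset, but the option bytes pass through unchanged, so the digest no longer matches.
    randomized = dict(syn, seq=(syn["seq"] + 0x5EADBEEF) & 0xFFFFFFFF)
    randomized_ok = verify_segment(randomized, options, key)

    # Same failure if NAT/PAT rewrites an address or port: both are in the pseudo-header/header.
    natted = dict(syn, src_ip="203.0.113.10")
    natted_ok = verify_segment(natted, options, key)
    return untouched_ok, randomized_ok, natted_ok


if __name__ == "__main__":
    print(demo())  # -> (True, False, False)
```

The receiving router silently drops segments whose digest fails, so the symptom of a firewall that still randomizes sequence numbers is a BGP session that never leaves Connect/Active rather than an explicit error; that is why the accepted answer pairs the TCP/179 permit with disabling randomization and allowing option 19.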

Author Comment

by:BarepAssets
ID: 33716915
Thanks jmeggers.

I have tried the above; still not working. The following is the code I have successfully put into the config of the ASA. I am on IOS 8.3.2(1):

access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.3 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.128.2 host 192.63.0.2 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.0.2 host 192.63.128.2 eq bgp
access-list BGP-MD5-ACL extended permit tcp host 192.63.0.3 host 192.63.128.2 eq bgp
!
tcp-map BGP-MD5-OPTION-ALLOW
  tcp-options range 19 19 allow


class-map CLASS-BGP-MD5
 match access-list BGP-MD5-ACL
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
 class CLASS-BGP-MD5
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5-OPTION-ALLOW
!
service-policy global_policy global

The access-list allowing it on the outside interface has also been put in.
LVL 18

Expert Comment

by:jmeggers
ID: 33721366
Unfortunately I haven't worked with 8.3 code yet, so I'm at a disadvantage here. I know 8.3 introduced changes in how NAT is handled, but from the config you show, it looks like you're not doing NAT.  Can I assume the ASA is in routed (layer 3) mode?  I have to go now, will try to find some more pointers on troubleshooting when I get back.

Author Comment

by:BarepAssets
ID: 33721433
Cheers jmeggers, I resolved the 2nd part of it. Basically it was same-security interface: we have an additional VLAN connected to the firewall with the router to the DR site, and these were set to the same security level. I will give you the full points, as I think I would have run into issues not having added the BGP MD5 policy map anyway. I think it was a two-fold solution. Yes, NAT has changed loads :( I found this part of the upgrade the hardest; just trying to get used to the new NAT, it will just take some getting used to. Thanks again for your help.
LVL 18

Expert Comment

by:jmeggers
ID: 33723794
That's a perfect example of why attaching only portions of the config doesn't always help.  I probably wouldn't have thought to ask that question unless I could see all the configuration.  Good job on solving the problem, though.