CCIE - Internetwork Expert's Online Community

Latest post 11-12-2008 1:43 PM by Ahriakin. 5 replies.
  • 11-06-2008 8:47 AM

    • karthikk
    • Top 200 Contributor
    • Joined on 10-28-2008
    • Posts 9
    • Points 120

    BGP peering through the ASA

    Hello,

    I was reading this document about configuring BGP peering between two routers through an ASA, and in that document it says that the IP addresses on devices running BGP should not be NAT'ed. Yet in other places I have read that it can be NAT'ed. What is the correct option, and how would you deal with a situation where only one public IP address is available and BGP peering needs to be set up? The examples in the Cisco link translate the inside IP to itself.

    http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml

    Thanks for your help.

    Karthik

  • 11-06-2008 9:04 AM In reply to

    Re: BGP peering through the ASA

    Technically, there are two scenarios here:

    1) BGP session with MD5 authentication. You can use static NAT that preserves the source IP address and additionally does not randomize TCP sequence numbers. This is due to the MD5 authentication option in the TCP header.

    2) BGP session w/o authentication. You can change the source IP address using static NAT, but this would require changing the BGP next-hop with a route-map on the remote endpoint. Though this is a possible scenario, it is usually not needed/recommended, for BGP peering sessions on the network boundary commonly use routable IP addresses.

    HTH

    Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
    petr@internetworkexpert.com

    InternetworkExpert Inc.
    http://www.internetworkexpert.com

  • 11-06-2008 10:23 AM In reply to

    • karthikk
    • Top 200 Contributor
    • Joined on 10-28-2008
    • Posts 9
    • Points 120

    Re: BGP peering through the ASA

    Thanks Petr. So you are saying that in a case where there is no option but to NAT, then use the static command with the norandomseq keyword. Therefore in a situation where the internal BGP peer IP address has to be translated to the interface IP address of the ASA I would use the above and it should work, yeah?

    I will test this out also.

    An additional question... when we create the CLASS in the policy map we use the option "set connection random-sequence-number disable". Is this related only to TCP option 19 (MD5 Authentication), or does this make the norandomseq command used in the static command redundant?

    Thanks again for your reply.

  • 11-11-2008 1:12 PM In reply to

    • Ahriakin
    • Top 150 Contributor
    • Joined on 09-21-2008
    • Posts 9
    • Points 75

    Re: BGP peering through the ASA

    From the first question I think what Petr is saying is that NAT, randomisation and clearing option 19 are only destructive factors (besides the change in config you need for BGP peer addresses) when authentication is involved, as the peer IP, sequence number and option 19 itself are all involved in the MD5 hash process. So you can NAT when auth. is not involved and you don't need to disable sequence randomization, but when it is enabled you can't. I could be wrong on this but that is my understanding of it.

    Your class is matching BGP itself and not the TCP-MAP, so (to my understanding anyway) the policy, incl. disabling randomisation, is applied to all BGP traffic passing through the device. So you don't need to set it in your NAT options for the host, as all you are really interested in preserving here are the details on the BGP packets.

  • 11-12-2008 5:43 AM In reply to

    • karthikk
    • Top 200 Contributor
    • Joined on 10-28-2008
    • Posts 9
    • Points 120

    Re: BGP peering through the ASA

    Thanks for the reply Ahriakin. I set it up and it works exactly as the Cisco document suggests. Petr and you are right in saying that neither the TCP map nor randomisation is required when no authentication is involved, but all of the above is required when MD5 is involved.

    However, what happens if you have a situation when MD5 needs to be used and only one public IP is available? Do we simply say in a real-life situation that it is not possible to do this (because of the inability to NAT)?

    Just curious. I got the BGP peering to work with and without MD5 as per the Cisco document.

  • 11-12-2008 1:43 PM In reply to

    • Ahriakin
    • Top 150 Contributor
    • Joined on 09-21-2008
    • Posts 9
    • Points 75

    Re: BGP peering through the ASA

    I'm pretty sure in that situation you are indeed hosed; no way around the address being part of that MD5 hash. The only other workaround I can think of would be VPN'ing between the peer segments, but that's obviously of limited use, and then of no use at all when trying to connect with a public peer. But I'm only speaking from theory here, so maybe someone out there has a Ninja trick to get around it.
