Question:
I'm having an issue setting up an eBGP peering through an ASA in GNS3 (implementing this on my production equipment in the near future) and can't seem to figure out the problem. If I connect these two routers through the ASA, the peering fails. If I connect the two routers directly and change the static routes to point to the new next hops, it works. So I'm inclined to think my ASA is preventing the BGP connection from establishing. There are some additional configuration items in the configs below that aren't necessarily pertinent to this problem, as the ultimate goal for this project is to set up BGP over GRE over IPsec using a 6500 & ASA on my end, and a router on their end (presumably using VTI IPsec protection profiles), but I'm just starting off with getting the BGP peering up. And I'm not even totally sure if I'm doing that properly (or if this is possible).
Unfortunately it's been a little while since I've worked with these technologies and I'm a bit lost.
Topology: R1 -------------------- ASA -------------------------- R2
Router1#sh run
Building configuration...
Current configuration : 1788 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 critical
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name lab.local
!
interface Loopback0
ip address 10.217.81.25 255.255.255.248
!
interface Tunnel1
description GRE-TUNNEL-1
ip address 192.168.101.10 255.255.255.252
tunnel source Loopback0
tunnel destination 10.174.171.12
!
interface FastEthernet0/0
ip address 10.217.81.22 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.2.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
!
router bgp 2
no synchronization
bgp log-neighbor-changes
network 10.2.2.0 mask 255.255.255.0
neighbor 10.174.171.12 remote-as 1
neighbor 10.174.171.12 ebgp-multihop 25
neighbor 10.174.171.12 update-source Loopback0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.217.81.17
ip route 10.174.171.0 255.255.255.0 10.217.81.17
!
!
no ip http server
no ip http secure-server
!
ip access-list standard BGP-ROUTES
permit 0.0.0.0
!
!
route-map BGP-ROUTES permit 10
match ip address BGP-ROUTES
!
<omitted>
!
!
end
---------------
ASA# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 10.217.81.17 255.255.255.248
!
<omitted>
!
interface GigabitEthernet5
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
object network VPN-DYNAMIC-HOSTS
subnet 10.251.0.0 255.255.240.0
object network VPN-STATIC-HOSTS
subnet 10.251.4.0 255.255.255.0
object network obj-10.217.81.25-32
host 10.217.81.25
description Catalyst 6513 Loopback0
object network obj-10.174.171.12-32
host 10.174.171.12
description ISP
access-list VPN-ACL extended permit ip any 10.251.0.0 255.255.240.0
access-list VPN-ACL extended permit tcp host 10.217.81.25 host 10.174.171.13 eq bgp
access-list VPN-ACL extended permit tcp host 10.217.81.25 host 10.174.171.12 eq bgp
access-list VPN-ACL extended permit ip any 10.251.4.0 255.255.255.0
access-list inside-out extended permit tcp any host 10.174.171.12 eq bgp
access-list inside-out extended permit ip any any
access-list outside-acl extended permit ip any any
!
tcp-map OPTION-19
tcp-options range 19 19 allow
!
pager lines 24
logging enable
logging buffer-size 10240
logging buffered critical
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside-acl out interface inside
access-group inside-out out interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 10.2.2.0 255.255.255.0 10.217.81.22 1
route outside 10.174.171.0 255.255.255.0 10.1.1.2 1
route inside 10.217.80.0 255.255.248.0 10.217.81.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN-TSET esp-aes-256 esp-sha-hmac
crypto map outside_map 19 match address VPN-ACL
crypto map outside_map 19 set peer 10.174.171.12
crypto map outside_map 19 set ikev1 transform-set VPN-TSET
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.174.171.12 type ipsec-l2l
tunnel-group 10.174.171.12 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map BGP
match port tcp eq bgp
class-map INSPECT
match any
!
!
policy-map INSPECT
class INSPECT
inspect icmp
class BGP
set connection random-sequence-number disable
set connection advanced-options OPTION-19
!
service-policy INSPECT global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:75f708fe7b6e1e46a7430d709c10b69a
: end
----------------------------
R2#sh run
Building configuration...
Current configuration : 1843 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 critical
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
crypto keyring kr1
pre-shared-key address 10.217.81.17 key cisco
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
crypto isakmp profile ikp1
keyring kr1
match identity address 10.217.81.17 255.255.255.255
!
!
crypto ipsec transform-set ts1 esp-aes esp-sha-hmac
!
crypto ipsec profile ip1
set transform-set ts1
set isakmp-profile ikp1
!
!
!
!
!
interface Loopback0
ip address 10.174.171.12 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
ip address 192.168.101.9 255.255.255.252
tunnel source Loopback0
tunnel destination 10.217.81.25
tunnel protection ipsec profile ip1
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.3.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 10.3.3.0 mask 255.255.255.0
neighbor 10.217.81.25 remote-as 2
neighbor 10.217.81.25 ebgp-multihop 25
neighbor 10.217.81.25 update-source Loopback0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.217.81.0 255.255.255.0 10.1.1.1
!
!
no ip http server
no ip http secure-server
!
<omitted>
end
-------------
I have been fiddling with the ACLs and some other things, but a syslog message that I'm getting on both ends looks like this (with different IPs based on the router):
*Mar 2 04:50:52.556: BGP: 10.217.81.25 open failed: Connection timed out; remote host not responding, open active delayed 32705ms (35000ms max, 28% jitter)
Answer:
There is a lot to look through here. But one of the things I am noticing is that the ASA is doing an inspect on BGP and I wonder if that is the issue. As a test, would you be able to remove the inspect for BGP from the ASA?
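As an added example (not part of the original question or answer), here is a small Python model of the ASA's routing and access policy exactly as posted, used to check how each direction of the loopback-to-loopback BGP TCP session would be handled before touching inspection. Interface names, routes, ACLs and access-group bindings are copied from the ASA config above; the security-level default (no inbound ACL means only higher-to-lower-security traffic is forwarded) is standard ASA behaviour, and the crypto map and BGP inspection class are deliberately left out of the model.

```python
# Added example, not part of the original post: a minimal model of the ASA
# policy quoted above (static routes, ACLs, access-groups, security levels),
# used to check how each direction of the loopback-to-loopback BGP session is
# handled. It deliberately ignores the crypto map and the BGP inspection class.
import ipaddress

SEC_LEVEL = {"inside": 100, "outside": 0}
# Static routes from the posted ASA config: prefix -> egress interface
ROUTES = {
    "0.0.0.0/0": "outside",
    "10.2.2.0/24": "inside",
    "10.174.171.0/24": "outside",
    "10.217.80.0/21": "inside",
}
# ACL entries from the posted config: (proto, src, dst, dst_port or None)
ACLS = {
    "inside-out": [("tcp", "any", "10.174.171.12/32", 179), ("ip", "any", "any", None)],
    "outside-acl": [("ip", "any", "any", None)],
}
# access-group bindings from the posted config: (interface, direction) -> ACL
ACCESS_GROUPS = {("inside", "out"): "outside-acl", ("outside", "out"): "inside-out"}

def egress_interface(dst):
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(dst)
    matches = [p for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)]

def acl_permits(name, proto, src, dst, dport):
    def in_net(addr, spec):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    return any(ep in ("ip", proto) and in_net(src, es) and in_net(dst, ed)
               and (pt is None or pt == dport) for ep, es, ed, pt in ACLS[name])

def check_flow(ingress, src, dst, dport, proto="tcp"):
    """Return (verdict, egress interface) for a new connection entering `ingress`."""
    egress = egress_interface(dst)
    inbound = ACCESS_GROUPS.get((ingress, "in"))
    if inbound is not None:
        if not acl_permits(inbound, proto, src, dst, dport):
            return ("denied by inbound ACL %s on %s" % (inbound, ingress), egress)
    # With no inbound ACL the ASA forwards only from a higher- to a lower-security
    # interface, so new connections arriving on outside (0) bound for inside (100) drop.
    elif SEC_LEVEL[ingress] <= SEC_LEVEL[egress]:
        return ("denied: no inbound ACL on %s (level %d -> %d)"
                % (ingress, SEC_LEVEL[ingress], SEC_LEVEL[egress]), egress)
    outbound = ACCESS_GROUPS.get((egress, "out"))
    if outbound is not None and not acl_permits(outbound, proto, src, dst, dport):
        return ("denied by outbound ACL %s on %s" % (outbound, egress), egress)
    return ("permitted", egress)
```

Under this model `check_flow("inside", "10.217.81.25", "10.174.171.12", 179)` returns `("permitted", "outside")`, while the same session attempted from R2 (ingress `outside`) is denied because no ACL is bound inbound on the outside interface. Since BGP needs only one of the two TCP connection attempts to succeed, that asymmetry by itself does not explain the failure, which is why the inspection class is the next thing worth testing.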