Just last week I saw a case where TCP port 179 was open to the remote
peer, but no other ports, including those above 1024.  This created a
situation where one side was initiating the session and the other side,
seeing the attempt to start a session, would promptly answer.  The
answer would be blocked and the session never came up.  Only when the
peer was cleared on the remote side and *that* side tried to initiate
the session would it come up correctly.

To alleviate the problem, I added a "permit ip established" to the access list.  This would allow the
remote side to successfully answer the local router's attempt to start a
session.

In a roundabout way, that is at least a little bit relevant to your
situation.  

HTH,
John
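The one-way peering John describes above (only tcp/179 permitted inbound, so the remote side's answer to a locally initiated session is dropped) and the ephemeral-port-to-179 session Alan describes in the quoted message below, modelled as a stateless ACL in Python. This is an added illustration, not configuration from the thread; the addresses, ports and ACL evaluation model are constructed, and `established` is modelled the way IOS extended ACLs document it: match only when the ACK or RST bit is set.

```python
"""Stateless ACL model of a BGP peering through a packet filter.

Added example, not from the thread. Addresses are documentation prefixes
(constructed); the `established` keyword is modelled as "ACK or RST set".
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: set = field(default_factory=set)   # subset of {"SYN","ACK","RST","FIN"}


@dataclass
class Ace:
    """One access-list entry (constructed subset of extended ACL syntax)."""
    action: str                  # "permit" or "deny"
    dst: Optional[str] = None    # None means "any" destination host
    dport: Optional[int] = None  # None means any destination port
    established: bool = False    # match only packets with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


LOCAL, REMOTE = "192.0.2.1", "198.51.100.1"   # constructed peer addresses
EPHEMERAL = 49152                              # arbitrary port above 1024

# ACL applied inbound on the local router's interface facing the peer.
ACL_179_ONLY = [Ace("permit", dst=LOCAL, dport=179)]
ACL_WITH_ESTABLISHED = [
    Ace("permit", dst=LOCAL, dport=179),
    Ace("permit", dst=LOCAL, established=True),
]


def handshake_completes(acl: list, local_initiates: bool) -> bool:
    """Does the inbound packet the local filter must pass survive the ACL?"""
    if local_initiates:
        # Local sends SYN from EPHEMERAL to remote:179 (outbound, not filtered
        # here). The reply the filter sees inbound is SYN-ACK from 179 to
        # the ephemeral port, which a "port 179 only" rule never matches.
        reply = Packet(REMOTE, LOCAL, 179, EPHEMERAL, {"SYN", "ACK"})
        return evaluate(acl, reply) == "permit"
    # Remote initiates: the inbound SYN is addressed to local:179 and matches.
    syn = Packet(REMOTE, LOCAL, EPHEMERAL, 179, {"SYN"})
    return evaluate(acl, syn) == "permit"


def new_inbound_syn_blocked(acl: list) -> bool:
    """A fresh SYN to some other local port is still denied with `established`."""
    probe = Packet(REMOTE, LOCAL, 40000, 23, {"SYN"})
    return evaluate(acl, probe) == "deny"


def established_is_only_a_flag_check(acl: list) -> bool:
    """Caveat: `established` keeps no state; any ACK-flagged packet to a
    permitted host passes, which is why a stateful firewall is preferable."""
    stray_ack = Packet(REMOTE, LOCAL, 40000, 23, {"ACK"})
    return evaluate(acl, stray_ack) == "permit"


if __name__ == "__main__":
    for name, acl in (("179 only", ACL_179_ONLY), ("with established", ACL_WITH_ESTABLISHED)):
        print(f"{name}: local initiates -> {handshake_completes(acl, True)}, "
              f"remote initiates -> {handshake_completes(acl, False)}")
```

With the first ACL the session only comes up when the remote side initiates, exactly the symptom in the thread; the second entry lets the SYN-ACK back in while still refusing unsolicited SYNs. The last function shows the limit of the fix: `established` checks TCP flag bits, not connection state.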

>>> "W. Alan Robertson"  7/30/01 7:35:40 PM >>>
John,

Not to the best of my knowledge...  The way I understand it, after
you've got each router configured, they will each periodically attempt
to bring up the session.  This session is like any other normal TCP
session.

The initiator uses an arbitrary port above 1024 to originate, and
attempts to connect to the other router on well-known port 179.  All
traffic will flow across this connection.

Alan

----- Original Message -----
From: "John Abruzzese" 
To: "W. Alan Robertson" ;

Sent: Tuesday, July 31, 2001 3:04 AM
Subject: Re: BGP, TCP, & Firewalls [7:14286]


> Alan,
>
> When trying to connect to a peer using eBGP don't both routers have
> to allow port 179 inbound to complete the BGP synchronization process
> before 2 eBGP speakers can talk? Like the notification process etc.? Just
> wondering.
>
> John
>
> ----- Original Message -----
> From: "W. Alan Robertson" 
> To: 
> Sent: Monday, July 30, 2001 4:53 PM
> Subject: Re: BGP, TCP, & Firewalls [7:14286]
>
>
> > Yes, you need to allow TCP port 179 outbound...  This way, only
> > your internal BGP speaker will be allowed to initiate the connection,
> > and external probes inbound on 179 will fail (No need to let those
> > nasty hackers know that you're running BGP through the firewall, right?).
> >
> > Alan
> >
> > ----- Original Message -----
> > From: "Circusnuts"
> > To:
> > Sent: Monday, July 30, 2001 7:14 PM
> > Subject: BGP, TCP, & Firewalls [7:14286]
> >
> >
> > > I'm surveying a project I have been slated for @ work & I was
> > > wondering if the BGP gurus could help clear up a question.  If I were
> > > to run internal BGP & external BGP, am I forced to leave a TCP port
> > > open in the firewall ???
> > >
> > > I had not an answer when the customer asked me this  :-P
> > >
> > > Thanks
> > > Phil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=14314&t=14286