What is a good first test to see if BGP will work across the firewall?

Two routers configured to run BGP have been connected to a firewall, one on the inside interface and one on the outside interface. BGP has been configured so the two routers should peer, including the correct BGP session endpoint addresses and the correct BGP session hop-count limit (EBGP multihop). What is a good first test to see if BGP will work across the firewall?

A.
Attempt to TELNET from the router connected to the inside of the firewall to the router connected to the outside of the firewall. If telnet works, BGP will work, since telnet and BGP both use TCP to transport data.

B.
Ping from the router connected to the inside interface of the firewall to the router connected to the outside interface of the firewall. If you can ping between them, BGP should work, since BGP uses IP to transport packets.

C.
There is no way to make BGP work across a firewall without special configuration, so there is no simple test that will show you if BGP will work or not, other than trying to start the peering session.

D.
There is no way to make BGP work across a firewall.

Explanation:
If you want points for this question on the exam, you should choose A.

Why A?

Well, this isn't a BGP question at all! It is a security question. This is another perfect example of having to guess what they mean. If they mean telnet to port 179, then it is correct.

But on variations of this question that do not explicitly state that EBGP multihop and the source address are configured, a telnet to port 179 tells you nothing other than that the firewall is configured correctly.

Read closely: inside and outside interfaces on a firewall. We need to know how they work.
By default, firewalls allow TCP connections from the inside interface to the outside interface to pass. Firewalls also create a state table and allow the return responses back in from the outside interface. So when TCP traffic is originated on the inside interface of a firewall, the firewall allows it to pass through and allows all return traffic for that specific connection entry.

Alright, now that we got through that part, let's take a look at the available answers.

Answer B: ICMP does not use TCP, so by default ICMP traffic will not be allowed to exit and re-enter. You would have to configure the firewall to allow ICMP traffic to pass in and out.
B won't get you points!

Answer C: NO special config is needed.
C won't get you points!

NOTE: Some opinions argue that even using telnet on port 179 counts as special configuration and that the answer should be C.

Answer D: Really? No BGP through a firewall?
D won't get you points!

You want points? Choose A.

Pass4sure says C and references www.cisco.com/UStech/tk365/technologies_configuration_example09186a0080094874.shtml
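To make the state-table reasoning above concrete, here is a toy Python model of the default firewall behaviour described: inside-originated TCP creates a state entry, return traffic for that entry is allowed back in, and nothing else passes without an explicit rule. This is an added example, not the page's or Cisco's code; the addresses, port numbers and the `inbound_permits` option are assumptions for the illustration. It also shows the case the telnet test does not cover: if the outside router is the one that opens the BGP session, an explicit inbound rule for TCP 179 is needed, which is the point the "answer C" camp makes.

```python
# Added example, not Cisco/PIX code: a toy stateful firewall modelling the default
# behaviour described above (inside-originated TCP tracked; return traffic allowed).
from dataclasses import dataclass

BGP_PORT = 179                         # BGP peers over TCP port 179
INSIDE, OUTSIDE = "inside", "outside"

@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0                     # 0 for ICMP
    dport: int = 0

class StatefulFirewall:
    def __init__(self, inbound_permits=()):
        self.state = set()                            # tracked flows as 5-tuples
        self.inbound_permits = set(inbound_permits)   # e.g. {("tcp", 179)}

    def process(self, pkt, arriving_on):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "permit:return"     # reply belonging to a tracked connection
        if arriving_on == INSIDE and pkt.proto == "tcp":
            self.state.add(key)        # default: inside-originated TCP is allowed
            return "permit:inside-tcp"
        if arriving_on == OUTSIDE and (pkt.proto, pkt.dport) in self.inbound_permits:
            self.state.add(key)        # outside-originated traffic needs an explicit rule
            return "permit:rule"
        return "drop"

def run_scenario(inbound_permits=()):
    """Verdicts for the tests discussed above; R1 is inside, R2 outside (made-up addresses)."""
    fw = StatefulFirewall(inbound_permits)
    r1, r2 = "10.0.0.1", "192.0.2.1"
    return {
        # answer A: R1 telnets to R2 on TCP 179, then R2's SYN/ACK comes back
        "telnet_179_out": fw.process(Packet("tcp", r1, r2, 40000, BGP_PORT), INSIDE),
        "telnet_179_reply": fw.process(Packet("tcp", r2, r1, BGP_PORT, 40000), OUTSIDE),
        # answer B: ICMP is not TCP, so no state entry and no permit by default
        "ping_out": fw.process(Packet("icmp", r1, r2), INSIDE),
        # not covered by the telnet test: R2 tries to open the BGP session first
        "bgp_open_from_outside": fw.process(Packet("tcp", r2, r1, 40001, BGP_PORT), OUTSIDE),
    }

if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} {verdict}")
```

Calling `run_scenario(inbound_permits={("tcp", 179)})` shows the outside-initiated BGP open being permitted once the explicit rule exists, while the default scenario drops it.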



Bob

Answer: C

Explanation:

Because BGP uses unicast TCP packets on port 179 to communicate with its peers, you must configure your firewall to allow unicast traffic on TCP port 179. This way, BGP peering can be established between the routers that are connected through the firewall.

For an example configuration of BGP through PIX firewalls, see the reference link below.

Reference:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml