Which two Cisco ASA configuration tasks are necessary to allow authenticated BGP sessions to pass through the Cisco ASA appliance? (Choose two.)

A.
Configure the Cisco ASA TCP normalizer to permit TCP option 19.

B.
Configure the Cisco ASA TCP Intercept to inspect the BGP packets (TCP port 179).

C.
Configure the Cisco ASA default global inspection policy to also statefully inspect the BGP
flows.

D.
Configure the Cisco ASA TCP normalizer to disable TCP ISN randomization for the BGP flows.

E.
Configure TCP state bypass to allow the BGP flows.

Explanation:
By default, two ASA behaviours break authenticated BGP sessions that transit the appliance:
1. The ASA strips TCP Option 19 (the TCP MD5 signature option), which Border Gateway Protocol (BGP) uses to authenticate the session.
2. The ASA randomizes the TCP initial sequence numbers (ISN), and the MD5 signature is computed over the original TCP header, so a rewritten sequence number invalidates it.
With Option 19 stripped, BGP routers configured for authentication never see the credentials coming from their peer and therefore do not establish the BGP neighbor.

First, match the BGP traffic (TCP port 179) in both directions:
    access-list BGP extended permit tcp any eq bgp any
    access-list BGP extended permit tcp any any eq bgp

Next, create a TCP map that allows Option 19:
    tcp-map BGP
     tcp-options range 19 19 allow

Now create a class-map that matches the BGP ACL you created earlier:
    class-map BGP
     match access-list BGP

Finally, apply the class-map to the global policy and attach the TCP map to it:
    policy-map global_policy
     class BGP
      set connection advanced-options BGP

For the second issue, while you are still in the same class of the policy-map, disable sequence-number randomization for the BGP flows:
      set connection random-sequence-number disable