Solved

Need help configuring my Cisco ASA Firewall to extend MSS limit for outbound traffic

Posted on 2007-11-13
Last Modified: 2008-10-20
I have a Cisco ASA 5510 firewall and my company uses a third-party POP3 provider for email.
I have just installed a Konica Multi-purpose copier that can scan a document and email it. However, when I do this, my firewall stops it with the message:
Dropping TCP packet from inside:10.203.15.202/1025 to outside:204.107.103.101/25, reason: MSS exceeded, MSS 1380, data 1460

I have seen how I can configure MSS to exceed for traffic coming in, but how can I configure it for traffic going out?
Question by:eleeexpertsexchange

Accepted Solution

by:
batry_boy earned 250 total points
ID: 20276536
Try these statements:

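! Match TCP traffic to the mail host from the drop message
access-list mss_allow_list extended permit tcp any host 204.107.103.101
! TCP map that lets segments larger than the negotiated MSS through
tcp-map tcp-mss-map
 exceed-mss allow
class-map mss-map
 match access-list mss_allow_list
policy-map mss-map
 class mss-map
  set connection advanced-options tcp-mss-map
! Apply the policy on the outside interface
service-policy mss-map interface outside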

Author Comment

by:eleeexpertsexchange
ID: 20276812
This works. Thanks very much


Expert Comment

by:Eirejp
ID: 34236429
No luck, I am afraid.

I applied the configuration without error, but one command did not show up in the show run, as if it was already the default.
"exceed-mss allow"

So it looks like it applied an empty policy to the external interface. I tried a couple of times but the tcp-map tcp-mss-map comes up blank.

I am still seeing these sorts of errors in the logs.



6	Nov 30 2010	14:37:09						PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=[WAN IP], src_addr=[Random web site], prot=tcp
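
An added example, not part of the original thread or any poster's code: a Python sketch that tallies "MSS exceeded" drops in the format quoted in the question and prints one mss_allow_list entry per affected destination and port, so the exceed-mss exception stays as narrow as the logs justify. Only the first sample line comes from the question; the other log lines, the "eq <port>" narrowing and all function names are assumptions of this example.

```python
import re
from collections import Counter

# Body of the drop message as quoted in the question; any syslog prefix is ignored.
DROP_RE = re.compile(
    r"Dropping TCP packet from (?P<src_if>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\S+?):(?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def parse_drops(lines):
    """Yield one dict per 'MSS exceeded' drop found in the log lines."""
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "mss", "data"):
                d[key] = int(d[key])
            yield d

def summarize(lines):
    """Count drops per (destination, port) and record the largest segment seen."""
    counts, largest = Counter(), {}
    for d in parse_drops(lines):
        key = (d["dst"], d["dport"])
        counts[key] += 1
        largest[key] = max(largest.get(key, 0), d["data"])
    return counts, largest

def acl_lines(counts, acl_name="mss_allow_list"):
    """One host-and-port ACL entry per affected destination (assumed narrowing)."""
    return [
        f"access-list {acl_name} extended permit tcp any host {dst} eq {port}"
        for (dst, port), _ in counts.most_common()
    ]

# Constructed sample: line 1 is the message from the question, the rest are made up.
SAMPLE = [
    "Dropping TCP packet from inside:10.203.15.202/1025 to outside:204.107.103.101/25, reason: MSS exceeded, MSS 1380, data 1460",
    "Dropping TCP packet from inside:10.203.15.202/1026 to outside:204.107.103.101/25, reason: MSS exceeded, MSS 1380, data 1400",
    "Dropping TCP packet from inside:10.203.15.50/40000 to outside:192.0.2.10/443, reason: MSS exceeded, MSS 1380, data 1460",
    "Some unrelated log line that must be skipped",
]

if __name__ == "__main__":
    counts, largest = summarize(SAMPLE)
    for (dst, port), n in counts.most_common():
        print(f"{dst}:{port} drops={n} largest_segment={largest[(dst, port)]}")
    print("\n".join(acl_lines(counts)))
```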
