tariqmansoor
asked on
Allowing specific TCP Options in TCP Packet through ASA 5520
Hi Team,
I am trying to allow TCP Options 24 to 31 through the ASA on a global basis, so I do not have to apply it on a per-interface basis. There is a global policy already applied, so I tried to edit that one and got an error message. Below is what I tried.
Can some expert please help me get this sorted, i.e. how I will be able to allow TCP Options 24 to 31 on the ASA globally.
==========================
ASA(config)# tcp-map global_policy
ASA(config-tcp-map)# tcp-options range 24 31 allow
ASA(config-tcp-map)# class-map global_policy-class
ASA(config-cmap)# match any
ASA(config-cmap)# policy-map global_policy
ASA(config-pmap)# class global_policy-class
ASA(config-pmap-c)# set connection advanced-options global_policy
ASA(config-pmap-c)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
==========================
Before this I tried creating a new TCP map and got the same error.
==========================
ASA(config)# tcp-map WSTCPOptions
ASA(config-tcp-map)# tcp-options range 24 31 allow
ASA(config-tcp-map)# class-map WSTCPOptions-class
ASA(config-cmap)# match any
ASA(config-cmap)# policy-map WSTCPOptions
ASA(config-pmap)# class WSTCPOptions-class
ASA(config-pmap-c)# set connection advanced-options WSTCPOptions
ASA(config-pmap-c)# service-policy WSTCPOptions global
WARNING: Policy map global_policy is already configured as a service policy
==========================
Below is what the firewall already had:
==========================
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect tftp
inspect ftp
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
==========================
Thanks,
You can have only one global policy, so you either need to create a new policy or modify the existing one.
I would name your tcp map something else other than global_policy perhaps TCPOPT.
If you are adding to the existing global policy, I would do the following:
ASA(config)# tcp-map TCPOPT
ASA(config-tcp-map)# tcp-options range 24 31 allow
ASA(config-tcp-map)# class-map TCPOPT-CLASS
ASA(config-cmap)# match any
ASA(config-cmap)# policy-map TCPOPT-MAP
ASA(config-pmap)# class TCPOPT-CLASS
ASA(config-pmap-c)# set connection advanced-options TCPOPT
ASA(config-pmap-c)# service-policy TCPOPT-MAP global
harbor235 ;;}
ASKER
Thanks,
I did try both, i.e. I tried to add a new policy with the name "WSTCPOptions" exactly like your example above, and it let me configure all the parameters, but when I finally wanted to apply the policy with the command
ASA(config-pmap-c)# service-policy WSTCPOptions global
I got the error
Error: Policy map globa;_policy is already configured as a service policy
--------------------------
One thing I have noted in your example is that in the last line
ASA(config-pmap-c)# service-policy TCPOPT-MAP global
you have used "TCPOPT-MAP" instead of "TCPOPT".
Can you please confirm whether using the traffic class "TCPOPT-MAP" is correct rather than using the TCP map "TCPOPT"?
Once you review and confirm, I will try this.
Thanks
It will work on the interface; try to add it and see if it works there:
service-policy TCPOPT-MAP interface outside
harbor235 ;}
ASKER CERTIFIED SOLUTION
ASKER
Thanks, you are right, but I think in my case it is conflicting with the existing global policy :(
Below is what I did, and it gave me an error. I further tried to edit the existing global policy to include the newly created traffic class, but it gave me an error message too.
The existing global policy is using default inspection; below is a show output of the existing policy.
I believe there can only be one global policy in the ASA, but it can have more than one traffic class associated with it, with different match criteria. Based on that I tried to edit the existing one to include my newly created class, but I got the error "ERROR: % class-map WS-calss not configured".
Can you please look below and spot what I might have missed?
Thanks in advance
WHAT I TRIED FIRST
--------------------------
asa(config)# tcp-map WS
asa(config-tcp-map)# tcp-options range 24 31 allow
asa(config-tcp-map)# class-map WS-class
asa(config-cmap)# match any
asa(config-cmap)# policy-map WSmap
asa(config-pmap)# class WS-class
asa(config-pmap-c)# set connection advanced-options WS
asa(config-pmap-c)# service-policy WSmap global
ERROR: Policy map global_policy is already configured as a service policy
--------------------------
TRIED TO EDIT THE EXISTING GLOBAL POLICY
--------------------------
asa(config)# tcp-map WS
asa(config-tcp-map)# tcp-options range 24 31 allow
asa(config-tcp-map)# class-map WS-class
asa(config-cmap)# match any
asa(config-cmap)# policy-map global_policy
asa(config-pmap)# class WS-calss
ERROR: % class-map WS-calss not configured
--------------------------
RUNNING CONFIG
asa# show running-config policy-map
!
policy-map global_policy
class inspection_default
inspect tftp
inspect ftp
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
!
class-map inspection_default
match default-inspection-traffic
!
--------------------------
asa#
ASKER
Woo hoo ... gone through this time ....
I cannot understand it: this time, doing exactly the above steps but just replacing "W" with "w" (lower case) did not produce any error; it accepted all input and I am sure applied it to the policy successfully.
Please see below.
THANK YOU VERY VERY MUCH FOR YOUR HELP, THAT'S GREAT
==========================
asa(config)# tcp-map ws
asa(config-tcp-map)# tcp-options range 24 31 allow
asa(config-tcp-map)# class-map ws-class
asa(config-cmap)# match any
asa(config-cmap)# policy-map global_policy
asa(config-pmap)# class ws-class
asa(config-pmap-c)# set connection advanced-options ws
asa(config-pmap-c)# service-policy global_policy global
==========================
!
class-map ws-class
match any
class-map inspection_default
match default-inspection-traffic
!
Thanks,
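As an added example (not code from the thread or from Cisco), here is a small Python lint that parses the Modular Policy Framework objects of an ASA running-config and reports the two things that blocked the asker in this thread: an object referenced under a policy-map that was never defined (ASA object names are case-sensitive, so the typo WS-calss does not resolve to WS-class or ws-class), and a second policy-map bound with `service-policy ... global` while global_policy is already the global policy. The sample config embedded in the block is constructed for the demonstration and is not the asker's running config.

```python
import re
# Constructed sample (not copied from the thread): a misspelled class name under policy-map
# global_policy plus a second "service-policy ... global" while global_policy is already bound.
SAMPLE_CONFIG = """\
tcp-map ws
 tcp-options range 24 31 allow
class-map ws-class
 match any
policy-map global_policy
 class WS-calss
  set connection advanced-options WS
policy-map WSmap
 class ws-class
  set connection advanced-options ws
service-policy global_policy global
service-policy WSmap global
"""

def parse_mpf(config):
    """Index the Modular Policy Framework objects found in an ASA running-config."""
    mpf = {"tcp_maps": set(), "class_maps": set(), "policy_maps": {}, "global": []}
    policy = None  # the policy-map whose sub-commands (class, set connection ...) we are inside
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"tcp-map (\S+)$", line):
            mpf["tcp_maps"].add(m[1])
            policy = None
        elif m := re.match(r"class-map (\S+)$", line):
            mpf["class_maps"].add(m[1])
            policy = None
        elif m := re.match(r"policy-map (\S+)$", line):  # "policy-map type inspect ..." does not match
            policy = mpf["policy_maps"].setdefault(m[1], {"class_maps": [], "tcp_maps": []})
        elif m := re.match(r"service-policy (\S+) global$", line):
            mpf["global"].append(m[1])
            policy = None
        elif policy and (m := re.match(r"class (\S+)$", line)):
            policy["class_maps"].append(m[1])
        elif policy and (m := re.match(r"set connection advanced-options (\S+)$", line)):
            policy["tcp_maps"].append(m[1])
    return mpf

def lint_mpf(config):
    """Flag dangling (case-sensitive) object references and a second global service-policy."""
    mpf, findings = parse_mpf(config), []
    for name, pm in mpf["policy_maps"].items():
        for kind, label in (("class_maps", "class-map"), ("tcp_maps", "tcp-map")):
            findings += [f"policy-map {name}: {label} {ref} not configured"
                         for ref in pm[kind] if ref not in mpf[kind]]
    if len(mpf["global"]) > 1:
        findings.append("only one global service-policy is allowed: " + ", ".join(mpf["global"]))
    return findings
```

Run `lint_mpf` over the text of `show running-config` (plus `show running-config tcp-map`, which is not part of the policy-map output) before pasting a change; an empty list means every referenced class-map and tcp-map exists and only one policy-map is bound globally.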
ASKER
Excellent Work
ASKER
This was a bit urgent, so any assistance will be highly appreciated.
Thanks,