  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3537

Allowing specific TCP Options in TCP Packet through ASA 5520

Hi Team,
I am trying to allow TCP options 24 to 31 through the ASA on a global basis, so I do not have to apply it on a per-interface basis. There is a global policy already applied, so I tried to edit that one and got an error message. Below is what I tried.

Can some expert please help me get this sorted, i.e. how I can allow TCP options 24 to 31 on the ASA globally.
=====================================

ASA(config)# tcp-map global_policy

ASA(config-tcp-map)# tcp-options range 24 31 allow

ASA(config-tcp-map)# class-map global_policy-class

ASA(config-cmap)# match any

ASA(config-cmap)# policy-map global_policy

ASA(config-pmap)# class global_policy-class

ASA(config-pmap-c)# set connection advanced-options global_policy

ASA(config-pmap-c)# service-policy global_policy global

WARNING: Policy map global_policy is already configured as a service policy
===============================================================
Before this I tried creating a new TCP map and got the same error
===============================================================

ASA(config)# tcp-map WSTCPOptions

ASA(config-tcp-map)# tcp-options range 24 31 allow

ASA(config-tcp-map)# class-map WSTCPOptions-class

ASA(config-cmap)# match any

ASA(config-cmap)# policy-map WSTCPOptions

ASA(config-pmap)# class WSTCPOptions-class

ASA(config-pmap-c)# set connection advanced-options WSTCPOptions

ASA(config-pmap-c)# service-policy WSTCPOptions global

WARNING: Policy map global_policy is already configured as a service policy
=================================================================
Below is what the firewall already had
=================================================================
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect tftp
  inspect ftp
  inspect icmp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
======================================================================

Thanks,
Asked by tariqmansoor

1 Solution
tariqmansoor (Author) commented:
Hi guys,
This was a bit urgent, so any assistance will be highly appreciated.

Thanks,

harbor235 commented:


You can have only one global policy, so you either need to create a new policy or modify the existing one.
I would name your tcp-map something other than global_policy, perhaps TCPOPT.

If you are adding to the existing global policy, I would do the following:

ASA(config)# tcp-map TCPOPT

ASA(config-tcp-map)# tcp-options range 24 31 allow

ASA(config-tcp-map)# class-map TCPOPT-CLASS

ASA(config-cmap)# match any

ASA(config-cmap)# policy-map TCPOPT-MAP

ASA(config-pmap)# class TCPOPT-CLASS

ASA(config-pmap-c)# set connection advanced-options TCPOPT

ASA(config-pmap-c)# service-policy TCPOPT-MAP global

harbor235 ;;}
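Once the tcp-map is in place, it is worth confirming from the running configuration that it really is enforced globally rather than trusting the absence of an error. The following Python is an added example, not code from this thread or from Cisco: it parses a `show running-config`-style dump and follows the chain tcp-map, `set connection advanced-options`, class, policy-map, `service-policy ... global`. The configuration text is constructed here, modelled on the working configuration later in this thread, and the parser understands only the handful of constructs that appear on this page; the function names are mine.

```python
"""Verify that an ASA tcp-map is enforced by the global service policy.

Added example, not from the thread. Parses a ``show running-config``-style
dump and follows: tcp-map -> 'set connection advanced-options' -> class ->
policy-map -> 'service-policy ... global'. Only the constructs that appear in
the thread are understood; the sample below is constructed, modelled on the
thread's final working configuration.
"""
import re

SAMPLE_CONFIG = """\
tcp-map ws
  tcp-options range 24 31 allow
!
class-map ws-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect tftp
  inspect ftp
  inspect icmp
 class ws-class
  set connection advanced-options ws
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
"""


def parse_config(text):
    """Return (tcp_maps, policy_maps, service_policies).

    tcp_maps: name -> list of option lines
    policy_maps: name -> {class name -> list of action lines}
    service_policies: list of (policy name, 'global' | 'interface <name>')
    """
    tcp_maps, policy_maps, service_policies = {}, {}, []
    cur_tcp = cur_pmap = cur_class = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            cur_tcp = cur_pmap = cur_class = None
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:  # new top-level object: leave whatever block we were in
            cur_tcp = cur_pmap = cur_class = None
            m = re.match(r"tcp-map (\S+)$", stripped)
            if m:
                cur_tcp = m.group(1)
                tcp_maps.setdefault(cur_tcp, [])
                continue
            # Plain 'policy-map NAME' only; 'policy-map type inspect ...' has more tokens
            m = re.match(r"policy-map (\S+)$", stripped)
            if m:
                cur_pmap = m.group(1)
                policy_maps.setdefault(cur_pmap, {})
                continue
            m = re.match(r"service-policy (\S+) (global|interface \S+)$", stripped)
            if m:
                service_policies.append((m.group(1), m.group(2)))
            continue
        if cur_tcp is not None:
            tcp_maps[cur_tcp].append(stripped)
        elif cur_pmap is not None:
            m = re.match(r"class (\S+)$", stripped)
            if m:
                cur_class = m.group(1)
                policy_maps[cur_pmap].setdefault(cur_class, [])
            elif cur_class is not None:
                policy_maps[cur_pmap][cur_class].append(stripped)
    return tcp_maps, policy_maps, service_policies


def tcp_map_scopes(config_text, tcp_map):
    """Scopes ('global' or 'interface X') in which tcp_map is actually enforced."""
    tcp_maps, policy_maps, service_policies = parse_config(config_text)
    if tcp_map not in tcp_maps:
        return set()
    wanted = f"set connection advanced-options {tcp_map}"
    using = {name for name, classes in policy_maps.items()
             if any(wanted in actions for actions in classes.values())}
    return {scope for name, scope in service_policies if name in using}


def allowed_ranges(config_text, tcp_map):
    """(lo, hi) pairs from 'tcp-options range LO HI allow' lines of tcp_map."""
    tcp_maps, _, _ = parse_config(config_text)
    pairs = []
    for line in tcp_maps.get(tcp_map, []):
        m = re.match(r"tcp-options range (\d+) (\d+) allow$", line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def global_policies(config_text):
    """Policy-map names bound with 'service-policy NAME global' (the ASA permits one)."""
    _, _, service_policies = parse_config(config_text)
    return [name for name, scope in service_policies if scope == "global"]


if __name__ == "__main__":
    print("global policy:", global_policies(SAMPLE_CONFIG))
    print("ws enforced in:", tcp_map_scopes(SAMPLE_CONFIG, "ws"))
    print("ws allows option kinds:", allowed_ranges(SAMPLE_CONFIG, "ws"))
```

Run it against a real `show running-config` capture instead of `SAMPLE_CONFIG`; an empty set from `tcp_map_scopes` means the tcp-map exists but nothing applied anywhere references it, which is exactly the state you would be in if a new policy-map was created but could not be bound because the single global slot is already taken.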

tariqmansoor (Author) commented:
Thanks,

I did try both, i.e. I tried to add a new policy with the name "WSTCPOptions" exactly like your example above, and it let me configure all the parameters, but when I finally wanted to apply the policy with the command
ASA(config-pmap-c)# service-policy WSTCPOptions global
I got the error
Error: Policy map global_policy is already configured as a service policy
-------------------------------------------------------------------------------------------------
One thing I have noted in your example is that in the last line
ASA(config-pmap-c)# service-policy TCPOPT-MAP global
you have used "TCPOPT-MAP" instead of "TCPOPT".
Can you please confirm whether using the traffic class "TCPOPT-MAP" is correct rather than using the TCP map "TCPOPT"?

Once you review and confirm, I will try this.
Thanks
harbor235 commented:

It will work on the interface; try to add it there and see if it works:

service-policy TCPOPT-MAP interface outside


harbor235 ;}

harbor235 commented:
Hmm, here is an example straight from the Cisco site; the service-policy statement should be

service-policy TCPOPT-MAP global


Examples

For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config-tcp-map)# class-map urg-class
hostname(config-cmap)# match port tcp range ftp-data telnet
hostname(config-cmap)# policy-map pmap
hostname(config-pmap)# class urg-class
hostname(config-pmap-c)# set connection advanced-options tmap
hostname(config-pmap-c)# service-policy pmap global

here is the link;
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/t_72.html#wp1386838

harbor235 ;}
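To make concrete what the `tcp-options range 24 31 allow` line in the tcp-map changes on the wire, here is a small model of the option normalisation. It is an added example, not Cisco's code and not from this thread or the Cisco page linked above. It decodes the TCP options field of a constructed SYN, applies a list of `range LO HI allow|clear` rules on top of an assumed default in which only MSS, window scale, SACK-permitted, SACK and timestamp (kinds 2, 3, 4, 5, 8) pass, and strips everything else. The default allow set and the "clear" semantics (option removed, field re-padded) are my simplified reading of the ASA behaviour, not a statement of the exact firmware behaviour; the option bytes are constructed, with a kind-30 option standing in for the 24-31 range (IANA assigns kind 29 to TCP-AO and kind 30 to Multipath TCP, which is the kind of traffic that range typically carries).

```python
"""Model of what an ASA tcp-map does to the TCP options field.

Added example, not from the thread or from Cisco. Simplifications (assumed):
an allowed option kind passes unchanged, a cleared kind is removed and the
field is re-padded; EOL (0) and NOP (1) are never cleared; the default allow
set is {2, 3, 4, 5, 8}; tcp-map range rules apply in order, later rules win.
"""

# Assumed default: MSS, window scale, SACK-permitted, SACK, timestamp pass.
DEFAULT_ALLOWED = {2, 3, 4, 5, 8}

# Constructed SYN options: MSS 1460, SACK-permitted, timestamp, NOP,
# window scale 7, then a kind-30 option (2 bytes of dummy data) standing in
# for the 24-31 range discussed in the thread. 24 bytes, already 32-bit aligned.
SAMPLE_SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"                          # kind 2  MSS = 1460
    b"\x04\x02"                                  # kind 4  SACK-permitted
    b"\x08\x0a\x00\x00\x00\x01\x00\x00\x00\x00"  # kind 8  timestamp (TSval=1, TSecr=0)
    b"\x01"                                      # kind 1  NOP
    b"\x03\x03\x07"                              # kind 3  window scale 7
    b"\x1e\x04\x00\x00"                          # kind 30 (dummy body)
)


def parse_tcp_options(blob):
    """Decode a TCP options field into [(kind, data), ...]; raises on malformed input."""
    opts, i = [], 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:                 # EOL: nothing after it is an option
            opts.append((0, b""))
            break
        if kind == 1:                 # NOP: single byte, no length field
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for option kind {kind}")
        opts.append((kind, bytes(blob[i + 2:i + length])))
        i += length
    return opts


def serialize_tcp_options(opts):
    """Encode [(kind, data), ...] and pad with EOL bytes to a 32-bit boundary."""
    out = bytearray()
    for kind, data in opts:
        if kind in (0, 1):
            out.append(kind)
        else:
            out += bytes([kind, 2 + len(data)]) + data
    while len(out) % 4:
        out.append(0)
    return bytes(out)


def build_allowed_set(rules):
    """rules: [(lo, hi, 'allow'|'clear'), ...] as written in the tcp-map, in order."""
    allowed = set(DEFAULT_ALLOWED)
    for lo, hi, action in rules:
        kinds = set(range(lo, hi + 1))
        if action == "allow":
            allowed |= kinds
        elif action == "clear":
            allowed -= kinds
        else:
            raise ValueError(f"unknown action {action!r}")
    return allowed


def normalize(blob, rules):
    """Apply the tcp-map to an options field and return the rewritten field."""
    allowed = build_allowed_set(rules) | {0, 1}
    kept = [(k, d) for k, d in parse_tcp_options(blob) if k in allowed]
    return serialize_tcp_options(kept)


def cleared_kinds(blob, rules):
    """Option kinds the tcp-map would strip from this packet."""
    allowed = build_allowed_set(rules) | {0, 1}
    return [k for k, _ in parse_tcp_options(blob) if k not in allowed]


if __name__ == "__main__":
    print("default    :", cleared_kinds(SAMPLE_SYN_OPTIONS, []))
    print("24-31 allow:", cleared_kinds(SAMPLE_SYN_OPTIONS, [(24, 31, "allow")]))
```

With no rules the kind-30 option is stripped and the peer never sees it; with `(24, 31, "allow")` the field passes through byte for byte. Feeding real captured option bytes from `tcpdump -x` into `cleared_kinds` is a quick way to predict which options a given tcp-map will remove before touching the firewall.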

tariqmansoor (Author) commented:
Thanks, you are right, but I think in my case it is conflicting with the existing global policy :(
Below is what I did and it gave me an error. I further tried to edit the existing global policy to include the newly created traffic class, but it gave me an error message too.
The existing global policy is using default inspection; below is a show output of the existing policy.

I believe there can only be one global policy in the ASA, but it can have more than one traffic class associated with it with different match criteria, and based on that I tried to edit the existing one to include my newly created class, but I got the error "ERROR: % class-map WS-calss not configured".
Can you please look below and spot what I might have missed?
Thanks in advance

WHAT I TRIED FIRST
-----------------------
asa(config)# tcp-map WS
asa(config-tcp-map)# tcp-options range 24 31 allow
asa(config-tcp-map)# class-map WS-class
asa(config-cmap)# match any
asa(config-cmap)# policy-map WSmap
asa(config-pmap)# class WS-class
asa(config-pmap-c)# set connection advanced-options WS
asa(config-pmap-c)# service-policy WSmap global

ERROR: Policy map global_policy is already configured as a service policy
-------------------------------------------

TRIED TO EDIT THE EXISTING GLOBAL POLICY
------------------------------------------
asa(config)# tcp-map WS
asa(config-tcp-map)# tcp-options range 24 31 allow
asa(config-tcp-map)# class-map WS-class
asa(config-cmap)# match any
asa(config-cmap)# policy-map global_policy
asa(config-pmap)# class WS-calss
ERROR: % class-map WS-calss not configured
---------------------------------------------------------------

RUNNING CONFIG

asa# show running-config policy-map
!
policy-map global_policy
 class inspection_default
  inspect tftp
  inspect ftp
  inspect icmp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
!
class-map inspection_default
 match default-inspection-traffic
!
--------------------------------------------------------
asa#

tariqmansoor (Author) commented:
Woo hoo... it went through this time...
I cannot understand it: this time, doing exactly the above steps but just replacing "W" with "w" (lower case) did not produce any error, it accepted all input, and I am sure it applied to the policy successfully.
Please see below

THANK YOU VERY VERY MUCH FOR YOUR HELP, THAT'S GREAT

==============================================
asa(config)# tcp-map ws
asa(config-tcp-map)# tcp-options range 24 31 allow
asa(config-tcp-map)# class-map ws-class
asa(config-cmap)# match any
asa(config-cmap)# policy-map global_policy
asa(config-pmap)# class ws-class
asa(config-pmap-c)# set connection advanced-options ws
asa(config-pmap-c)# service-policy global_policy global
===============================================
!
class-map ws-class
 match any
class-map inspection_default
 match default-inspection-traffic
!


Thanks,

tariqmansoor (Author) commented:
Excellent Work