?
Solved

Cisco ASA - Create TCP Map using CLI

Posted on 2012-04-13
5
Medium Priority
?
860 Views
Last Modified: 2012-04-25
It was suggested that I need to apply a TCP Map to interfaces on a Cisco ASA to stop TCP options being stripped (which prevent the correct operation of our VPN system).  I have some instructions for doing this via ASDM, but we only have access to configure the ASA via CLI.  Can someone walk me through this on the CLI (I'm assuming it's easy if you know how)?

1-Build a TCP-Map with the following settings:
Queue limit: 0
Timeout: 4
Reserved bits: Allow only
Drop packets which have past-window sequnence: Yes
Drop SYNACK packets with data: Yes
Drop packets with invalid ACK: yes
Range to Add:
Lower: 6, Upper: 7
Lower: 9, Upper: 255
Action: Allow

2-Apply TCP-Map to the ASA interfaces via a new service policy with the following config:
Traffic clasification: Any
Connection settings: Use TCP-Map (tick), an select the new TCP-Map, and then apply changes via ASDM.

Can someone walk me through this on the CLI please?

Thanks

vasp
0
Comment
Question by:vasp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 37842600
For 1 it should be:

tcp-map mytcpmap
   tcp-options range 6 7 allow
   tcp-options range 9 255 allow
   urgent-flag allow
   no ttl-evasion-protection


and for 2:

class-map outside-class
   match any
 policy-map outside-policy
   class outside-class
     set connection advanced-options mytcpmap
 service-policy outside-policy interface outside


I was a bit lazy and do have ASDM access ;)
0
 

Author Comment

by:vasp
ID: 37842663
Wow that was fast!

I'll give that a whirl later and let you know!

vasp
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37842708
:)

I'll be here (probably).
0
 

Author Closing Comment

by:vasp
ID: 37883645
quick and accurate - thanks!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37894150
A bit slower now ;)

Thx 4 the points, glad it worked out for you.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question