Solved

Cisco ASA - Create TCP Map using CLI

Posted on 2012-04-13
Last Modified: 2012-04-25
It was suggested that I need to apply a TCP Map to interfaces on a Cisco ASA to stop TCP options being stripped (which prevent the correct operation of our VPN system).  I have some instructions for doing this via ASDM, but we only have access to configure the ASA via CLI.  Can someone walk me through this on the CLI (I'm assuming it's easy if you know how)?

1-Build a TCP-Map with the following settings:
Queue limit: 0
Timeout: 4
Reserved bits: Allow only
Drop packets which have past-window sequence: Yes
Drop SYNACK packets with data: Yes
Drop packets with invalid ACK: yes
Range to Add:
Lower: 6, Upper: 7
Lower: 9, Upper: 255
Action: Allow

2-Apply TCP-Map to the ASA interfaces via a new service policy with the following config:
Traffic classification: Any
Connection settings: Use TCP-Map (tick), and select the new TCP-Map, and then apply changes via ASDM.

Can someone walk me through this on the CLI please?

Thanks

vasp
Question by:vasp
5 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37842600
For 1 it should be:

tcp-map mytcpmap
 ! keep option kinds 6-7 and 9-255 instead of clearing them (the ASA default)
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
 urgent-flag allow
 no ttl-evasion-protection

and for 2:

class-map outside-class
 match any
policy-map outside-policy
 class outside-class
  set connection advanced-options mytcpmap
service-policy outside-policy interface outside


I was a bit lazy and do have ASDM access ;)
0
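As an added example (not Cisco code and not part of this thread), the helper below renders the ASDM settings from the question as ASA CLI, writing every setting out explicitly rather than relying on defaults, attaches the map with the same class-map/policy-map/service-policy structure as the accepted answer, and parses a tcp-map block (for instance pasted from the running config) to list which TCP option kinds it leaves intact. The dictionary of settings, map name and interface name are assumptions for illustration.

```python
import re

# ASDM settings exactly as listed in the question, mapped to tcp-map keywords
# (a constructed dict; the keyword names are standard ASA tcp-map commands).
TCP_MAP_SETTINGS = {
    "queue_limit": 0, "timeout": 4,
    "reserved_bits": "allow",
    "seq_past_window": "drop",
    "synack_data": "drop",
    "invalid_ack": "drop",
    "option_ranges": [(6, 7, "allow"), (9, 255, "allow")],
}

def render_tcp_map(name, s):
    """Return CLI lines for a tcp-map, writing every setting out explicitly
    instead of relying on the ASA defaults."""
    lines = [f"tcp-map {name}",
             f" queue-limit {s['queue_limit']} timeout {s['timeout']}",
             f" reserved-bits {s['reserved_bits']}",
             f" seq-past-window {s['seq_past_window']}",
             f" synack-data {s['synack_data']}",
             f" invalid-ack {s['invalid_ack']}"]
    for lo, hi, action in s["option_ranges"]:
        # TCP option kinds are a single byte; refuse nonsense ranges
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad tcp-options range {lo}-{hi}")
        lines.append(f" tcp-options range {lo} {hi} {action}")
    return lines

def render_policy(map_name, interface="outside"):
    """class-map / policy-map / service-policy that attaches the map to an
    interface for all traffic, mirroring the accepted answer's structure."""
    return [f"class-map {interface}-class", " match any",
            f"policy-map {interface}-policy", f" class {interface}-class",
            f"  set connection advanced-options {map_name}",
            f"service-policy {interface}-policy interface {interface}"]

def allowed_option_kinds(tcp_map_lines):
    """Parse 'tcp-options range L U allow' lines (e.g. pasted from
    'show run tcp-map') and return the set of option kinds left intact."""
    kinds = set()
    for line in tcp_map_lines:
        m = re.match(r"\s*tcp-options range (\d+) (\d+) (allow|clear|drop)", line)
        if m and m.group(3) == "allow":
            kinds.update(range(int(m.group(1)), int(m.group(2)) + 1))
    return kinds
```

Printing `render_tcp_map("mytcpmap", TCP_MAP_SETTINGS) + render_policy("mytcpmap")` joined by newlines gives a block you can paste into configure mode; running `allowed_option_kinds` over the same lines confirms that kinds 6, 7 and 9 through 255 are allowed while 8 (timestamp) is left to the ASA default.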
 

Author Comment

by:vasp
ID: 37842663
Wow that was fast!

I'll give that a whirl later and let you know!

vasp
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37842708
:)

I'll be here (probably).
0
 

Author Closing Comment

by:vasp
ID: 37883645
quick and accurate - thanks!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37894150
A bit slower now ;)

Thx 4 the points, glad it worked out for you.
0
