[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Cisco ASA - Create TCP Map using CLI

Posted on 2012-04-13
5
Medium Priority
?
868 Views
Last Modified: 2012-04-25
It was suggested that I need to apply a TCP Map to interfaces on a Cisco ASA to stop TCP options being stripped (which prevent the correct operation of our VPN system).  I have some instructions for doing this via ASDM, but we only have access to configure the ASA via CLI.  Can someone walk me through this on the CLI (I'm assuming it's easy if you know how)?

1-Build a TCP-Map with the following settings:
Queue limit: 0
Timeout: 4
Reserved bits: Allow only
Drop packets which have past-window sequnence: Yes
Drop SYNACK packets with data: Yes
Drop packets with invalid ACK: yes
Range to Add:
Lower: 6, Upper: 7
Lower: 9, Upper: 255
Action: Allow

2-Apply TCP-Map to the ASA interfaces via a new service policy with the following config:
Traffic clasification: Any
Connection settings: Use TCP-Map (tick), an select the new TCP-Map, and then apply changes via ASDM.

Can someone walk me through this on the CLI please?

Thanks

vasp
0
Comment
Question by:vasp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 37842600
For 1 it should be:

tcp-map mytcpmap
   tcp-options range 6 7 allow
   tcp-options range 9 255 allow
   urgent-flag allow
   no ttl-evasion-protection


and for 2:

class-map outside-class
   match any
 policy-map outside-policy
   class outside-class
     set connection advanced-options mytcpmap
 service-policy outside-policy interface outside


I was a bit lazy and do have ASDM access ;)
0
 

Author Comment

by:vasp
ID: 37842663
Wow that was fast!

I'll give that a whirl later and let you know!

vasp
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37842708
:)

I'll be here (probably).
0
 

Author Closing Comment

by:vasp
ID: 37883645
quick and accurate - thanks!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37894150
A bit slower now ;)

Thx 4 the points, glad it worked out for you.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
In this article, we’ll look at how to deploy ProxySQL.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question