Solved

Cisco ASA - Create TCP Map using CLI

Posted on 2012-04-13
5
818 Views
Last Modified: 2012-04-25
It was suggested that I need to apply a TCP Map to interfaces on a Cisco ASA to stop TCP options being stripped (which prevent the correct operation of our VPN system).  I have some instructions for doing this via ASDM, but we only have access to configure the ASA via CLI.  Can someone walk me through this on the CLI (I'm assuming it's easy if you know how)?

1-Build a TCP-Map with the following settings:
Queue limit: 0
Timeout: 4
Reserved bits: Allow only
Drop packets which have past-window sequnence: Yes
Drop SYNACK packets with data: Yes
Drop packets with invalid ACK: yes
Range to Add:
Lower: 6, Upper: 7
Lower: 9, Upper: 255
Action: Allow

2-Apply TCP-Map to the ASA interfaces via a new service policy with the following config:
Traffic clasification: Any
Connection settings: Use TCP-Map (tick), an select the new TCP-Map, and then apply changes via ASDM.

Can someone walk me through this on the CLI please?

Thanks

vasp
0
Comment
Question by:vasp
  • 3
  • 2
5 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37842600
For 1 it should be:

tcp-map mytcpmap
   tcp-options range 6 7 allow
   tcp-options range 9 255 allow
   urgent-flag allow
   no ttl-evasion-protection


and for 2:

class-map outside-class
   match any
 policy-map outside-policy
   class outside-class
     set connection advanced-options mytcpmap
 service-policy outside-policy interface outside


I was a bit lazy and do have ASDM access ;)
0
 

Author Comment

by:vasp
ID: 37842663
Wow that was fast!

I'll give that a whirl later and let you know!

vasp
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37842708
:)

I'll be here (probably).
0
 

Author Closing Comment

by:vasp
ID: 37883645
quick and accurate - thanks!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37894150
A bit slower now ;)

Thx 4 the points, glad it worked out for you.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Is your computer hacked? learn how to detect and delete malware in your PC
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now