Solved

Cisco ASA - Create TCP Map using CLI

Posted on 2012-04-13
5
822 Views
Last Modified: 2012-04-25
It was suggested that I need to apply a TCP Map to interfaces on a Cisco ASA to stop TCP options being stripped (which prevent the correct operation of our VPN system).  I have some instructions for doing this via ASDM, but we only have access to configure the ASA via CLI.  Can someone walk me through this on the CLI (I'm assuming it's easy if you know how)?

1-Build a TCP-Map with the following settings:
Queue limit: 0
Timeout: 4
Reserved bits: Allow only
Drop packets which have past-window sequnence: Yes
Drop SYNACK packets with data: Yes
Drop packets with invalid ACK: yes
Range to Add:
Lower: 6, Upper: 7
Lower: 9, Upper: 255
Action: Allow

2-Apply TCP-Map to the ASA interfaces via a new service policy with the following config:
Traffic clasification: Any
Connection settings: Use TCP-Map (tick), an select the new TCP-Map, and then apply changes via ASDM.

Can someone walk me through this on the CLI please?

Thanks

vasp
0
Comment
Question by:vasp
  • 3
  • 2
5 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37842600
For 1 it should be:

tcp-map mytcpmap
   tcp-options range 6 7 allow
   tcp-options range 9 255 allow
   urgent-flag allow
   no ttl-evasion-protection


and for 2:

class-map outside-class
   match any
 policy-map outside-policy
   class outside-class
     set connection advanced-options mytcpmap
 service-policy outside-policy interface outside


I was a bit lazy and do have ASDM access ;)
0
 

Author Comment

by:vasp
ID: 37842663
Wow that was fast!

I'll give that a whirl later and let you know!

vasp
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37842708
:)

I'll be here (probably).
0
 

Author Closing Comment

by:vasp
ID: 37883645
quick and accurate - thanks!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37894150
A bit slower now ;)

Thx 4 the points, glad it worked out for you.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now