unfamiliar ASA log message

rjpdmbmap
Level 1

Is anyone familiar with:

Deny IP 'x.x.x.x' to 'y.y.y.y', IP options: "Noop"

    Explanation: This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.

    Recommended Action: Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.

Any guidance would be greatly appreciated, thanks!

2 Replies

Julio Carvajal
VIP Alumni

Hello,

As a security device, the ASA will drop any packets containing any information in the IP options fields; this is the expected behavior of a firewall.

Now there are 3 options that you could configure your ASA to allow if needed. They are options 0, 1 and 20.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1548725

Check that document for more information about the IP inspection on the ASA.

Remember to rate all of the posts; if you need any assistance with that, let me know and I will tell you how.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mgrzesia
Cisco Employee

Hello,

There is another article showing how to enable ip-options for RSVP traffic:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bbcd09.shtml

Please note, however, that if you have an application that is using NOOP, EOOL or RTRALT in traffic other than RSVP, then you need a different approach. This is because the default ip-options inspection class matches only RSVP traffic.

Configuration example:

10.0.0.1 is an application server. It is sending IP packets with EOOL and NOOP options towards the client. The client is 192.168.1.10. The client is initiating the connection.

1. Create an ACL that will match the traffic from the initiator to the server (a single host needs the host keyword in ASA ACL syntax):

ciscoasa(config)# access-list 100 extended permit ip host 192.168.1.10 host 10.0.0.1

You can make it tighter, just match the traffic from the initiator side.

2. Create a class map matching the interesting traffic:

ciscoasa(config)# class-map Options-cmap
ciscoasa(config-cmap)# match access-list 100

3. Configure a policy map with the options permitted:

ciscoasa(config)# policy-map type inspect ip-options Options-pmap
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# eool action allow
ciscoasa(config-pmap-p)# nop action allow

4. Insert a new class into the global_policy:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class Options-cmap
ciscoasa(config-pmap-c)# inspect ip-options Options-pmap

The result should be:

ciscoasa# show service-policy inspect ip-options

Global policy:
  Service-policy: global_policy
    Class-map: Options-cmap
      Inspect: ip-options Options-pmap, packet 100, lock fail 0, drop 0, reset-drop 0
        EOOL:          allow 12, clear 0
        NOP:           allow 18, clear 0

Kind regards,

Mateusz
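The inspection the thread describes, as an added example that is not part of either reply and not Cisco code: it walks the IPv4 option list of a packet header, then applies an ASA-style per-option policy (allow, clear, or the default drop) such as the Options-pmap above. The header builder, the sample addresses from the thread and the zeroed checksum are constructed for the demonstration.

```python
import socket
import struct

# IPv4 option numbers (low five bits of the option-type byte) named in the thread.
EOOL, NOP, RTRALT = 0, 1, 20
OPTION_NAMES = {EOOL: "eool", NOP: "nop", RTRALT: "router-alert"}
# The thread's Options-pmap: eool and nop allowed; unlisted options keep the ASA default (drop).
OPTIONS_PMAP = {EOOL: "allow", NOP: "allow"}

def parse_ip_options(packet: bytes):
    """Return the option numbers found between the fixed 20-byte header and IHL*4 bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        number = opts[i] & 0x1F
        found.append(number)
        if number == EOOL:            # end of option list; the rest is padding
            break
        if number == NOP:             # one-byte option with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        i += opts[i + 1]              # multi-byte option: type, length, data
    return found

def inspect_ip_options(packet: bytes, policy: dict):
    """(verdict, [(option, action)]): 'allow' forwards, 'clear' strips, unlisted means drop."""
    try:
        numbers = parse_ip_options(packet)
    except ValueError as exc:         # malformed option list is itself a drop
        return "drop", [("malformed", str(exc))]
    decisions = []
    for number in numbers:
        action = policy.get(number, "drop")
        decisions.append((OPTION_NAMES.get(number, f"option-{number}"), action))
        if action == "drop":
            return "drop", decisions
    return "allow", decisions

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample header (checksum left zero); options padded with EOOL to a 32-bit word."""
    options += b"\x00" * (-len(options) % 4)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0, 20 + len(options),
                       0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
```

A header carrying only NOP and EOOL passes under OPTIONS_PMAP, while one carrying router alert (0x94) is still dropped until that option is added to the policy, which is the point of the caveat about non-RSVP traffic.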
