10-30-2015 11:38 PM - last edited on 03-25-2019 05:57 PM by ciscomoderator
1. Can the ASA filter IP options and some filters like the ones below, and how?
If not, does it mean that buying a switch is more secure, since the Windows firewall can already block TCP and UDP?
access-list 101 deny ip any host 192.168.1.2 fragments
ip access-list extended mylist1
deny ip any any option traceroute
deny tcp any any match-all -ack -fin
permit ip any any option security
permit tcp any any match-any +rst
show ip access-lists mylist1
ip access-group mylist1 in
2. Should we filter all IP options with "any"? If not, which IP options need to be permitted?
3. The ASA seems not to have functions like the IPS signatures. Without IPS, I feel that the most useful feature of the ASA is the HTTP class map, is it?
11-01-2015 12:21 AM
A Cisco router can drop each IP packet with an options field:
ip options drop
but it says RSVP (Resource Reservation Protocol) needs IP options,
and I do not know how to check the dropped packets.
11-13-2015 10:37 PM
I know that a Cisco switch or router can do IP options filtering; however, I could not find this for the ASA before I asked this question.
So I would like to find out how to filter IP options on the ASA.
11-02-2015 12:40 AM
> 1. can ASA filter ip option and some filter like below and how?
The ASA is a stateful firewall, which means that the flag handling is automatically built in. In addition to that you have a preconfigured normalizer that does many security checks. Some of these are shown under "connection settings" of the config guide:
Look also for the IP-options maps.
> 2. Should we filter all ip option with any? if not, which ip option is needed to permit?
What do you want to achieve? In general, these options are rarely used, but they could have a purpose in your network:
http://www.tcpipguide.com/free/t_IPDatagramOptionsandOptionFormat.htm
> 3. ASA seems do not have functions like IPS have signature, without IPS, i feel that the most useful of ASA is HTTP class map, is it?
The built-in signatures are quite outdated and not that useful. For having IPS on the ASA, the FirePOWER security module can be used.
With that, you also can use URL filtering, which is much more powerful than the built-in HTTP controls of the ASA.
11-13-2015 10:35 PM
I discovered a draft about single-packet attacks with IP options, so I want to block all IP options, but I do not know which IP options should be allowed.
The ASA TCP map's terms are not the same as the term names in IP options; are they the same thing?
https://tools.ietf.org/html/draft-ietf-opsec-ip-options-filtering-07
https://tools.ietf.org/html/draft-ietf-6man-ipv6-atomic-fragments-00
https://tools.ietf.org/html/draft-ietf-savi-threat-scope-08
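The ASA-side counterpart to the IOS `option` ACL keywords shown earlier in the thread is the ip-options inspection policy map. The configuration below is an added example and is not from any post in this thread; the map name IPOPT-MAP is a placeholder. The eool, nop and router-alert keywords with the allow/clear actions are what the inspection accepts, and a packet carrying any IP option not listed in the map is dropped by the inspection, which gives the "drop everything except the few options normal hosts use" policy the draft-ietf-opsec-ip-options-filtering document asks for. Note that the tcp-map `tcp-options` keywords (selective-ack, timestamp, window-scale, range) refer to TCP header options, a different thing from IP header options.

```text
! Added example: ASA ip-options inspection (not from the thread)
! IPOPT-MAP is a placeholder name.
policy-map type inspect ip-options IPOPT-MAP
 parameters
  ! keep the three options normal end hosts and router-alert traffic (e.g. RSVP) rely on
  eool action allow
  nop action allow
  router-alert action allow
  ! any other IP option (record route, source route, timestamp, ...) is not listed,
  ! so packets carrying it are dropped by the inspection
!
! attach the map to the default global inspection class
policy-map global_policy
 class inspection_default
  inspect ip-options IPOPT-MAP
!
service-policy global_policy global
!
! checks: per-class inspection counters, and the accelerated-path drop reasons/counters
show service-policy inspect ip-options
show asp drop
```

If a monitoring or reservation protocol in the network needs a specific option, add that option as an explicit allow in the map rather than removing the inspection; the `show asp drop` counters are the place to confirm whether legitimate traffic is being dropped after the map is applied.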