can ASA filter ip option and how?

martlee2
Cisco Employee

1. Can the ASA filter IP options, and some filters like the ones below, and how?

If not, does it mean that buying a switch is more secure, since the Windows firewall can already block TCP and UDP?

! Numbered ACL (IOS): drop non-initial fragments addressed to the host
access-list 101 deny ip any host 192.168.1.2 fragments
! Named extended ACL (IOS): match on IP option type and on TCP flag combinations
ip access-list extended mylist1
 deny ip any any option traceroute
 deny tcp any any match-all -ack -fin
 permit ip any any option security
 permit tcp any any match-any +rst
! Check the entries and hit counters, then apply the ACL inbound in interface configuration mode
show ip access-lists mylist1
ip access-group mylist1 in

2. Should we filter all IP options with "any"? If not, which IP options need to be permitted?

3. The ASA does not seem to have functions like IPS signatures. Without IPS, I feel that the most useful part of the ASA is the HTTP class map, is it?

4 Replies

Tagir Temirgaliyev
Spotlight

A Cisco router can drop every IP packet that carries an options field:

ip option drop

but it says that RRSP (resource reservation protocol) needs IP options,

and I do not know how to check which packets were dropped.

I know that a Cisco switch or router can do IP options filtering; however, I could not find this for the ASA before asking this question.

So I would like to find out how to filter IP options on the ASA.

> 1. can ASA filter ip option and some filter like below and how?

The ASA is a stateful firewall, which means that the flag handling is automatically built in. In addition to that you have a preconfigured normalizer that does many security checks. Some of these are shown under "connection settings" of the config guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-connlimits.html

Look also for the IP options maps.

> 2. Should we filter all ip option with any? if not, which ip option is needed to permit?

What do you want to achieve? In general, these options are rarely used, but they could have a purpose in your network:

http://www.tcpipguide.com/free/t_IPDatagramOptionsandOptionFormat.htm

> 3. ASA seems do not have functions like IPS have signature, without IPS, i feel that the most useful of ASA is HTTP class map, is it?

The built-in signatures are quite outdated and not that useful. For having IPS on the ASA, the FirePOWER security module can be used.

With that, you can also use URL filtering, which is much more powerful than the built-in HTTP controls of the ASA.
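The reply above points at the IP options map and the normalizer in the config guide without showing the configuration. The fragment below is an added example, not from this thread and not Cisco's own text; it assumes ASA 9.x CLI syntax, and the names ip-options_map, tcp-normalize, tcp-traffic and outside are placeholders. It drops every IP packet whose options are not EOOL, NOP or Router Alert, drops all fragments on the outside interface, and tightens the TCP normalizer a little beyond the stateful defaults.

```text
! Added example (not from the thread): ASA 9.x syntax assumed; map, class
! and interface names are placeholders.
!
! 1. IP options inspection map: only the three listed option kinds are
!    allowed through. Any packet carrying an option not named in the map
!    is dropped by the inspection.
policy-map type inspect ip-options ip-options_map
 parameters
  eool action allow
  nop action allow
  router-alert action allow
!
! 2. Fragments: a chain limit of 1 means a datagram may consist of only one
!    fragment, so every fragmented packet arriving on "outside" is dropped
!    (the default chain limit is 24).
fragment chain 1 outside
!
! 3. TCP normalizer: clear the reserved bits and the URG flag, and clear
!    every TCP option kind outside 0-5 and 8 (kind 8, timestamp, has its own
!    keyword and is left at the default). Flag-combination checks such as
!    SYN+FIN are already part of the stateful defaults.
tcp-map tcp-normalize
 reserved-bits clear
 urgent-flag clear
 tcp-options range 6 7 clear
 tcp-options range 9 255 clear
class-map tcp-traffic
 match any
!
! 4. Attach both to the default global policy. The default policy already
!    carries a map-less "inspect ip-options", so remove it before adding
!    the one that references the map.
policy-map global_policy
 class inspection_default
  no inspect ip-options
  inspect ip-options ip-options_map
 class tcp-traffic
  set connection advanced-options tcp-normalize
service-policy global_policy global
!
! Verification (what the first reply's author said he could not find):
!   show service-policy inspect ip-options   ! per-option packet/drop counters
!   show fragment outside                    ! fragment database and drops
!   show asp drop                            ! accelerated-path drop reasons
```

Two practical notes. Older releases name only eool, nop and router-alert in the map and treat everything else as "drop"; later 9.x releases add further per-option keywords and a default action, so check the command reference for the release in use before relying on the implicit drop. The option keywords in the IOS ACL from the question (traceroute, security) and the ASA map keywords refer to the same on-the-wire IP option types, only the vocabulary differs; the ASA TCP map, by contrast, configures TCP-header options and flags, which are a different thing from IP options.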

I discovered a draft about single-packet attacks with IP options, so I want to block all IP options, but I do not know which IP options should be allowed.

The ASA TCP map's terms are not the same as the term names in IP options; are they the same thing?

https://tools.ietf.org/html/draft-ietf-opsec-ip-options-filtering-07

https://tools.ietf.org/html/draft-ietf-6man-ipv6-atomic-fragments-00

https://tools.ietf.org/html/draft-ietf-savi-threat-scope-08
