05-25-2010 05:29 AM - edited 03-11-2019 10:50 AM
Hello!
Is there a way to configure my ASA so that it can block an IP packet (TCP or UDP) based on its size (total size, or even better, on the IP payload)?
Thanks!
05-25-2010 02:45 PM
You can use the "fragment chain" command.
The ASA interface has an MTU. But you can allow up to a certain number of IP fragments. So for example if you use 1 then a total of 1500 bytes of IP packets (header+payload) will be allowed per IP packet (even fragmented packets).
I hope it helps.
PK
05-25-2010 11:27 PM
Yes I can configure the MTU on the ASA interfaces, but the command is entered "globally" on an interface, i.e. I mean that the command is applied for both incoming and outgoing packets. The thing is that I want to drop incoming packets on an interface whose size is greater than, let's say, 100 bytes.
So with your method, do you think if I use the following commands, it will work?
#fragment chain 1 inside
#fragment size 100 inside
And even if it worked, would it be enabled only for incoming packets?
Thanks!
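To make the requested policy concrete (drop incoming TCP/UDP whose IP payload exceeds 100 bytes), here is an added example of a per-packet size check over raw IPv4 headers; it is not from the thread or from Cisco, the packets and addresses are constructed, and it also shows why a per-packet check judges each fragment on its own rather than the reassembled datagram.

```python
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout


def parse_ipv4(pkt: bytes) -> dict:
    """Return the length-related fields of an IPv4 packet (header only)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HEADER, pkt[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hdr_len < 20 or total_len < hdr_len or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "total_len": total_len,               # header + payload, as carried in the header
        "payload_len": total_len - hdr_len,   # the "IP payload" size the question asks about
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
    }


def should_drop(pkt: bytes, max_payload: int = 100, protocols=(6, 17)) -> bool:
    """Ingress policy from the thread: drop TCP (6) / UDP (17) whose IP payload > max_payload.
    Each fragment is judged alone, so a large datagram split into small fragments passes
    this check; a real device needs reassembly or a fragment limit alongside it."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError:
        return True  # unparsable headers are dropped, not passed
    if hdr["proto"] not in protocols:
        return False
    return hdr["payload_len"] > max_payload


def build_ipv4(payload: bytes, proto: int = 6, more_fragments: bool = False,
               frag_offset: int = 0) -> bytes:
    """Constructed test packet: checksum left zero, hypothetical 10.0.0.x addresses."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 1, flags_frag, 64,
                         proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


if __name__ == "__main__":
    samples = [("small_tcp", build_ipv4(b"A" * 100, proto=6)),
               ("big_udp", build_ipv4(b"B" * 101, proto=17)),
               ("big_icmp", build_ipv4(b"C" * 500, proto=1)),
               ("tcp_fragment", build_ipv4(b"D" * 80, proto=6, more_fragments=True))]
    for name, pkt in samples:
        print(name, "drop" if should_drop(pkt) else "pass")
```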
05-26-2010 06:20 AM
I am afraid that is not something you can do on the ASA.
If you have a router then Flexible Packet Matching could very well do what you want matching on header fields and patterns in the packet.
Here is a doc that explains it http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6.html
I hope it helps.
PK
05-26-2010 07:02 AM
All right, so it is not possible with an ASA. Now we know it's a fact!
But many thanks for the link about FPM, I think this is exactly what I needed. I'll take a look more deeply (if I can get my hands on a valid IOS file to test it!)
Again, thank you!
05-26-2010 07:06 AM
Yup, FPM is pretty useful. A little tricky but useful as it looks deeply into the packet.
PK