11-04-2016 08:12 AM - edited 03-12-2019 01:29 AM
Hi,
I'm having a problem regarding the NOOP option, with the error message below. I want to allow the nop action according to this discussion:
%ASA-6-106012: Deny IP from x.x.x.x to y.y.y.y , IP options: "Noop"
https://supportforums.cisco.com/discussion/11646641/unfamiliar-asa-log-message
but I don't find inspect ip-options under the protocol inspection section (see attached)
policy-map type inspect ip-options Options-pmap
^
ERROR: % Invalid input detected at '^' marker.
How can I enable ip-options?
Thank you!
Labels: NGFW Firewalls
Accepted Solutions
11-07-2016 03:24 PM
Hi,
The command was introduced in 8.2(2). You would need to upgrade to get that command option.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/intro.html#wp1063588
"You can now control which IP packets with specific IP options should be allowed through the ASA. You can also clear IP options from an IP packet, and then allow it through the ASA. Previously, all IP options were denied by default, except for some special cases.
Note This inspection is enabled by default. The following command is added to the default global service policy: inspect
The following commands were introduced: policy-map type
Regards,
Kanwal
Note: Please mark answers if they are helpful.
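An added example, not part of the thread or of Cisco's documentation: a small triage script that summarizes which IP options an ASA is denying (syslog 106012, in the format quoted in the question) and checks a "show version" banner against the 8.2(2) minimum given in the answer above. The log lines and addresses are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Syslog 106012 in the shape quoted in the question:
#   %ASA-6-106012: Deny IP from <src> to <dst>, IP options: "<name>"
MSG_106012 = re.compile(
    r'%ASA-\d-106012: Deny IP from (?P<src>[^\s,]+) to (?P<dst>[^\s,]+)\s*,'
    r'\s*IP options: "(?P<opt>[^"]*)"'
)
# First line of "show version": "... Software Version 8.2(1)"
VERSION = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)")

# Per the accepted answer, the ip-options policy-map was introduced in 8.2(2).
IP_OPTIONS_INSPECT_MIN = (8, 2, 2)

def parse_version(show_version):
    """Return (major, minor, maintenance) from 'show version' text, or None."""
    m = VERSION.search(show_version)
    return tuple(int(x) for x in m.groups()) if m else None

def supports_ip_options_inspect(show_version):
    """True if the image is at or above the release that added the command."""
    v = parse_version(show_version)
    return v is not None and v >= IP_OPTIONS_INSPECT_MIN

def denied_options(log_lines):
    """Count 106012 denies per (source, destination, option name)."""
    counts = Counter()
    for line in log_lines:
        m = MSG_106012.search(line)
        if m:
            counts[(m["src"], m["dst"], m["opt"])] += 1
    return counts

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    'Nov 04 2016 08:10:01: %ASA-6-106012: Deny IP from 192.0.2.10 to 198.51.100.20, IP options: "Noop"',
    'Nov 04 2016 08:10:02: %ASA-6-106012: Deny IP from 192.0.2.10 to 198.51.100.20 , IP options: "Noop"',
    'Nov 04 2016 08:10:05: %ASA-6-106012: Deny IP from 192.0.2.44 to 198.51.100.20, IP options: "Router Alert"',
    "Nov 04 2016 08:10:06: %ASA-6-302013: Built outbound TCP connection (unrelated message)",
]
SHOW_VERSION_821 = "Cisco Adaptive Security Appliance Software Version 8.2(1)\nDevice Manager Version 6.3(1)"

if __name__ == "__main__":
    print("ip-options inspection available:", supports_ip_options_inspect(SHOW_VERSION_821))
    for (src, dst, opt), n in denied_options(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {dst}  option={opt}")
```

Reviewing the per-flow counts before relaxing the policy shows which senders actually rely on the option, so any allow or clear action can be scoped to traffic that needs it.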
11-07-2016 12:32 PM
Hi,
any idea?
thanks
11-07-2016 02:14 PM
Hi,
Which version of ASA are you running?
configure mode commands/options:
diameter Configure a
h323 Configure a
ipv6 Configure a
lisp Configure a
radius-accounting Configure a
sip Configure a
skinny Configure a
Can you paste "show version" output from your
Regards,
Kanwal
Note: Please mark answers if they are helpful.
11-07-2016 03:20 PM
Hi,
Thank you for your reply.
Asa version:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5550 VPN Premium license.
Inspection type:
ASA(config)# policy-map type inspect ?
configure mode commands/options:
dcerpc Configure a policy-map of type DCERPC
dns Configure a policy-map of type DNS
esmtp Configure a policy-map of type ESMTP
ftp Configure a policy-map of type FTP
gtp Configure a policy-map of type GTP
h323 Configure a policy-map of type H.323
http Configure a policy-map of type HTTP
im Configure a policy-map of type IM
ipsec-pass-thru Configure a policy-map of type IPSEC-PASS-THRU
mgcp Configure a policy-map of type MGCP
netbios Configure a policy-map of type NETBIOS
radius-accounting Configure a policy-map of type Radius Accounting
rtsp Configure a policy-map of type RTSP
sip Configure a policy-map of type SIP
skinny Configure a policy-map of type Skinny
I think ip-options is supported, this is why I have the error message regarding NOOP, but I don't know how to enable this option and tune it!
Thanks.
Regards,
11-07-2016 03:27 PM
Hi,
Ok, it's clear.
Thank you very much!
Regards,
11-07-2016 03:28 PM
Hi,
I am glad
Regards,
Kanwal
Note: Please mark answers if they are helpful.
