IP options inspection by the ASA firewall

zheka_pefti
Level 2

Hello Cisco security gurus,

Our client deploys an application that is based on IGMP. Hosts on one network segment are supposed to send IGMP joins that should go across the firewall. As part of this process router alert IP option is inserted into the packet.

As proof of the concept and just to confirm that with the proper policy-map configured on the firewall we have control over those packets, we simulated it with just an IOS router configured with "ip igmp join-group 234.xx.xx.xx" under the interface facing the ASA firewall. It was observed that the router does send packets with a 24-byte IP header (with a 4-byte router alert IP option), even though not all routers were able to generate this packet.


The question is more about ASA behavior. Regardless of whether we allow or clear IP options with the layer 7 policy-map, we still see packets with IP options exiting the ASA. I captured packets on the egress interface to confirm it.

These are syslog messages I see on the firewall console:

%ASA-6-106012: Deny IP from XXX.XXX.XXX.1 to 224.22.22.21, IP options: "Router Alert"

%ASA-7-710006: IGMP request discarded from XXX.XXX.XXX.1 to dmz:234.22.22.22

My question is why we can't control this behavior relying on the following statement:

policy-map type inspect ip-options IP-OPT-PM
  parameters
    router-alert action clear | allow

Thanks in advance for a detailed and knowledgeable explanation.

5 Replies

Andrew Phirsov
Level 7

ASA certainly should clear that option/allow packet with option if that inspection policy is applied correctly. Are you sure you've implemented that inspect policy correctly? I mean matching rules in class map, implementing service policy to the ingress interface, etc.?

Thanks for your input, Andrew,

I did everything regarding proper inspection policy application including applying it to the global policy and to the interface. Still same results and no difference:

policy-map type inspect ip-options IP-OPT-PM
  parameters
    router-alert action allow (also tried clear)

policy-map global_policy
  class inspection_default
    inspect ip-options IP-OPT-PM

service-policy global_policy global

or

class-map CM1
  match any

policy-map PM1
  class CM1
    inspect ip-options IP-OPT-PM

service-policy PM1 interface dmz

In the default policy map there's the inspection of ip options by default:

policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp error
    inspect icmp
    inspect esmtp
    inspect snmp
    inspect pptp

And that inspect option is configured to allow router-alert option:

ASA-FWL# sh run all policy-map | b ip-option
policy-map type inspect ip-options _default_ip_options_map
  description Default IP-OPTIONS policy-map
  parameters
    router-alert action allow

Probably that inspection rule takes precedence over what you're trying to configure.

If so, I'd suggest deleting that inspection from the default policy-map and adding yours, which clears that option. It might help.

Thanks for the suggestion, Andrew,

I know what I'm talking about and I did remove the default inspection under the default/global policy-map.

So, when I ran "show run all policy-map" I saw it and removed it:

policy-map type inspect ip-options _default_ip_options_map
  description Default IP-OPTIONS policy-map
  parameters
    router-alert action allow

policy-map global_policy
  class inspection_default
    inspect ip-options _default_ip_options_map

ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# no inspect ip-options _default_ip_options_map

and then I added what I described in the previous post.

My point is that even if I have the service-policy applied to the interface, it should take precedence over the global service-policy. I have just the ip-options inspection policy, with either allow or clear, applied to the interface, and it doesn't make any difference to the overall behavior. I see the syslog messages that the router-alert IP option was denied:

%ASA-6-106012: Deny IP from X.X.X.2 to 224.Y.Y.Y IP options: "Router Alert"

%ASA-7-710006: IGMP request discarded from X.X.X.2 to dmz:224.Y.Y.Y

And what is more important, and makes no sense to me, is that those packets with the router-alert IP option are seen exiting the firewall on the egress interface.

Perhaps we are looking at a very serious software defect.
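The thread hinges on whether the Router Alert option is still present on the egress capture. The following is an added example (not from this thread or from Cisco) that parses the IPv4 option list of a packet, reports the Router Alert option, and emulates what the "router-alert action clear" inspection is expected to do: strip the option, shrink the IHL, and recompute the header checksum. The IGMPv2 report, the source address 192.0.2.1 and the group 234.22.22.22 are constructed sample data.

```python
import struct

ROUTER_ALERT = 0x94  # copied=1, class=0, number=20 (RFC 2113)

def ipv4_checksum(data: bytes) -> int:
    """One's-complement checksum as used by the IPv4 header and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_options(packet: bytes) -> list:
    """Return [(option_type, raw_bytes)] for every option in the IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == 0:               # End of Option List
            break
        if t == 1:               # No Operation (single byte padding)
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            break                # malformed length: stop rather than loop forever
        found.append((t, opts[i:i + length]))
        i += length
    return found

def has_router_alert(packet: bytes) -> bool:
    return any(t == ROUTER_ALERT for t, _ in parse_options(packet))

def clear_router_alert(packet: bytes) -> bytes:
    """Emulate 'router-alert action clear': drop the option, fix IHL, length, checksum."""
    ihl = (packet[0] & 0x0F) * 4
    kept = b"".join(raw for t, raw in parse_options(packet) if t != ROUTER_ALERT)
    kept += b"\x00" * (-len(kept) % 4)          # keep header on a 32-bit boundary
    header = bytearray(packet[:20] + kept)
    header[0] = (packet[0] & 0xF0) | (len(header) // 4)
    struct.pack_into("!H", header, 2, len(header) + len(packet) - ihl)
    struct.pack_into("!H", header, 10, 0)
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]

def build_igmp_report(src: str, group: str) -> bytes:
    """Constructed sample: IGMPv2 Membership Report with a 4-byte Router Alert option."""
    grp = bytes(map(int, group.split(".")))
    igmp = bytearray(struct.pack("!BBH4s", 0x16, 0, 0, grp))
    struct.pack_into("!H", igmp, 2, ipv4_checksum(bytes(igmp)))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0, 1, 2, 0,
                                bytes(map(int, src.split("."))), grp) + bytes([ROUTER_ALERT, 4, 0, 0]))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + bytes(igmp)
```

Feeding the raw IP payload of each packet from an egress capture to has_router_alert() gives a yes/no answer per packet, which is the check the original poster made by eye.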

Hi Guys,

Did you find any solution for this issue?

Please advise.

BR,

Mustafa
