Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1138
Views
0
Helpful
3
Replies

match tcp flags in access-list?

Bradley Urberg Carlson
Level 1
Level 1

‎10-02-2012 02:40 PM - edited ‎03-11-2019 05:03 PM

Is there a way to match tcp flags in an access-list on an ASA, e.g.:

  match-any +syn +fin +rst

or

   match byte[13] eq 2

   match byte[13] eq 17

   match byte[13] eq 4

?

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-02-2012 03:33 PM

Hello Bradley,

No, that is done on an IOS setup.

The ASA as it;s a  stateful firewall by default do not need that setup, he will perform a deep packet inspection of the TCP flags without any configuration required for that.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Bradley Urberg Carlson
Level 1
Level 1
In response to Julio Carvajal

‎10-02-2012 03:40 PM

Thanks, Julio.  I would like to filter, in order to reduce the amount of data captured by a packet-capture.  Not for security purposes.

For example, when debugging a problem, sometimes it helps to view all flows through an interface; but you don't want to see each packet of every flow.  Just seeing the start and end of each TCP flow would be very useful.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Bradley Urberg Carlson

‎10-02-2012 03:56 PM

Hello Bradley,

Got your point but the answer is no.

The ASA will show you the entire connection, you cannot specify on an ACL wheter you want to match a RST or a SYN flag on a tcp session.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card