10-30-2012 05:48 AM - edited 03-11-2019 05:16 PM
Is anyone familiar with:
Deny IP 'x.x.x.x' to 'y.y.y.y', IP options: "Noop"
Explanation: This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action:
Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.
Any guidance would be greatly appreciated, thanks!
10-30-2012 10:42 AM
Hello,
As a security device, the ASA will drop any packets containing any information in the IP options fields; this is the expected behavior of a firewall.
Now there are 3 options that you could configure your ASA to allow if needed. They are options 0, 1 and 20.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1548725
Check that document for more information about the ip inspection on the ASA
Remember to rate all of the posts; if you need any assistance with that, let me know and I will show you how.
Regards,
Julio
01-14-2013 09:06 AM
Hello,
There is another article showing how to enable ip-options for RSVP traffic:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bbcd09.shtml
Please note, however, that if you have an application that is using NOOP, EOOL or RTRALT in traffic other than RSVP, you need a different approach. This is because the default ip-options inspection class matches only the RSVP traffic.
Configuration example:
10.0.0.1 is an application server. It is sending IP packets with EOOL and NOOP options towards the client. The client is 192.168.1.10. The client is initiating the connection.
1. Create an ACL that will match the traffic from the initiator to the server.
ciscoasa(config)# access-list 100 extended permit ip host 192.168.1.10 host 10.0.0.1
You can make it tighter; just match the traffic from the initiator side.
2. Create a class map matching the interesting traffic:
ciscoasa(config)# class-map Options-cmap
ciscoasa(config-cmap)# match access-list 100
3. Configure policy map with options permitted:
ciscoasa(config)# policy-map type inspect ip-options Options-pmap
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# eool action allow
ciscoasa(config-pmap-p)# nop action allow
4. Insert a new class into the global_policy:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class Options-cmap
ciscoasa(config-pmap-c)# inspect ip-options Options-pmap
The result should be:
ciscoasa# show service-policy inspect ip-options
Global policy:
Service-policy: global_policy
Class-map: Options-cmap
Inspect: ip-options Options-pmap, packet 100, lock fail 0, drop 0, reset-drop 0
EOOL: allow 12, clear 0
NOP: allow 18, clear 0
Kind regards,
Mateusz
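As an added illustration (not code from this thread, from Cisco, or from the ASA itself), the following Python models what the `inspect ip-options` policy in the example above decides for a few packets: it walks the IPv4 options area, classifies each option by its option number (the low five bits of the kind byte, so Router Alert kind 0x94 is the "option 20" mentioned earlier, and LSRR 0x83 / SSRR 0x89 are the loose/strict source routing the syslog text tells you to look for), and applies a policy of `allow`/`clear` per option with everything else dropped. The packets are constructed inline, not captured traffic; the way `clear` is modelled (rebuild the header without the option, pad with EOOL, recompute the checksum) is a simplification of mine, not a claim about how the ASA does it.

```python
import struct

# IPv4 option numbers (low five bits of the kind byte). The ASA keywords
# map onto these: eool=0, nop=1, router-alert=20. LSRR/SSRR are the
# loose/strict source-routing options the syslog "Recommended Action" mentions.
EOOL, NOP, LSRR, TS, RR, SSRR, RTRALT = 0, 1, 3, 4, 7, 9, 20
NAMES = {EOOL: "EOOL", NOP: "NOP", LSRR: "LSRR", TS: "TS",
         RR: "RR", SSRR: "SSRR", RTRALT: "RTRALT"}


def header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (protocol 17, TTL 64) carrying the given options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary with EOOL bytes
    ihl = 5 + len(options) // 4
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                        0, 0, 64, 17, 0, src_b, dst_b)
    header = fixed + options
    header = header[:10] + struct.pack("!H", header_checksum(header)) + header[12:]
    return header + payload


def parse_options(packet: bytes):
    """Walk the options area of an IPv4 header; return [(option_number, raw_bytes), ...].
    Raises ValueError on a malformed option, which a firewall treats as an integrity failure."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    area, pos, found = packet[20:ihl], 0, []
    while pos < len(area):
        num = area[pos] & 0x1F
        if num == EOOL:                            # end of option list; the rest is padding
            found.append((num, area[pos:pos + 1]))
            break
        if num == NOP:                             # single-byte option, no length field
            found.append((num, area[pos:pos + 1]))
            pos += 1
            continue
        if pos + 1 >= len(area) or area[pos + 1] < 2 or pos + area[pos + 1] > len(area):
            raise ValueError("malformed option length")
        length = area[pos + 1]
        found.append((num, area[pos:pos + length]))
        pos += length
    return found


def inspect_ip_options(packet: bytes, policy: dict):
    """Model of an 'inspect ip-options' policy map. policy maps option number -> 'allow' | 'clear';
    any option not listed causes a drop. Returns (verdict, packet_out, [(option_name, action), ...])."""
    try:
        options = parse_options(packet)
    except ValueError as exc:
        return "drop", None, [("malformed", str(exc))]
    ihl = (packet[0] & 0x0F) * 4
    actions, kept = [], b""
    for num, raw in options:
        name = NAMES.get(num, "opt%d" % num)
        action = policy.get(num)
        if action is None:
            actions.append((name, "drop"))
            return "drop", None, actions
        actions.append((name, action))
        if action == "allow":
            kept += raw
    if all(a != "clear" for _, a in actions):
        return "allow", packet, actions
    # 'clear' modelled as: rebuild the header with only the kept options (assumption, not ASA internals).
    kept += b"\x00" * (-len(kept) % 4)
    header = bytearray(packet[:20] + kept)
    header[0] = (4 << 4) | (5 + len(kept) // 4)
    struct.pack_into("!H", header, 2, len(header) + len(packet) - ihl)
    struct.pack_into("!H", header, 10, 0)
    struct.pack_into("!H", header, 10, header_checksum(bytes(header)))
    return "allow", bytes(header) + packet[ihl:], actions


# Constructed sample packets (not captured traffic), server 10.0.0.1 -> client 192.168.1.10.
NOP_EOOL = build_ipv4("10.0.0.1", "192.168.1.10", options=b"\x01\x01\x00\x00", payload=b"x")   # NOP, NOP, EOOL
RSVP_LIKE = build_ipv4("10.0.0.1", "192.168.1.10", options=b"\x94\x04\x00\x00", payload=b"x")  # Router Alert (0x94 = option 20)
LSRR_PKT = build_ipv4("10.0.0.1", "192.168.1.10", options=b"\x83\x07\x04\xc0\xa8\x01\x01", payload=b"x")  # loose source route

# Policy equivalent to the Options-pmap above: eool and nop allowed, everything else dropped.
OPTIONS_PMAP = {EOOL: "allow", NOP: "allow"}

if __name__ == "__main__":
    for label, pkt in (("NOP/EOOL", NOP_EOOL), ("Router Alert", RSVP_LIKE), ("LSRR", LSRR_PKT)):
        verdict, _, detail = inspect_ip_options(pkt, OPTIONS_PMAP)
        print(label, "->", verdict, detail)
```

Under `OPTIONS_PMAP` the NOP/EOOL packet passes, while the source-routed packet and the Router Alert packet are both dropped, which is the behaviour that produces the `Deny IP ... IP options:` message when the application's options are not in the class; adding `RTRALT: "clear"` to the policy lets the Router Alert packet through with the option removed and a valid header checksum.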