Tuesday, April 7, 2009

Understanding TCP Options with Cisco PIX and Riverbed Steelheads

What are TCP options?
---------------------------------
TCP has provision for optional header fields identified by an option type
(kind) field. Options 0 and 1 are exactly one octet, which is their type field.
All other options have a one-octet type field, followed by a one-octet length
field, followed by length-2 octets of option data.
The standard TCP options are Type 0 (End of Option List), 1 (No-Operation), 2
(Maximum Segment Size, len 4), 3 (WSOPT - Window Scale, len 3), 4 (SACK
Permitted, len 2), 5 (SACK, variable len) and 8 (TSOPT - Time Stamp Option,
len 10).
Types 6-7 and 9-255 have no widespread use in ordinary traffic and are usually
cleared or blocked by firewall policies; PIX/ASA 7.x clears them by default.
(Type 19, the TCP MD5 signature option used by BGP sessions, is the common
exception and falls in the same range.)
Riverbed uses Type 76, which falls in the Unassigned Type range 28-252.
Some firewall configurations strip unknown TCP options; others drop packets
carrying them. With its default tcp-map, Cisco PIX software version 7.0 clears
option 76 from the SYN, so the auto-discovery probe never reaches the far-side
Steelhead and the connection is passed through unoptimized.
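The following Python is an added example, not code from the original post, Cisco or Riverbed. It parses the option list of a raw TCP header exactly as described above (kinds 0 and 1 are one octet, everything else is kind, length, data), flags option 76, and then models what a tcp-map "clear" does to a SYN. The sample SYN, the ten data bytes inside the kind-76 option, the set of kinds the default tcp-map allows, and the assumption that a cleared option is overwritten with NOPs are all constructed for illustration; Riverbed's real probe layout and the exact ASA rewrite are not documented here.

```python
"""Parse the TCP option list of a raw TCP header and model what a PIX/ASA
tcp-map does when it 'clears' an option kind.

Added example, not code from the original post, Cisco or Riverbed. The sample
SYN and the option-76 payload are constructed; the 'clear' rewrite (overwrite
with NOPs so the header length is unchanged) is an assumption.
"""
import struct

# Option kinds from the IANA TCP option registry.
EOL, NOP, MSS, WSOPT, SACK_PERM, SACK, TSOPT = 0, 1, 2, 3, 4, 5, 8
RIVERBED_PROBE = 76  # kind 0x4C, used by Steelhead auto-discovery

# Kinds the PIX/ASA default tcp-map leaves alone (assumption: 2, 3, 4, 5, 8).
DEFAULT_ALLOWED = frozenset({MSS, WSOPT, SACK_PERM, SACK, TSOPT})


def parse_options(tcp_header):
    """Return [(kind, data)] for the options after the 20-byte fixed header.

    Kinds 0 and 1 are one octet; every other option is kind, length, then
    length-2 octets of data. Malformed lengths raise ValueError."""
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset %d" % data_offset)
    opts = tcp_header[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            parsed.append((EOL, b""))
            break
        if kind == NOP:
            parsed.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d truncated before its length" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option %d" % (length, kind))
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def has_riverbed_probe(tcp_header):
    """True if the header still carries option 76."""
    return any(kind == RIVERBED_PROBE for kind, _ in parse_options(tcp_header))


def apply_tcp_map(tcp_header, allowed_kinds):
    """Model 'tcp-options range X Y clear': every option whose kind is not in
    allowed_kinds is overwritten with NOPs (assumed rewrite); EOL and NOP are
    always kept. Returns the rewritten header, same length as the input."""
    hdr = bytearray(tcp_header)
    data_offset = (hdr[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = hdr[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option %d truncated before its length" % kind)
        length = hdr[i + 1]
        if kind not in allowed_kinds:
            hdr[i:i + length] = bytes([NOP]) * length
        i += length
    return bytes(hdr)


def build_syn(options, sport=40000, dport=80, seq=1):
    """Constructed TCP SYN header (no IP header, checksum left at zero)."""
    options += b"\x00" * ((-len(options)) % 4)  # pad with EOL to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options


# Constructed option list as a client-side Steelhead might send it: MSS 1460,
# SACK-permitted, timestamps, NOP, window scale 7, then a kind-76 probe whose
# 10 data bytes are made up here.
SAMPLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
                  + b"\x08\x0a" + b"\x00\x00\x00\x01\x00\x00\x00\x00"
                  + b"\x01" + b"\x03\x03\x07"
                  + bytes([RIVERBED_PROBE, 12]) + b"\x01\x01\x0a\x01\x02\x03" + b"\x00" * 4)

if __name__ == "__main__":
    syn = build_syn(SAMPLE_OPTIONS)
    print("sent:", [k for k, _ in parse_options(syn)])
    stripped = apply_tcp_map(syn, DEFAULT_ALLOWED)  # default tcp-map
    print("after default tcp-map, probe present:", has_riverbed_probe(stripped))
    fixed = apply_tcp_map(syn, DEFAULT_ALLOWED | {RIVERBED_PROBE})  # range 76 76 allow
    print("after 'range 76 76 allow', probe present:", has_riverbed_probe(fixed))
```

Run it as a script: the first rewrite (the default allowed set) leaves the SYN the same length but with option 76 gone, which is what the far-side Steelhead sees through an unmodified PIX; adding 76 to the allowed set returns the SYN unchanged. The same parser run over a capture from the far side of the firewall is the quickest way to confirm which case you are in.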
How do you allow TCP option 76 in PIX?
--------------------------------------------------
Version 7.0(1) introduced the "tcp-options" command (configured inside a
tcp-map) to allow or clear individual TCP options. The tcp-map is applied to
traffic through a class-map, a policy-map and a service-policy.
Here is a sample configuration:
PIX(config)# access-list TCP extended permit tcp any any
PIX(config)# tcp-map tmap
PIX(config-tcp-map)# tcp-options range 76 76 allow
PIX(config)# class-map cmap
PIX(config-cmap)# match access-list TCP
PIX(config)# policy-map pmap
PIX(config-pmap)# class cmap
PIX(config-pmap-c)# set connection advanced-options tmap
PIX(config)# service-policy pmap global
The access-list matches all TCP traffic; narrow it to the Steelhead in-path
addresses if you do not want option 76 allowed for every connection through
the firewall.
Errors with Existing Service Policy
------------------------------------------
Only one policy map can be applied globally. If a global service policy is
already in place (on the ASA the default one is called global_policy), the
final "service-policy pmap global" command fails with "ERROR: Policy map
global_policy is already configured as a service policy," and you need to
modify the existing policy instead.
(Use "show running-config service-policy" to see which service policies are
applied.)
If a service policy is already defined, use this set of commands; the first
five are the same as before, and the last three attach the class to the
existing policy map instead of creating pmap:
ciscoasa# config t
ciscoasa(config)# access-list TCP extended permit tcp any any
ciscoasa(config)# tcp-map tmap
ciscoasa(config-tcp-map)# tcp-options range 76 76 allow
ciscoasa(config-tcp-map)# class-map cmap
ciscoasa(config-cmap)# match access-list TCP
ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class cmap
ciscoasa(config-pmap-c)# set connection advanced-options tmap
These commands modify the policy map named "global_policy," which is already
applied with "service-policy global_policy global." So instead of defining a
policy map called pmap, we modify and use the existing policy map called
global_policy.
Now the Steelheads auto-discover each other and work as expected. Verify with
"show service-policy global" (class cmap should be listed under global_policy)
and, if in doubt, capture a SYN on the far-side Steelhead and confirm option 76
is still present.

(You can delete the policy map you created earlier called pmap if you want.)

2 comments:

Rahul Anand said...

Hi Prabhat,
Thanks for this nice doc. I have a similar setup where a Riverbed appliance is planned to be placed behind an ASA (8.6) firewall in serial HA mode. I want to make communication between Riverbed appliances across an MPLS network. The setup is like this: Branch & DR --> MPLS --> Router --> ASA --> switch --> Riverbed in serial HA --> IPS --> Core switch. Can you please help me configure the ASA and the Riverbed appliance in such a scenario? The IPSEC tunnel from the branch is running on the ASA firewall.