Piotr,


Are you sure about your last statement on IP Options? The TCP Normalizer
allows you to selectively allow/control TCP Options, which are in the TCP
header. IP Option control as shown below looks to be a new feature of
8.2.2. My understanding is that prior to 8.2.2 all IP options were dropped
by the ASA. Please correct me if I am wrong.


Regards,


Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130


From: [email protected]
[mailto:[email protected]] On Behalf Of Piotr Matusiak
Sent: Monday, January 25, 2010 6:35 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ASA Release: 8.2.2.ED


Hi Simon,

Packets with IP Options are passed by default by the ASA; the only thing is
that the IP Options are cleared before passing.
For the new feature there are three IP Options which can be configured by
"parameters" inside the policy-map type inspect.

IP Options inspection can check for the following three IP options in a
packet:

- End of Options List (EOOL) or IP Option 0: This option, which contains
just a single zero byte, appears at the end of all options to mark the end
of a list of options. This might not coincide with the end of the header
according to the header length.

- No Operation (NOP) or IP Option 1: The Options field in the IP header can
contain zero, one, or more options, which makes the total length of the
field variable. However, the IP header must be a multiple of 32 bits. If the
number of bits of all options is not a multiple of 32 bits, the NOP option
is used as "internal padding" to align the options on a 32-bit boundary.

- Router Alert (RTRALT) or IP Option 20: This option notifies transit routers
to inspect the contents of the packet even when the packet is not destined
for that router. This inspection is valuable when implementing RSVP and
similar protocols, which require relatively complex processing from the routers
along the packet's delivery path.


Although I haven't checked that yet on the hardware, I think allowing other
IP Options (other than those mentioned above) still must be configured in the same
way as it was previously (TCP normalization).


HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)



2010/1/25 <[email protected]>


Hi,
I just took a quick overview of the release notes of ASA Release:
8.2.2.ED and noticed this:

Inspection for IP Options:
You can now control which IP packets with specific IP options should
be allowed through the adaptive security appliance. You can also clear
IP options from an IP packet, and then allow it through the adaptive
security appliance. Previously, all IP options were denied by default,
except for some special cases.

Note This inspection is enabled by default. The following command is
added to the default global service policy: inspect ip-options.
Therefore, the adaptive security appliance allows RSVP traffic that
contains packets with the Router Alert option (option 20) when the
adaptive security appliance is in routed mode.

The following commands were introduced: policy-map type inspect
ip-options, inspect ip-options, eool, nop.


What is the difference between using this option compared to allowing the
packet with the IP option? Does it mean that I can clear the IP option
and then allow the packet with the cleared IP option? I'm unsure if
this was possible before.

Cheers
Simon

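Added example, not from this thread and not Cisco's code: a small Python walker for the IPv4 options field using the encoding the three options discussed above rely on (EOOL and NOP are single-octet, Router Alert is type 0x94, i.e. option number 20 with the copied bit set), a check that flags option numbers outside the EOOL/NOP/Router Alert set, and a routine showing what "clearing" the options does to the header (IHL, total length and checksum must all be rewritten). The packet builder, addresses and sample packet are constructed test data.

```python
import struct
# Option numbers live in the low 5 bits of the type octet (RFC 791); Router Alert is type 0x94 = copied bit + number 20.
EOOL, NOP, RTRALT = 0, 1, 20

def ip_checksum(hdr: bytes) -> int:
    """Ones-complement header checksum; evaluates to 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))   # header length is always even (IHL*4)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(options: bytes, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 packet (proto 46 = RSVP); options must already be padded to 32 bits."""
    ihl = 5 + len(options) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                                0x4000, 64, 46, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options)
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def parse_ip_options(pkt: bytes) -> list:
    """Walk the options area; returns (copied, class, number, data) per option. EOOL stops the walk."""
    opts, found, i = pkt[20:(pkt[0] & 0x0F) * 4], [], 0
    while i < len(opts):
        t = opts[i]
        copied, cls, number = t >> 7, (t >> 5) & 3, t & 0x1F
        if number in (EOOL, NOP):                      # single-octet options, no length field
            found.append((copied, cls, number, b""))
            if number == EOOL:
                break                                  # anything after EOOL is padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option at offset %d" % i)
        found.append((copied, cls, number, bytes(opts[i + 2:i + opts[i + 1]])))
        i += opts[i + 1]
    return found

def unpermitted_options(pkt: bytes, permitted=(EOOL, NOP, RTRALT)) -> set:
    """Option numbers present that are outside the permitted set (empty set means the packet may pass)."""
    return {o[2] for o in parse_ip_options(pkt)} - set(permitted)

def clear_ip_options(pkt: bytes) -> bytes:
    """What clearing means on the wire: drop the options, reset IHL to 5, fix total length and checksum."""
    ihl, hdr = (pkt[0] & 0x0F) * 4, bytearray(pkt[:20])
    hdr[0] = (pkt[0] & 0xF0) | 5
    struct.pack_into("!H", hdr, 2, 20 + len(pkt) - ihl)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

# Constructed sample: Router Alert (0x94 0x04 0x00 0x00), NOP, EOOL, then two pad octets.
SAMPLE = build_ipv4(bytes([0x94, 4, 0, 0, NOP, EOOL, 0, 0]), b"\xaa\xbb\xcc\xdd")
```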


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
