Ahhhhrr, yes, it seems I mixed IP Options with TCP options here. TCP Options are cleared and the packet is passed out. IP Options not.
Thanks Tyson for bringing this up.

--
Piotr Matusiak
CCIE #19860 (R&S, Security)

2010/1/26 Tyson Scott <[email protected]>

> Piotr,
>
> Are you sure about your last statement on IP Options? The TCP Normalizer
> allows you to selectively allow/control TCP Options, which are in the TCP
> header. IP Option control as shown below looks to be a new feature of
> 8.2.2. My understanding is that prior to 8.2.2 all IP options were dropped
> by the ASA. Please correct me if I am wrong?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Piotr Matusiak
> Sent: Monday, January 25, 2010 6:35 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] ASA Release: 8.2.2.ED
>
> Hi Simon,
>
> Packets with IP Options are passed by default by the ASA, the only thing is
> that the IP Options are cleared before passing.
> For the new feature there are three IP Options which can be configured by
> "parameters" inside the policy-map type inspect.
>
> IP Options inspection can check for the following three IP options in a
> packet:
>
> - End of Options List (EOOL) or IP Option 0—This option, which contains
> just a single zero byte, appears at the end of all options to mark the end
> of a list of options. This might not coincide with the end of the header
> according to the header length.
>
> - No Operation (NOP) or IP Option 1—The Options field in the IP header can
> contain zero, one, or more options, which makes the total length of the
> field variable. However, the IP header must be a multiple of 32 bits. If the
> number of bits of all options is not a multiple of 32 bits, the NOP option
> is used as "internal padding" to align the options on a 32-bit boundary.
>
> - Router Alert (RTRALT) or IP Option 20—This option notifies transit
> routers to inspect the contents of the packet even when the packet is not
> destined for that router. This inspection is valuable when implementing RSVP
> and similar protocols that require relatively complex processing from the routers
> along the packet's delivery path.
>
> Although I haven't checked that yet on the hardware, I think allowing
> other IP Options (other than mentioned above) still must be configured in
> the same way as it was previously (TCP normalization).
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
>
> 2010/1/25 <[email protected]>
>
> Hi,
> I just took a quick overview of the release notes of ASA Release:
> 8.2.2.ED and noticed this:
>
> Inspection for IP Options:
> You can now control which IP packets with specific IP options should
> be allowed through the adaptive security appliance. You can also clear
> IP options from an IP packet, and then allow it through the adaptive
> security appliance. Previously, all IP options were denied by default,
> except for some special cases.
>
> Note This inspection is enabled by default. The following command is
> added to the default global service policy: inspect ip-options.
> Therefore, the adaptive security appliance allows RSVP traffic that
> contains packets with the Router Alert option (option 20) when the
> adaptive security appliance is in routed mode.
>
> The following commands were introduced: policy-map type inspect
> ip-options, inspect ip-options, eool, nop.
>
> What is the difference between using this option compared to allowing the
> packet with the IP option? Does it mean that I can clear the IP option
> and then allow the packet with the cleared IP option? I'm unsure if
> this was possible before.
>
> Cheers
> Simon
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
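The policy the thread is discussing, written out as an added example (this configuration is not part of the thread and is not taken from Cisco's documentation). It assumes ASA 8.2(2), where the release note quoted above introduced policy-map type inspect ip-options, inspect ip-options, eool and nop; the map name ipopts-map is an assumed name, and the show command at the end is the one used to check hit and drop counters for this inspection. The example answers Simon's question directly: "allow" forwards the packet with the option still in the IP header, "clear" removes that option and forwards the rest of the packet, and options the map does not name (anything other than EOOL, NOP and Router Alert) remain denied, as the release note says they were before.

```cisco
! Added example for ASA 8.2(2): selectively allow or strip the three
! IP options the ip-options inspection understands.
! "ipopts-map" is an assumed name for the inspection policy map.
policy-map type inspect ip-options ipopts-map
 parameters
  ! Keep Router Alert (option 20) intact so RSVP and similar protocols
  ! still work on transit routers behind the ASA.
  router-alert action allow
  ! Padding (NOP, option 1) and terminator (EOOL, option 0) carry no
  ! payload semantics: remove them from the header, then pass the packet.
  nop action clear
  eool action clear
!
! Attach the map to the default global policy in place of the
! parameter-less "inspect ip-options" that 8.2(2) adds by default.
policy-map global_policy
 class inspection_default
  no inspect ip-options
  inspect ip-options ipopts-map
!
service-policy global_policy global
!
! Verify which options were allowed, cleared or dropped:
! show service-policy inspect ip-options
```

Two practical caveats: a packet carrying any option outside these three (record route, strict/loose source route, timestamp) is still dropped by the inspection, which is what you want on a perimeter device, and "clear" changes the IP header, so anything that integrity-protects the header end to end (AH, for example) will fail validation downstream; use "allow" for such flows or exempt them from the inspection class.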
