Thanks, Ben. 


Johan Bornman
Integrated Systems Consulting (Pty) Ltd
Cell: 082 783 3635

On 13 Sep 2012, at 6:29, "Ben Shaw" <[email protected]> wrote:

> Hi All
> 
> Having a look at the class-map command 'match port', it seems to me that this 
> port only matches the destination port of a UDP or TCP flow. As an example, I 
> configured a class map to match port 179 in order to configure TCP parameters 
> on the global policy to get BGP authentication working. Below is the relevant 
> configuration:
> 
> tcp-map tmap1
>   tcp-options range 19 19 allow
> class-map BGP
>  match port tcp eq bgp
> policy-map global_policy
>  class BGP
>   set connection random-sequence-number disable
>   set connection advanced-options tmap1
> 
> When I test the functionality of this configuration with the "show 
> service-policy flow" command in either direction I get the following:
> 
> Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 50000 host 
> 174.1.127.5 eq 179
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: port tcp eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>   set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>       Input flow:
> 
> Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 179 host 
> 174.1.124.5 eq 50000
> Global policy:
>   Service-policy: global_policy
>     Class-map: class-default
>       Match: any
>       Action:
>       Input flow:
> 
> Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 50000 host 
> 174.1.124.5 eq 179
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: port tcp eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>   set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>       Input flow:
> 
> Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 179 host 
> 174.1.127.5 eq 50000
> Global policy:
>   Service-policy: global_policy
>     Class-map: class-default
>       Match: any
>       Action:
>       Input flow:
> 
> As can be seen above, the BGP class map is matched regardless of which side 
> of the firewall the peering is initiated on but not for TCP response packets 
> (source port 179). As a side note - it would seem that considering the BGP 
> peering still forms with this configuration that allowing TCP option 19 and 
> disabling TCP randomization is only required for traffic from the initiating 
> peer (to destination port 179) and not required for TCP response packets.
> 
> But what about other situations where it is important that both directions 
> of a flow are matched by the class map, i.e. initiating traffic to the 
> destination port defined in the class map and response traffic from that same 
> port? In such a case, the 'match port' command is not suitable as it will 
> not match return traffic using the defined port as the source port. It is 
> required to use an ACL like the one below:
> 
> access-list BGP extended permit tcp any eq bgp any
> access-list BGP extended permit tcp any any eq bgp
> class-map BGP
>  match access-list BGP
> 
> As can be seen below, the flow is now matched in both directions:
> 
> Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 50000 host 
> 174.1.127.5 eq 179
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any any eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>   set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>       Input flow:
> 
> Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 179 host 
> 174.1.124.5 eq 50000
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any eq bgp any
>       Action:
>         Input flow:  set connection random-sequence-number disable
>   set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>       Input flow:
> 
> Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 50000 host 
> 174.1.124.5 eq 179
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any any eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>   set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>       Input flow:
> 
> Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 179 host 
> 174.1.127.5 eq 50000
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any eq bgp any
>       Action:
>         Input flow:  set connection random-sequence-number disable
>   set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>       Input flow:
> 
> Anyway, this did start as a question to clarify my understanding, but I seemed 
> to answer my own question and thought it may be worthwhile sharing anyway. Of 
> note is that if you need to perform some kind of advanced policy on traffic 
> in a TCP/UDP flow bidirectionally, the 'match port' command is not suitable 
> as it will only work in one direction; you will need something like an ACL 
> matching the port as both a source and destination port.
> 
> Ben
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com
> 
> Are you a CCNP or CCIE and looking for a job? Check out 
> www.PlatinumPlacement.com