Panos Kampanakis (Cisco Employee) Tue, 05/25/2010 - 14:45

You can use the "fragment chain" command.

The ASA interface has an MTU. But you can allow up to a certain number of IP fragments. So for example, if you use 1, then a total of 1500 bytes of IP packet (header+payload) will be allowed per IP packet (even fragmented packets).


I hope it helps.


PK
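What those knobs actually control on the ASA, as an added configuration example that is not part of the original post (the interface name "inside" and the values are assumed; the semantics are those of the ASA `fragment` and `mtu` commands):

```text
! Added example, not from the thread. Interface name "inside" and all values are assumed.
!
! Interface MTU: the largest IP packet the ASA will transmit out of "inside" without
! fragmenting it (default 1500).
mtu inside 1500
!
! fragment chain: maximum number of fragments one IP packet may be split into on this
! interface (default 24). A value of 1 means only unfragmented packets are accepted, so
! nothing larger than the MTU can pass through in pieces; fragments arriving on "inside"
! are dropped.
fragment chain 1 inside
!
! fragment size: maximum number of PACKETS the fragment reassembly database may hold for
! this interface (default 200). It is a count of buffered fragments, not a byte length,
! so it does not cap the size of an individual packet.
fragment size 200 inside
!
! fragment timeout: seconds to wait for all fragments of a packet before discarding the
! partial chain (default 5).
fragment timeout 5 inside
```

`show fragment inside` reports the configured limits together with the reassembly counters, which is the quickest way to confirm that fragments are being dropped rather than reassembled. Keep the units straight when reading the output: `fragment size N` shrinks or grows the reassembly database to N packets and says nothing about how many bytes a single packet may carry.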

jacques_henry696 Tue, 05/25/2010 - 23:27

Yes, I can configure the MTU on the ASA interfaces, but the command is entered "globally" on an interface, i.e. I mean that the command is applied to both incoming and outgoing packets. The thing is that I want to drop incoming packets on an interface whose size is greater than, let's say, 100 bytes.


So with your method, do you think if I use the following commands, it will work?

#fragment chain 1 inside

#fragment size 100 inside


And even if it worked, would it be enabled only for incoming packets?


Thanks!

Panos Kampanakis (Cisco Employee) Wed, 05/26/2010 - 06:20

I am afraid that is not something you can do on the ASA.


If you have a router then Flexible Packet Matching could very well do what you want matching on header fields and patterns in the packet.

Here is a doc that explains it http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6.html


I hope it helps.


PK
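A Flexible Packet Matching policy of the kind described above, as an added example that is not part of the original post: it drops inbound IPv4 packets whose Total Length header field exceeds 100 bytes and leaves outbound traffic alone. The interface name, the class and policy names, the PHDF path and the IP-only stack class are assumptions; the exact PHDF location and the operators a given IOS release accepts should be checked against that release's FPM documentation.

```text
! Added example, not from the thread. Names, interface and PHDF path are assumed.
!
! Load the IPv4 protocol header definition file so FPM can resolve IP header fields
! by name. The storage location of ip.phdf depends on the image and platform.
load protocol system:fpm/phdf/ip.phdf
!
! Stack class: declares the protocol stack FPM should parse. Only the IP layer is
! needed here because the match below is on an IP header field.
class-map type stack match-all ipv4-stack
 match field IP version eq 4
!
! Access-control class: IPv4 Total Length (bytes 2-3 of the header) greater than 100.
! The value is the full IP packet length, header plus payload, as carried on the wire.
class-map type access-control match-all ipv4-over-100
 match field IP length gt 100
!
! Inner policy: the action for packets that match the access-control class.
policy-map type access-control drop-ipv4-over-100
 class ipv4-over-100
  drop
!
! Outer policy: binds the stack class to the inner policy.
policy-map type access-control fpm-inbound
 class ipv4-stack
  service-policy drop-ipv4-over-100
!
! Attach in the input direction only, so the length check applies to received
! packets and not to traffic the router sends out of this interface.
interface FastEthernet0/0
 service-policy type access-control input fpm-inbound
```

Two points worth checking before relying on this: FPM matches on the IP header's own Total Length value, so a packet that arrives fragmented is judged fragment by fragment rather than by the size of the original datagram, and `show policy-map type access-control interface FastEthernet0/0` is the place to confirm the drop counters actually increment for oversized test traffic.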

jacques_henry696 Wed, 05/26/2010 - 07:02

All right, so it is not possible with an ASA. Now we know it's a fact!


But many thanks for the link about FPM, I think this is exactly what I needed. I'll take a deeper look (if I can get my hands on a valid IOS file to test it!)


Again, thank you!

Panos Kampanakis (Cisco Employee) Wed, 05/26/2010 - 07:06

Yup, FPM is pretty useful. A little tricky, but useful, as it looks deep into the packet.


PK
