Cisco ASA - maximum packet size

jacques_henry696 · ‎05-25-2010

Hello !

Is there a way to configure my ASA so that it can block an IP packet (TCP or UDP) based on its size (total size, or even better, on the IP payload)?

Thanks!

Panos Kampanakis · ‎05-25-2010

You can use the "fragment chain" command.

The ASA interface has an MTU. But you can allow up to certain number of IP fragments. So for example if you use 1 then a total of 1500bytes of IP packets (header+payload) will be allowed per IP packet (even fragmented packets).

I hope it helps.

PK

jacques_henry696 · ‎05-25-2010

Yes I can configure the MTU on the ASA interfaces, but the command is entered "globaly" on an interface, i.e. I mean that the command is applied for both incoming and outcoming packets. The thing is that I want to drop incoming packets on an interface which size is greater than, let's say 100 Bytes.

So with your method, do you think if I use the following commands, it will work?

#fragment chain 1 inside

#fragment size 100 inside

And even if it worked, would it be enable only for incoming packets?

Thanks!

Panos Kampanakis · ‎05-26-2010

I am afraid that is not something you can do on the ASA.

If you have a router then Flexible Packet Matching could very well do what you want matching on header fields and patterns in the packet.

Here is a doc that explains it http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6.html

I hope it helps.

PK

jacques_henry696 · ‎05-26-2010

All right, so it is not possible with an ASA. Now we know it's a fact!

But many thanks for the link about FPM, I think this is exactly what I needed. I'll take a look more deeply (if I can get my hand on a valid IOS file to test it!)

Again, thank you!

Panos Kampanakis · ‎05-26-2010

Yup, FPM is pretty useful. Little tricky but useful as it looks deeply into the packet.

PK