Enable ip-options on Cisco ASA 8.2

uchiha-itachi
Level 1

Hi,

I am having a problem regarding the NOOP option; the error message is below. I want to allow the NOP action according to this discussion:

%ASA-6-106012: Deny IP from x.x.x.x to y.y.y.y , IP options: "Noop"

https://supportforums.cisco.com/discussion/11646641/unfamiliar-asa-log-message

but I don't find inspect ip-options under the protocol inspection section (see attached):

policy-map type inspect ip-options Options-pmap
                                               ^
ERROR: % Invalid input detected at '^' marker.

How can I enable ip-options?

Thank you!


6 Replies

uchiha-itachi
Level 1

Hi,

Any idea?

Thanks

Hi,

Which version of ASA are you running?

I do see in my lab FW that the option is there. But mine is the latest version, 9.6.

ciscoasa(config)# policy-map type inspect ?

configure mode commands/options:
  dcerpc             Configure a policy-map of type DCERPC
  diameter           Configure a policy-map of type Diameter
  dns                Configure a policy-map of type DNS
  esmtp              Configure a policy-map of type ESMTP
  ftp                Configure a policy-map of type FTP
  gtp                Configure a policy-map of type GTP
  h323               Configure a policy-map of type H.323
  http               Configure a policy-map of type HTTP
  im                 Configure a policy-map of type IM
  ip-options         Configure a policy-map of type IP-OPTIONS
  ipsec-pass-thru    Configure a policy-map of type IPSEC-PASS-THRU
  ipv6               Configure a policy-map of type IPv6
  lisp               Configure a policy-map of type LISP
  mgcp               Configure a policy-map of type MGCP
  netbios            Configure a policy-map of type NETBIOS
  radius-accounting  Configure a policy-map of type Radius Accounting
  rtsp               Configure a policy-map of type RTSP
  scansafe           Configure a policy-map of type SCANSAFE
  sctp               Configure a policy-map of type SCTP
  sip                Configure a policy-map of type SIP
  skinny             Configure a policy-map of type Skinny

Can you paste the "show version" output from your firewall?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi,

Thank you for your reply.

ASA version:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)

System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04


Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 250
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 5000
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5550 VPN Premium license.


Inspection type:

ASA(config)# policy-map type inspect ?
configure mode commands/options:
  dcerpc             Configure a policy-map of type DCERPC
  dns                Configure a policy-map of type DNS
  esmtp              Configure a policy-map of type ESMTP
  ftp                Configure a policy-map of type FTP
  gtp                Configure a policy-map of type GTP
  h323               Configure a policy-map of type H.323
  http               Configure a policy-map of type HTTP
  im                 Configure a policy-map of type IM
  ipsec-pass-thru    Configure a policy-map of type IPSEC-PASS-THRU
  mgcp               Configure a policy-map of type MGCP
  netbios            Configure a policy-map of type NETBIOS
  radius-accounting  Configure a policy-map of type Radius Accounting
  rtsp               Configure a policy-map of type RTSP
  sip                Configure a policy-map of type SIP
  skinny             Configure a policy-map of type Skinny

I think ip-options is supported; this is why I get the error message regarding NOOP, but I don't know how to enable this option and tune it!

Thanks.

Regards,

Hi,

The command was introduced in 8.2(2). You would need to upgrade to get that command option.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/intro.html#wp1063588

"You can now control which IP packets with specific IP options should be allowed through the ASA. You can also clear IP options from an IP packet, and then allow it through the ASA. Previously, all IP options were denied by default, except for some special cases.

Note: This inspection is enabled by default. The following command is added to the default global service policy: inspect ip-options. Therefore, the ASA allows RSVP traffic that contains packets with the Router Alert option (option 20) when the ASA is in routed mode.

The following commands were introduced: policy-map type inspect ip-options, inspect ip-options, eool, nop."

Regards,

Kanwal

Note: Please mark answers if they are helpful.
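For readers who land here with the same log message, the configuration the answer above refers to looks like the fragment below once the box is on 8.2(2) or later. This is an added example, not part of the original thread and not Cisco's documentation text: the map name Options-pmap follows the original post, global_policy and inspection_default are the ASA's default service-policy and class names, and the choice of "allow" for all three options is mine.

```cisco
! Added example (not from the original thread). Requires ASA 8.2(2) or later,
! where "policy-map type inspect ip-options" exists; on 8.2(1) every line of
! the first block is rejected with "Invalid input detected".
!
! Step 1: define an ip-options inspection map. Each recognised option gets an
! explicit action: "allow" forwards the packet unchanged, "clear" strips that
! option and then forwards the packet. Options without an action line keep
! being dropped and logged as %ASA-6-106012 "Deny IP ... IP options: ...".
policy-map type inspect ip-options Options-pmap
 parameters
  nop action allow
  eool action allow
  router-alert action allow
!
! Step 2: attach the map to the default global policy. The upgrade adds
! "inspect ip-options" with the built-in default map to inspection_default
! automatically; that default map only allows router-alert, so packets
! carrying NOP would still be denied until the custom map replaces it.
policy-map global_policy
 class inspection_default
  no inspect ip-options
  inspect ip-options Options-pmap
!
! Step 3: confirm the map is attached and that the 106012 "Noop" denies stop.
! show running-config policy-map
! show service-policy
```

Two practical notes. First, "allow" lets the option reach the destination host, so only allow an option an application behind the firewall actually needs (RSVP for router-alert is the usual case); "clear" gives you connectivity while still sanitising the header, and for a padding option like NOP it is the safer default if you are unsure. Second, the "no inspect ip-options" line is there so the custom map replaces, rather than conflicts with, the default map the upgrade installs.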

Hi,

Ok, it's clear.

Thank you very much!

Regards,

Hi,

I am glad I could help, and you are welcome!

Regards,

Kanwal

Note: Please mark answers if they are helpful.
