ASA config help needed, ip options, ip inspection

oldmike924
Level 1

Hi,

I'm receiving the following error for igmpv2 traffic:

6  Dec 30 2011 12:08:06  172.28.9.5  225.10.249.12  Deny IP from 172.28.9.5 to 225.10.249.12, IP options: "Router Alert"

The syslog ID is 106012 and the explanation to correct this makes no sense to me.  In other discussions I've seen that this is related to a global policy but I'm not sure how or where to get around it. Thanks.

7 Replies

Julio Carvajal
VIP Alumni

Hello Mike,

What version are you running?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

ASA 8.25, ASDM 6.45.

Thanks

Hello,

By default, the ASA will drop packets that have the Router Alert option set. If you want to allow these packets through the ASA, you can configure a custom inspection via MPF:

policy-map type inspect ip-options allow-router-alert
 parameters
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect ip-options allow-router-alert
service-policy global_policy global

You can find more details here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1548725

-Mike

Mike,

I tried adding these, no go, same failures for router alert, even after reload.

Mike

Hi Mike,

Can you share a sanitized copy of the config you used and the output of 'show service-policy' after you start seeing the drops?

-Mike

Mike,

Here you go:

ASA Version 8.2(5)
!
hostname
enable password encrypted
passwd encrypted
multicast-routing
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.19.0.2 255.255.255.252
 igmp query-max-response-time 20
 igmp query-interval 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.29.9.1 255.255.255.248
 igmp query-max-response-time 20
 igmp query-interval 10
!
pim rp-address 10.18.1.1 pimACL_RP
pim old-register-checksum
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list pimACL_RP standard permit 225.17.0.0 255.255.0.0
access-list pimACL_RP standard permit 225.18.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.17.0.0 255.255.0.0 172.19.0.1 1
route inside 10.18.0.0 255.255.0.0 172.19.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.17.2.1 source inside prefer
webvpn
!
class-map inspection_default
!
!
policy-map type inspect ip-options allow-router-alert
 parameters
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect ip-options allow-router-alert
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

Output of sh service-policy:

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ip-options allow-router-alert, packet 0, drop 0, reset-drop 0

I'm attempting to get this thing to use PIM, and I see no joins/prunes in statistics either.  I do see the requests in the 6505 where the RP resides.  I increased the query interval for IGMP to 10 sec. which means I see the router alerts that often in ASDM log viewer.

6  Jan 09 2012 14:59:00  172.29.9.5  225.17.249.5  Deny IP from 172.29.9.5 to 225.17.249.5, IP options: "Router Alert"

Mike

Hi Mike,

Oh ok, I should have asked what type of traffic it was before suggesting the config. The inspection_default class is not matching this traffic. Try this instead:

access-list myacl permit ip host 172.29.9.5 host 225.17.249.5
!
class-map myclass
 match access-list myacl
!
policy-map type inspect ip-options allow-router-alert
 parameters
  router-alert action allow
policy-map global_policy
 class myclass
  inspect ip-options allow-router-alert
!
service-policy global_policy global

If there are any established conns for these hosts when you configure this policy, make sure to clear them out before testing again.

-Mike
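As an added check for the situation in this thread (example code written here, not from Cisco or from anyone in the discussion): it parses the 106012 Router Alert denials and the ip-options counter from 'show service-policy' and reports the mismatch Mike describes, an inspect sitting under a class that never sees the IGMP traffic. The sample log lines and show output are constructed from the ones quoted above.

```python
import re
from collections import Counter

# Syslog 106012 as quoted in this thread: Deny IP from SRC to DST, IP options: "Router Alert"
DENY_RE = re.compile(r'Deny IP from (?P<src>\d+(?:\.\d+){3}) to (?P<dst>\d+(?:\.\d+){3}), '
                     r'IP options: "(?P<opt>[^"]+)"')
# Counter line printed by 'show service-policy' for an ip-options inspection
INSPECT_RE = re.compile(r'Inspect: ip-options (?P<pmap>[^\s,]+), packet (?P<pkt>\d+), drop (?P<drop>\d+)')

def parse_router_alert_drops(log_lines):
    """Count 106012 Router Alert denials per (source, destination) pair."""
    flows = Counter()
    for line in log_lines:
        m = DENY_RE.search(line)
        if m and m.group('opt') == 'Router Alert':
            flows[(m.group('src'), m.group('dst'))] += 1
    return flows

def parse_inspect_counters(show_output):
    """Map each ip-options policy-map name to its (packet, drop) counters."""
    return {m.group('pmap'): (int(m.group('pkt')), int(m.group('drop')))
            for m in INSPECT_RE.finditer(show_output)}

def diagnose(log_lines, show_output, pmap='allow-router-alert'):
    """Explain why Router Alert drops persist after the ip-options policy was added."""
    flows = parse_router_alert_drops(log_lines)
    counters = parse_inspect_counters(show_output)
    if not flows:
        return 'ok: no Router Alert denials in the log'
    if pmap not in counters:
        return 'policy-map %s is not applied under any service-policy' % pmap
    packets = counters[pmap][0]
    if packets == 0:
        # Inspect never saw a packet: its class-map (inspection_default) does not match IGMP
        pairs = ', '.join('%s->%s' % f for f in sorted(flows))
        return ('class not matching: %d denials for %s but %s inspected 0 packets; '
                'use an ACL-based class-map for these flows' % (sum(flows.values()), pairs, pmap))
    return 'policy matches but %d denials remain; clear pre-existing conns' % sum(flows.values())

# Constructed sample input modelled on the lines quoted in this thread
SAMPLE_LOG = [
    '%ASA-6-106012: Deny IP from 172.29.9.5 to 225.17.249.5, IP options: "Router Alert"',
    '%ASA-6-106012: Deny IP from 172.29.9.5 to 225.17.249.5, IP options: "Router Alert"',
    '%ASA-6-302013: Built inbound TCP connection 12 for inside:10.17.1.1/5000 (10.17.1.1/5000)',
]
SAMPLE_SHOW = ('Global policy:\n  Service-policy: global_policy\n    Class-map: inspection_default\n'
               '      Inspect: ip-options allow-router-alert, packet 0, drop 0, reset-drop 0\n')

if __name__ == '__main__':
    print(diagnose(SAMPLE_LOG, SAMPLE_SHOW))
```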
