1. Identify the traffic on which you want to perform Modular Policy Framework actions by creating Layer 3/4 class maps
Example:
access-list SSH extended permit tcp any any eq ssh
class-map SSH
 match access-list SSH
2. Create the TCP-MAP
ciscoasa(config)# tcp-map TCP_NORMALIZATION
ciscoasa(config-tcp-map)# ?
TCP-map configuration commands:
check-retransmission Check retransmit data, disabled by default
checksum-verification Verify TCP checksum, disabled by default
default Set a command to its defaults
exceed-mss Packet that exceed the Maximum Segment Size set by
peer, default is to allow packet
invalid-ack Packets with invalid ACK, default is to drop packet
no Negate a command or set its defaults
reserved-bits Reserved bits in TCP header are set, default is to
allow packet
seq-past-window Packets that have past-window seq numbers, default is
to drop packet
syn-data TCP SYN packets that contain data, default is to
allow packet
synack-data TCP SYN-ACK packets that contain data, default is to
drop packet
tcp-options Options in TCP header
ttl-evasion-protection Protection against time to live (TTL) attacks,
enabled by default
urgent-flag Urgent flag and urgent offset set, default is to
clear flag and offset
window-variation Unexpected window size variation, default is to allow
connection
Example (entered in tcp-map configuration mode; the name must match the one referenced by the policy map in step 3):
tcp-map TCP_NORMALIZATION
 check-retransmission
 checksum-verification
 reserved-bits clear
3. Create the Layer 3/4 policy map and attach the TCP map to the class with "set connection advanced-options"
policy-map policy_inside
class SSH
set connection advanced-options TCP_NORMALIZATION
4. Apply the policy map using a service policy (global or at interface level; only one service policy can be bound per interface, and an interface policy takes precedence over the global one for the traffic it matches)
service-policy policy_inside interface outside
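Putting the four steps together, here is the complete configuration as an added example (not taken from the original post). The object names are the ones used above, with the tcp-map name spelled consistently so the policy map actually finds it. The two extra normalization settings (exceed-mss drop, syn-data drop) and the show commands at the end are assumptions added to illustrate the other options and how to verify that the policy is active.

```cisco
! Step 1: Layer 3/4 class map selecting the traffic to normalize
access-list SSH extended permit tcp any any eq ssh
class-map SSH
 match access-list SSH
!
! Step 2: TCP map holding the normalization checks. The name here must
! match the name referenced under "set connection advanced-options".
tcp-map TCP_NORMALIZATION
 check-retransmission
 checksum-verification
 reserved-bits clear
 ! assumed extra settings for illustration; every option not listed keeps
 ! the default shown in the "?" help output above
 exceed-mss drop
 syn-data drop
!
! Step 3: Layer 3/4 policy map binding the class to the TCP map
policy-map policy_inside
 class SSH
  set connection advanced-options TCP_NORMALIZATION
!
! Step 4: activate the policy on an interface. Only one service policy can
! be applied per interface; a second "service-policy ... interface outside"
! line is rejected, so add further classes to this policy map instead.
service-policy policy_inside interface outside
!
! Verification (privileged EXEC mode, not config mode):
! show running-config tcp-map
! show running-config policy-map policy_inside
! show service-policy interface outside
```

The last show command lists the class SSH under the interface policy together with its packet counters, which is the quickest check that the traffic you expect is actually hitting the normalizer rather than being handled by the default global_policy. The policy map name is arbitrary; calling it policy_inside while binding it to the outside interface works, but naming it after the interface it is applied to avoids confusion later.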