Gist arusso/9799950, last active August 29, 2015 13:57
An example configuration that tells the tcp-normalization engine on Cisco ASA appliances to allow the urgent flag for traffic that matches an access list.
!
! Set up an ACL that matches the hosts whose urgent flag is to be left untouched
! as it passes through the ASA firewall. On the ASA the list name comes before the
! "extended" keyword, and a protocol and destination are required; using "tcp"
! here also lets the match be narrowed to a particular port (e.g. "eq <port>")
! if we so chose.
!
access-list acl_permit_urgent_flag extended permit tcp <host/network> <netmask> any
!
! Create a tcp-map (packet normalization policy) that lets the urgent flag through
! on the identified packets.
!
tcp-map tmap_allow_urgent_flag
 urgent-flag allow
!
! Create a class-map (packet identification policy) that identifies packets
! matching the access-list above.
!
class-map cmap_urgent_flag_traffic
 match access-list acl_permit_urgent_flag
!
! Define the policy-map to apply to an interface. Only a single policy-map can be
! applied per interface, so name it after the interface it belongs to.
!
policy-map pmap_<interface_name>
 class cmap_urgent_flag_traffic
  set connection advanced-options tmap_allow_urgent_flag
!
! Define a service policy (policy-map + interface) that applies the policy-map to
! a particular interface. The "interface" keyword is required.
!
service-policy pmap_<interface_name> interface <interface_name>
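The configuration above is a chain of four objects that only works when every link resolves: the class-map must name an existing access-list, the policy-map must name an existing class-map and tcp-map, and a service-policy must actually apply the policy-map. The script below is an added example, not part of the gist: it parses a snippet in the gist's shape, resolves those references, and flags an urgent-flag exception that is attached to a class not scoped to an access-list (for instance `class-default`), which would disable that part of the normalizer for all traffic on the interface. The sample config, the 10.0.0.0/24 network and the interface name `inside` are constructed placeholders, and only the commands used in the gist are understood.

```python
"""Cross-check an ASA tcp-normalization exception like the one in this gist.

Added example, not part of the gist. Walks the access-list -> class-map ->
policy-map -> service-policy chain, reports dangling references, and warns
when a tcp-map that allows the urgent flag is applied to a class that is not
scoped to an access-list. Only the commands used in the gist are parsed.
"""
import re

# Constructed sample: the gist's skeleton with its placeholders filled in.
# 10.0.0.0/24 and the interface name "inside" are made up for this example.
SAMPLE_CONFIG = """
access-list acl_permit_urgent_flag extended permit tcp 10.0.0.0 255.255.255.0 any
tcp-map tmap_allow_urgent_flag
 urgent-flag allow
class-map cmap_urgent_flag_traffic
 match access-list acl_permit_urgent_flag
policy-map pmap_inside
 class cmap_urgent_flag_traffic
  set connection advanced-options tmap_allow_urgent_flag
service-policy pmap_inside interface inside
"""


def parse_asa(text):
    """Return the objects the gist uses and the references between them."""
    cfg = {
        "access_lists": set(),
        "tcp_maps": {},          # name -> {"urgent-flag": "allow" | "clear"}
        "class_maps": {},        # name -> ("access-list", acl) or ("any",)
        "policy_maps": {},       # name -> {class_name: tcp_map_name or None}
        "service_policies": [],  # (policy_map, interface name or "global")
    }
    mode = None           # (kind, name) of the block we are currently inside
    current_class = None  # class being configured inside a policy-map
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and ASA comments
        if m := re.match(r"access-list (\S+) ", line):
            cfg["access_lists"].add(m.group(1))
            mode = None
        elif m := re.match(r"tcp-map (\S+)$", line):
            mode = ("tcp-map", m.group(1))
            cfg["tcp_maps"].setdefault(m.group(1), {})
        elif m := re.match(r"class-map (\S+)$", line):
            mode = ("class-map", m.group(1))
            cfg["class_maps"][m.group(1)] = ("any",)  # until a match line narrows it
        elif m := re.match(r"policy-map (\S+)$", line):
            mode = ("policy-map", m.group(1))
            cfg["policy_maps"].setdefault(m.group(1), {})
            current_class = None
        elif m := re.match(r"service-policy (\S+) (?:interface (\S+)|(global))$", line):
            cfg["service_policies"].append((m.group(1), m.group(2) or "global"))
            mode = None
        elif mode and mode[0] == "tcp-map":
            if m := re.match(r"urgent-flag (allow|clear)$", line):
                cfg["tcp_maps"][mode[1]]["urgent-flag"] = m.group(1)
        elif mode and mode[0] == "class-map":
            if m := re.match(r"match access-list (\S+)$", line):
                cfg["class_maps"][mode[1]] = ("access-list", m.group(1))
        elif mode and mode[0] == "policy-map":
            if m := re.match(r"class (\S+)$", line):
                current_class = m.group(1)
                cfg["policy_maps"][mode[1]].setdefault(current_class, None)
            elif (m := re.match(r"set connection advanced-options (\S+)$", line)) and current_class:
                cfg["policy_maps"][mode[1]][current_class] = m.group(1)
    return cfg


def audit_urgent_flag(cfg):
    """Return findings; an empty list means every exception is scoped and resolvable."""
    findings = []
    for cmap, target in cfg["class_maps"].items():
        if target[0] == "access-list" and target[1] not in cfg["access_lists"]:
            findings.append(f"class-map {cmap} references missing access-list {target[1]}")
    for pmap, classes in cfg["policy_maps"].items():
        for cmap, tmap in classes.items():
            if cmap not in cfg["class_maps"] and cmap != "class-default":
                findings.append(f"policy-map {pmap} references missing class-map {cmap}")
            if tmap is None:
                continue
            if tmap not in cfg["tcp_maps"]:
                findings.append(f"policy-map {pmap}/{cmap} references missing tcp-map {tmap}")
            elif cfg["tcp_maps"][tmap].get("urgent-flag") == "allow":
                scope = cfg["class_maps"].get(cmap, ("any",))
                if scope[0] != "access-list":  # class-default or a match-any class
                    findings.append(f"tcp-map {tmap} allows the urgent flag for class {cmap}, "
                                    "which is not scoped to an access-list")
    applied = {p for p, _ in cfg["service_policies"]}
    for pmap in cfg["policy_maps"]:
        if pmap not in applied:
            findings.append(f"policy-map {pmap} is defined but not applied by any service-policy")
    for pmap, _ in cfg["service_policies"]:
        if pmap not in cfg["policy_maps"]:
            findings.append(f"service-policy references missing policy-map {pmap}")
    return findings


if __name__ == "__main__":
    result = audit_urgent_flag(parse_asa(SAMPLE_CONFIG))
    for line in result or ["ok: urgent-flag exception is scoped to an access-list"]:
        print(line)
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG`; the check that matters most is the "not scoped to an access-list" finding, since that is the difference between relaxing normalization for a handful of hosts and relaxing it for the whole interface.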