ASA解决MSS过大的经典案例

PIX/ASA7.0Issue:MSSExceeded−HTTPClientsCannotBrowsetoSomeWebSitesDocumentID:65436IntroductionPrerequisitesRequirementsComponentsUsedRelatedProductsConventionsConfigureNetworkDiagramPIXSecurityAppliance7.0ConfigurationTroubleshootWorkaroundVerifyNetProDiscussionForums−FeaturedConversationsRelatedInformationIntroductionThisdocumentaddressestheproblemwhensomewebsitesarenotaccessiblethroughaPIXorAdaptiveSecurityAppliance(ASA)thatruns7.0orlatercode.The7.0releaseintroducesseveralnewsecurityenhancements,oneofwhichisacheckforTCPendpointswhichadheretotheadvertisedMaximumSegmentSize(MSS).InanormalTCPsession,theclientsendsaSYNpackettotheserver,withtheMSSincludedwithintheTCPoptionsoftheSYNpacket.Theserver,uponreceiptoftheSYNpacket,shouldrecognizetheMSSvaluesentbytheclientandthensenditsownMSSvalueintheSYN−ACKpacket.Onceboththeclientandtheserverareawareofeachother'sMSS,neitherpeershouldsendapackettotheotherthatisgreaterthanthatpeer'sMSS.AdiscoveryhasbeenmadethatthereareafewHTTPserversontheInternetthatdonothonortheMSSthattheclientadvertises.Subsequently,theHTTPserversendsdatapacketstotheclientthatarelargerthantheadvertisedMSS.Beforerelease7.0,thesepacketswereallowedthroughthePIXSecurityAppliance.Withthesecurityenhancementincludedinthe7.0softwarerelease,thesepacketsaredroppedbydefault.ThisdocumentisdesignedtoassistthePIX/ASASecurityApplianceadministratorinthediagnosisofthisproblemandtheimplementationofaworkaroundtoallowthepacketsthatexceedtheMSS.PrerequisitesRequirementsTherearenospecificrequirementsforthisdocument.ComponentsUsedTheinformationinthisdocumentisbasedonaCiscoPIX525SecurityAppliancethatruns7.0.1software.Theinformationinthisdocumentwascreatedfromthedevicesinaspecificlabenvironment.Allofthedevicesusedinthisdocumentstartedwithacleared(default)configuration.Ifyournetworkislive,makesurethatyouunderstandthepotentialimpactofanycommand.RelatedProductsYoucanalsousethisdocumentwiththesehardwareandsoftwareversions:AllotherCiscoPIXSecurityApplianceplatformsthatcanrunthe7.0release.Theseplatformsincludethe515,515E,and535.•AllCiscoASAplatforms.Theseplatformsincludethe5510,5520,and5540.•ConventionsRefertotheCiscoTechnicalTipsConventionsformoreinformationondocumentconventions.ConfigureThissectionpresentsyouwiththeinformationtoconfigurethefeaturesthisdocumentdescribes.Note:UsetheCommandLookupTool(registeredcustomersonly)tofindadditionalinformationonthecommandsthisdocumentuses.NetworkDiagramThisdocumentusesthisnetworksetup:PIXSecurityAppliance7.0ConfigurationTheseconfigurationcommandsareaddedtoaPIX7.0defaultconfigurationtoallowtheHTTPclienttocommunicatewiththeHTTPserver.PIX7.0.1Configurationpixfirewall(config)#interfaceEthernet0pixfirewall(config−if)#speed100pixfirewall(config−if)#duplexfullpixfirewall(config−if)#nameifoutsidepixfirewall(config−if)#security−level0pixfirewall(config−if)#ipaddress192.168.9.30255.255.255.0pixfirewall(config−if)#exitpixfirewall(config)#interfaceEthernet1pixfirewall(config−if)#speed100pixfirewall(config−if)#duplexfullpixfirewall(config−if)#nameifinsidepixfirewall(config−if)#security−level100pixfirewall(config−if)#ipaddress10.0.0.1255.255.255.0pixfirewall(config−if)#exitpixfirewall(config)#global(outside)1interfacepixfirewall(config)#nat(inside)110.0.0.0255.0.0.0pixfirewall(config)#routeoutside0.0.0.00.0.0.0192.168.9.21TroubleshootIfaparticularwebsiteisnotaccessiblethroughthePIX/ASASecurityAppliance,completethesestepstotroubleshoot.YoufirstneedtocapturethepacketsfromtheHTTPconnection.Inordertocollectthepackets,therelevantIPaddressesoftheHTTPserverandclientneedtobeknown,aswellastheIPaddressthattheclientistranslatedtowhenittraversesthePIXSecurityAppliance.Intheexamplenetwork,theHTTPserverisaddressedat192.168.9.2,theHTTPclientisaddressedat10.0.0.2,andtheHTTPclientaddressesistranslatedto192.168.9.30aspacketsleavetheoutsideinterface.YoucanusethecapturefeatureofthePIX/ASASecurityAppliancetocollectthepackets,oryoucanutilizeanexternalpacketcapture.Ifyouintendtousethecapturefeature,theadministratorcanalsoutilizeanewcapturefeatureincludedinthe7.0releasethatallowstheadministratortocapturepacketsthataredroppedduetoaTCPanomaly.Note:Someofthecommandsinthesetablesarewrappedtoasecondlineduetospatialreasons.Defineapairofaccess−listswhichidentifythepacketsastheyingressandegresstheoutsideandinsideinterfaces.Access−listConfigurationforPacketCapturepixfirewall(config)#access−listcapture−list−inline1permitiphost10.0.0.2host192.168.9.2pixfirewall(config)#access−listcapture−list−inline2permitiphost192.168.9.2host10.0.0.2pixfirewall(config)#access−listcapture−list−outline1permitiphost192.168.9.30host192.168.9.2pixfirewall(config)#access−listcapture−list−outline2permitiphost192.168.9.2host192.168.9.301.Enablethecapturefeatureforboththeinsideandoutsideinterface.AlsoenablethecaptureforTCP−specificMSS−exceededpackets.CaptureConfigurationforPacketCapturepixfirewall(config)#capturecapture−outsideaccess−listcapture−list−outpacket−length1518interfaceoutsidepixfirewall(config)#capturecapture−insideaccess−listcapture−list−inpacket−lengt