Cisco ASA 5505 Configuration Manual page 1296

Configuring IPsec
Modes
The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple Context    System

Pre-Fragmentation
Use this pane to set the IPsec pre-fragmentation policy and do-not-fragment (DF) bit policy for any interface.

The IPsec pre-fragmentation policy specifies how to treat packets that exceed the maximum transmission unit (MTU) setting when tunneling traffic through the public interface. This feature provides a way to handle cases where a router or NAT device between the adaptive security appliance and the client rejects or drops IP fragments. For example, suppose a client wants to FTP get from an FTP server behind an adaptive security appliance. The FTP server transmits packets that, when encapsulated, would exceed the adaptive security appliance's MTU size on the public interface. The selected options determine how the adaptive security appliance processes these packets. The pre-fragmentation policy applies to all traffic traveling out the adaptive security appliance public interface.

By default, the adaptive security appliance encapsulates all tunneled packets and then fragments any that exceed the MTU setting before transmitting them through the public interface. This option works in situations where fragmented packets are allowed through the tunnel without hindrance. In the FTP example, large packets are encapsulated and then fragmented at the IP layer. Intermediate devices may drop fragments, or may drop only out-of-order fragments; load-balancing devices can introduce out-of-order fragments.

When you enable pre-fragmentation, the adaptive security appliance fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on these packets is set, the adaptive security appliance clears the DF bit, fragments the packets, and then encapsulates them. The result is two independent, non-fragmented IP packets leaving the public interface; each reaches the peer site as a complete packet, and the fragments are reassembled there. In the FTP example, the adaptive security appliance overrides the MTU and allows fragmentation by clearing the DF bit.
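The following model, added here as an illustration and not taken from the Cisco guide, contrasts the two behaviours described above: the default policy (encapsulate, then IP-fragment the result) and pre-fragmentation (clear DF, fragment the cleartext so each piece fits after encapsulation, then encapsulate each piece as its own packet). The IPsec overhead value is a constructed assumption; the real figure depends on the transform set.

```python
"""Model of the two IPsec fragmentation behaviours (added example).
Sizes are in bytes. The overhead parameter is a constructed assumption:
tunnel-mode ESP adds an outer IP header, ESP header, IV, padding and ICV."""
from dataclasses import dataclass

IP_HDR = 20  # IPv4 header without options


@dataclass
class WirePacket:
    size: int             # bytes on the wire leaving the public interface
    outer_fragment: bool  # True if the encapsulated datagram itself was fragmented


def _ip_fragment(total_len: int, mtu: int) -> list[int]:
    """Split an IPv4 datagram of total_len bytes into fragment sizes that fit
    mtu; every fragment but the last carries a multiple of 8 data bytes."""
    payload = total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(take + IP_HDR)
        payload -= take
    return sizes


def default_policy(packet_len: int, mtu: int, overhead: int) -> list[WirePacket]:
    """Default policy: encapsulate first, then fragment the encapsulated packet
    at the IP layer if it exceeds the MTU. These outer fragments are what an
    intermediate router or NAT device may drop or reorder."""
    total = packet_len + overhead
    if total <= mtu:
        return [WirePacket(total, False)]
    return [WirePacket(s, True) for s in _ip_fragment(total, mtu)]


def pre_fragmentation(packet_len: int, mtu: int, overhead: int,
                      df_set: bool) -> tuple[list[WirePacket], bool]:
    """Pre-fragmentation: clear DF if it was set, fragment the cleartext packet
    so each piece fits the MTU after encapsulation, then encapsulate each piece
    into its own non-fragmented outer packet. Returns (packets, df_cleared).
    The inner fragments are reassembled at the peer site after decryption."""
    inner_max = mtu - overhead  # largest cleartext packet that still fits
    if packet_len <= inner_max:
        return [WirePacket(packet_len + overhead, False)], False
    pieces = _ip_fragment(packet_len, inner_max)
    return [WirePacket(p + overhead, False) for p in pieces], df_set


def all_fit(packets: list[WirePacket], mtu: int) -> bool:
    """True when nothing leaving the public interface exceeds the MTU."""
    return all(p.size <= mtu for p in packets)


if __name__ == "__main__":
    MTU, OVERHEAD = 1500, 58  # constructed: 1500-byte link, ~58 bytes ESP tunnel overhead
    print(default_policy(1500, MTU, OVERHEAD))            # two outer IP fragments
    print(pre_fragmentation(1500, MTU, OVERHEAD, True))   # two whole packets, DF cleared
```

With a full-size 1500-byte FTP data packet the default policy emits a 1500-byte and a 78-byte outer fragment, whereas pre-fragmentation emits 1494-byte and 142-byte packets that are each complete IP datagrams.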
Cisco ASA 5500 Series Configuration Guide using ASDM
63-16
Service Group—Indicates that you are specifying the name of a service group for the source port.
Service (unlabeled)—Choose the service group to use.
ICMP Type—Specifies the ICMP type to use. The default is any. Click the ... button to display a list of available types.
Options
Time Range—Specify the name of an existing time range or create a new range.
... —Displays the Add Time Range pane, on which you can define a new time range.
Please enter the description below (optional)—Provides space for you to enter a brief description of the rule.
Chapter 63      Configuring IKE, Load Balancing, and NAC
OL-20339-01
