Each TCP device on a network has an associated ‘ceiling’ on TCP Data Size, called the MSS (Maximum Segment Size). The TCP MSS is negotiated between two communicating devices via the TCP SYN and SYN-ACK packets. After this negotiation, each TCP device must comply with the advertised MSS of the peer device, and should not send data on the segment that is larger than the advertised MSS of the device to which it is sending.
Unfortunately, there are cases that even if the two TCP endpoints negotiate a certain size of TCP MSS, one of the devices sends data to the other device which is larger than the MSS. With the new version of the Cisco ASA (or PIX) firewall with software version 7.x and up, the above situation is not accepted by the firewall which drops the packets that do not adhere to the negotiated MSS size. The firewall does this to protect the devices from buffer overflow attacks.
The problem addressed here is when an FTP Client located on the INSIDE of a Cisco ASA firewall, can not access an FTP Server machine located on the OUTSIDE of the firewall, as shown on the diagram below. The same problem can also happen with any TCP application (e.g HTTP), not just FTP.
The initial firewall configuration is as following
pixfirewall(config-if)#ip address 192.168.9.30 255.255.255.0
pixfirewall(config-if)#ip address 10.0.0.1 255.255.255.0
pixfirewall(config)#global (outside) 1 interface
pixfirewall(config)#nat (inside) 1 10.0.0.0 255.0.0.0
pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 192.168.9.2 1
The problem is observed when looking at the logs of the firewall:
Sep 19 2007 06:55:58: %ASA-4-419001: Dropping TCP packet from INSIDE:10.0.0.2/38003 to OUTSIDE:192.168.9.2/21, reason: MSS exceeded, MSS 1390, data 1460
The log output above shows that the FTP client and server negotiated an MSS value of 1390, but the data sent is 1460, therefore the firewall drops the packet.
There are two solutions for the MSS exceeded problem, one which can be applied globally on the ASA firewall, and one which can be applied for the specific connection only:
Solution A (Applied Globally on Firewall)
There is a global command on the ASA firewall with which you can override the MSS value negotiated between the TCP devices. This command is shown below:
firewall(config)#sysopt connection tcpmss [minimum] bytes
The [minimum] keyword overrides the maximum segment size negotiated between the two devices to be no less than ‘bytes’. So to solve the problem above, configure the following:
firewall(config)#sysopt connection tcpmss minimum 1460
This will force the two devices to negotiate an MSS value to be no less than 1460, therefore the data sent can go through with no problems.
Solution B (Applied on the specific connection only)
The second workaround solution uses an access-list, a class map and a tcp-map to identify the specific FTP traffic between the client and the server, and allow the MSS to be exceeded only for this specific connection.
The configuration commands are shown below:
pixfirewall(config)#access-list ftp-list permit tcp host 10.0.0.2 host 192.168.9.2
pixfirewall(config-cmap)#match access-list ftp-list
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config)#service-policy ftp-map interface outside
The configuration above will allow the MSS to be exceeded only between the FTP client and FTP server connections.
If you want to learn how to configure and implement any Cisco ASA 5500 v7.x and v8.x Firewall, check out the following excellent Book:
Whats Included in the eBook
|Getting Started with Cisco Firewalls (User Interface, Access Modes)|
|Security Levels (Traffic Flow between Security Levels)|
|Basic Firewall Configuration (Basic Configuration Steps)|
|Configuring Network Address Translation (NAT, PAT, Static NAT, Port Redirection)|
|Using Access Control Lists (ACLs)|
|Controlling Inbound and Outbound Traffic with ACLs|
|ACL Object Groups|
|Configuring VLANs and Subinterfaces|
|IPSEc VPNs (site-to-site VPN, Remote Access VPN, VPN client)|
|Configuring Active/Standby Stateful Failover|