In a standard Cisco 3600 router, I am able to apply TCP flag filtering to an extended access list:
R1#configure terminal
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#
From here,
R1(config-ext-nacl)#deny tcp any any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>
However, this functionality to filter by TCP flag seems nonexistent in ASA firewalls. Is there a menu I am not seeing? If this is the case, why disallow this feature? It has come in handy more than once.
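For readers who have not used these keywords, here is a complete IOS extended ACL that puts the flag options from the `?` output above to work. This is an added example, not configuration from the question or the answer; the addresses (RFC 5737 range 192.0.2.0/24), the host 192.0.2.10 and the interface Serial0/0 are assumptions chosen for illustration. Only keywords that appear in the poster's `?` listing are used.

```cisco
! Added example (not from the original post). Assumed topology: 192.0.2.0/24 is
! the inside network behind Serial0/0, 192.0.2.10 is a public web server on it.
ip access-list extended 101
 ! Non-initial fragments carry no TCP header, so no flag or port match can be
 ! evaluated on them; drop them explicitly rather than let them fall through.
 deny   tcp any 192.0.2.0 0.0.0.255 fragments log
 ! "established" matches any segment with ACK or RST set. This lets return
 ! traffic for sessions opened from inside back in. It is stateless: a forged
 ! bare-ACK segment also matches, so this alone does not stop ACK scans.
 permit tcp any 192.0.2.0 0.0.0.255 established
 ! New inbound connections are allowed only to the web server. A SYN-ACK has
 ! ACK set and has already matched the line above, so what reaches here is
 ! the initial SYN of a client connection.
 permit tcp any host 192.0.2.10 eq 80
 ! Anything else that tries to open a connection (SYN set, no ACK, since ACK
 ! already matched above) is a scan or an unsolicited connect attempt; log it
 ! with the ingress interface so the source can be traced.
 deny   tcp any 192.0.2.0 0.0.0.255 syn log-input
 ! Remaining TCP with unusual flag combinations (e.g. FIN or URG without ACK)
 ! is logged as well before the implicit deny.
 deny   tcp any 192.0.2.0 0.0.0.255 fin log
 deny   tcp any 192.0.2.0 0.0.0.255 urg log
 deny   ip  any any
!
interface Serial0/0
 ip access-group 101 in
!
! Check: "show access-lists 101" shows per-line match counters; the syn/fin/urg
! deny lines should count up under a port scan while the established line
! keeps counting legitimate return traffic.
```

Ordering is the point: because `established` is evaluated before the `syn` deny, the deny line effectively sees only segments with SYN set and ACK clear, which is the behaviour the single-keyword form can express without a separate "ACK clear" test. Keep in mind that every line here is a stateless header match; the router does not track whether a matching ACK belongs to a real session.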
Best Answer
The ASA doesn't have the same filtering capabilities, unfortunately.