Cisco ASA 5505 Configuration Manual page 826

Asa 5500 series

IP Options Inspection
c. From the Parameters area, select which IP options you want to pass through the adaptive security
   appliance, or clear and then pass through the adaptive security appliance:

   • Allow packets with the End of Options List (EOOL) option
     This option, which contains just a single zero byte, appears at the end of all options to mark the end
     of a list of options. This might not coincide with the end of the header according to the header length.

   • Allow packets with the No Operation (NOP) option
     The Options field in the IP header can contain zero, one, or more options, which makes the total
     length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of
     bits of all options is not a multiple of 32 bits, the NOP option is used as "internal padding" to align
     the options on a 32-bit boundary.

   • Allow packets with the Router Alert (RTRALT) option
     This option notifies transit routers to inspect the contents of the packet even when the packet is not
     destined for that router. This inspection is valuable when implementing RSVP and similar protocols
     that require relatively complex processing from the routers along the packet's delivery path.

   • Clear the option value from the packets
     When an option is checked, the Clear the option value from the packets check box becomes
     available for that option. Select the Clear the option value from the packets check box to clear the
     option from the packet before allowing the packet through the adaptive security appliance.

d. Click OK.

Step 6  Click OK.
Step 7  Click Finish.

Select IP Options Inspect Map

The Select IP Options Inspect Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IM Map

The Select IP-Options Inspect Map dialog box lets you select or create a new IP Options inspection map.
Use this inspection map to control whether the adaptive security appliance drops, passes, or clears IP
packets containing the following IP options—End of Options List, No Operations, and Router Alert.

Fields

   • Use the default IP-Options inspection map—Specifies to use the default IP Options map. The default
     map drops packets containing all the inspected IP options, namely End of Options List (EOOL), No
     Operation (NOP), and Router Alert (RTRALT).
   • Select an IP-Options map for fine control over inspection—Lets you select a defined application
     inspection map or add a new one.
   • Add—Opens the Add IP Options Inspect Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available:

Cisco ASA 5500 Series Configuration Guide using ASDM
37-42
Chapter 37
Configuring Inspection of Basic Internet Protocols
OL-20339-01
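
The allow / clear / drop choice described above, modelled in Python as an added example (it is not Cisco code and not part of the original manual). The dictionary form of the inspection map, the function names, the sample header bytes and the rule that any option outside the map is dropped are assumptions of this example; clearing is only reported, not applied to the bytes.

```python
# Added example: models the allow / clear / drop decision of an inspection map.
EOOL, NOP, RTRALT = 0, 1, 148   # IPv4 option type bytes (RFC 791, RFC 2113)
NAMES = {EOOL: "EOOL", NOP: "NOP", RTRALT: "RTRALT"}

def sample_header(options: bytes) -> bytes:
    """Constructed IPv4 header: 20 fixed bytes (mostly zero) plus options."""
    if len(options) % 4 or len(options) > 40:
        raise ValueError("options must fill whole 32-bit words, 40 bytes max")
    return bytes([0x40 | (5 + len(options) // 4)]) + bytes(19) + options

def walk_options(header: bytes):
    """Return [(type, offset, length)] for the options in an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    end = (header[0] & 0x0F) * 4            # header length from the IHL field
    if end < 20 or end > len(header):
        raise ValueError("bad header length")
    found, i = [], 20
    while i < end:
        kind = header[i]
        if kind in (EOOL, NOP):             # single-byte options, no length
            found.append((kind, i, 1))
            if kind == EOOL:                # list ends here; bytes up to `end`
                break                       # are padding, not options
            i += 1
            continue
        if i + 1 >= end or header[i + 1] < 2 or i + header[i + 1] > end:
            raise ValueError("malformed option")
        found.append((kind, i, header[i + 1]))
        i += header[i + 1]
    return found

def inspect(header: bytes, inspect_map: dict):
    """inspect_map: option type -> "allow" or "clear"; a missing type is dropped.
    Returns ("drop", reason) or ("pass", [options to clear before forwarding])."""
    try:
        options = walk_options(header)
    except ValueError as err:
        return "drop", str(err)
    to_clear = []
    for kind, _offset, _length in options:
        action = inspect_map.get(kind)
        if action is None:                  # unchecked box, or (assumed) any
            return "drop", NAMES.get(kind, f"option {kind}")   # other option
        if action == "clear":
            to_clear.append(NAMES.get(kind, f"option {kind}"))
    return "pass", to_clear

DEFAULT_MAP = {}                                           # nothing allowed
RSVP_MAP = {RTRALT: "allow", NOP: "clear", EOOL: "allow"}  # hypothetical map
PACKET = sample_header(bytes.fromhex("9404000001000000"))  # RTRALT, NOP, EOOL, pad
```

In PACKET the EOOL byte sits at offset 25 of a 28-byte header, which is the case the EOOL description mentions: the option list ends before the header does.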


This manual is also suitable for:

Asa 5510, Asa 5540, Asa 5520, Asa 5550, Asa 5580
