IP Options Inspection; IP Options Inspection Overview; What Happens When You Clear an Option - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Example:
hostname(config)# service-policy global_policy global
The global keyword applies the policy map to all interfaces, and the interface keyword applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can apply only one policy map to each interface.
IP Options Inspection
You can configure IP Options inspection to control which IP packets with specific IP options are allowed
through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the
specified IP options and then allow the packet to pass.
The following sections describe the IP Options inspection engine.

IP Options Inspection Overview

Each IP packet contains an IP header with the Options field. The Options field, commonly referred to as
IP Options, provides control functions that are required in some situations but unnecessary for most
common communications. In particular, IP Options include provisions for time stamps, security, and
special routing. Use of IP Options is optional, and the field can contain zero, one, or more options.
For a list of IP options, with references to the relevant RFCs, see the IANA page,
http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml.

What Happens When You Clear an Option

When you configure an IP options inspection policy map, you can specify whether you want to allow or
clear each option type. If you do not specify an option type, packets that contain the option are dropped.
If you simply allow an option, packets containing the option are passed through unchanged.
If you specify that you want to clear an option from IP headers, the IP header changes in the following
ways:
• The option is removed from the header.
• The Options field is padded so that the field ends on a 32-bit boundary.
• The Internet header length (IHL) in the packet changes.
• The total length of the packet changes.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 13, Inspection of Basic Internet Protocols, page 13-26
Topics in this section:
IP Options Inspection Overview, page 13-26
Defaults for IP Options Inspection, page 13-27
Configure IP Options Inspection, page 13-27
Monitoring IP Options Inspection, page 13-30
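The four header changes listed above, worked through on a constructed packet in an added Python example (this is not Cisco's code and not how the ASA implements clearing internally; the sample packet, addresses and option bytes are constructed). It matches an option on its full type byte (0x07 record route, 0x94 router alert, both from the IANA registry linked above), removes it, pads the Options field to a 32-bit boundary and rewrites IHL and total length; because those fields change, the header checksum is recomputed as well, a consequence the list implies but does not state.

```python
import struct
def ipv4_checksum(data: bytes) -> int:
    # One's-complement sum of 16-bit words; an IPv4 header is always 4-byte aligned.
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_options(opts: bytes) -> list:
    """Split the Options field into (type byte, raw bytes) pairs; stops at End of Options List."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                       # EOOL: the rest of the field is padding
            break
        if t == 1:                       # NOP is a single byte with no length field
            out.append((t, b"\x01")); i += 1; continue
        ln = opts[i + 1] if i + 1 < len(opts) else 0
        if ln < 2 or i + ln > len(opts): raise ValueError("malformed IP option length")
        out.append((t, opts[i:i + ln])); i += ln
    return out

def clear_ip_option(packet: bytes, option_type: int) -> bytes:
    """Remove every option whose type byte equals option_type, then fix up the header."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    kept = b"".join(raw for t, raw in parse_options(header[20:]) if t != option_type)
    kept += b"\x00" * (-len(kept) % 4)             # pad so Options ends on a 32-bit boundary
    new_hdr = bytearray(header[:10] + b"\x00\x00" + header[12:20] + kept)  # checksum zeroed
    new_hdr[0] = (packet[0] & 0xF0) | (len(new_hdr) // 4)             # IHL changes
    struct.pack_into("!H", new_hdr, 2, len(new_hdr) + len(payload))    # total length changes
    struct.pack_into("!H", new_hdr, 10, ipv4_checksum(bytes(new_hdr))) # so the checksum must too
    return bytes(new_hdr) + payload

def build_ipv4(options: bytes, payload: bytes) -> bytes:
    # Constructed sample packet: documentation addresses, UDP, DF set, given Options field.
    ihl = 5 + len(options) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                                0x4000, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + options)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

ROUTER_ALERT = b"\x94\x04\x00\x00"                 # type 148 (0x94), length 4
RECORD_ROUTE = b"\x07\x07\x04\x00\x00\x00\x00"     # type 7, length 7, one empty address slot
SAMPLE = build_ipv4(ROUTER_ALERT + RECORD_ROUTE + b"\x00", b"hello")   # 12 option bytes, IHL 8
if __name__ == "__main__":
    for name, t in (("record-route", 0x07), ("router-alert", 0x94)):
        out = clear_ip_option(SAMPLE, t)
        print(name, "cleared -> IHL", out[0] & 0x0F, "total length", int.from_bytes(out[2:4], "big"))
```

Running the block prints the new IHL and total length for each cleared option; a malformed option length raises ValueError instead of looping, which is the case an inspection engine must also reject.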