Preventing IP Spoofing - Cisco PIX 500 Series Configuration Manual

Chapter 23 Preventing Network Attacks
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 23-16

You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The security appliance combines the command into one line in the running configuration.

Note    For management traffic, you can only set the conn-max and embryonic-conn-max keywords.

Step 5  To set the timeout for connections, embryonic connections (half-opened), half-closed connections, and dead connection detection, enter the following command:

hostname(config-pmap-c)# set connection timeout {[tcp value [reset]] [half-close value] [embryonic value] [dcd [retry_interval [max_retries]]]}

where the half-close and tcp values are a time between 0:5:0 and 1192:59:59, in hh:mm:ss format. The default for half-close is 0:10:0 and the default for tcp is 1:0:0. You can also set these values to 0, which means the connection never times out.

The embryonic value is a time between 0:0:5 and 1192:59:59, in hh:mm:ss format. The default is 0:0:30. You can also set this value to 0, which means the connection never times out.

The dcd retry_interval is a time duration in hh:mm:ss format to wait between each unresponsive DCD probe. The minimum value is 1 second, and the maximum value is 24 hours. The default value is 15 seconds.

The dcd max_retries is the number of consecutive failed retries before declaring the connection as dead. The minimum value is 1 and the maximum value is 255, and the default is 5.

You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined onto one line in the running configuration.

Note    This command is not available for management traffic.

Step 6  To activate the policy map on one or more interfaces, enter the following command:

hostname(config)# service-policy policymap_name {global | interface interface_name}

where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

Preventing IP Spoofing

This section lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

Normally, the security appliance only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the security appliance to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267 for more information.
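The Unicast RPF decision described above, worked through as an added Python example (not code from the Cisco manual): a longest-prefix lookup over a routing table decides whether the route back to a packet's source address points out of the interface the packet arrived on. The routing table, interface names and sample packets are all constructed, and treating the default route as a valid reverse path is an assumption of this model.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for illustration (not from the manual):
# each entry is (destination prefix, interface the route points out of).
ROUTES = [
    ("0.0.0.0/0", "outside"),        # default route
    ("10.1.0.0/16", "inside"),
    ("10.1.5.0/24", "dmz"),          # more specific than the /16 above
    ("192.168.100.0/24", "inside"),
]

def route_interface(addr, routes=ROUTES):
    """Longest-prefix match: the interface the appliance would use to reach addr,
    or None when no route (not even a default) covers it."""
    target = ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def unicast_rpf_allows(src, ingress_iface, routes=ROUTES):
    """Strict Unicast RPF as the manual describes it: the packet passes only if the
    route back to its source address leaves through the interface it arrived on."""
    return route_interface(src, routes) == ingress_iface

def check_packets(packets, routes=ROUTES):
    """Apply the check to (src, dst, ingress) tuples; the destination is what normal
    forwarding looks at and plays no part here. Returns (src, ingress, verdict)."""
    results = []
    for src, _dst, ingress in packets:
        verdict = "pass" if unicast_rpf_allows(src, ingress, routes) else "drop"
        results.append((src, ingress, verdict))
    return results

# Constructed sample traffic: addresses from documentation ranges, not real hosts.
SAMPLE = [
    ("10.1.5.7", "192.0.2.10", "dmz"),         # DMZ host seen on dmz: consistent
    ("10.1.5.7", "192.0.2.10", "inside"),      # DMZ address seen on inside: spoofed
    ("10.1.9.9", "192.0.2.10", "inside"),      # covered by 10.1.0.0/16 -> inside
    ("10.1.9.9", "192.168.100.4", "outside"),  # internal address from outside: spoofed
    ("203.0.113.5", "10.1.9.9", "outside"),    # only the default route matches -> outside
    ("203.0.113.5", "10.1.9.9", "inside"),     # external address on inside: spoofed
]

if __name__ == "__main__":
    for src, ingress, verdict in check_packets(SAMPLE):
        print(f"{src:>14} arriving on {ingress:<8} {verdict}")
```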
