Supported IP Options for Inspection; Defaults for IP Options Inspection; Configure IP Options Inspection - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 13
Inspection of Basic Internet Protocols

The checksum is recomputed.

Supported IP Options for Inspection

IP Options inspection can check for the following IP options in a packet. If an IP header contains additional options other than these, regardless of whether the ASA is configured to allow these options, the ASA will drop the packet.

• End of Options List (EOOL) or IP Option 0—This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.

• No Operation (NOP) or IP Option 1—The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as "internal padding" to align the options on a 32-bit boundary.

• Router Alert (RTRALT) or IP Option 20—This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols that require relatively complex processing from the routers along the packet's delivery path. Dropping RSVP packets containing the Router Alert option can cause problems in VoIP implementations.

Defaults for IP Options Inspection

IP Options inspection is enabled by default, using the _default_ip_options_map inspection policy map. Following is the policy map configuration:

policy-map type inspect ip-options _default_ip_options_map
 description Default IP-OPTIONS policy-map
 parameters
  router-alert action allow

• The Router Alert option is allowed.

• Packets that contain any other options are dropped. This includes packets that contain unsupported options.

Configure IP Options Inspection

IP options inspection is enabled by default. You need to configure it only if you want to allow additional options than the default map allows.

Procedure

Step 1: Configure an IP Options Inspection Policy Map, page 13-28.

Step 2: Configure the IP Options Inspection Service Policy, page 13-28.

Cisco ASA Series Firewall CLI Configuration Guide, IP Options Inspection, page 13-27
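As an added illustration of the "Supported IP Options" and "Defaults" sections above (example code, not Cisco's), the following Python models the verdict the default map produces: it walks the Options field using the single-byte EOOL/NOP rule and the length byte of every other option, reads the option number from the low five bits of the type byte (Router Alert is type 0x94, number 20), and drops any unsupported option even when a policy map lists it. The header builder, the sample option bytes and the "allow"/"drop" strings are constructed for this example and are not ASA output.

```python
import struct

EOOL, NOP, RTRALT = 0, 1, 20                # option numbers named on the page
SUPPORTED = {EOOL, NOP, RTRALT}             # the only options the inspection understands
DEFAULT_ALLOWED = frozenset({RTRALT})       # _default_ip_options_map: router-alert action allow


def parse_options(field: bytes) -> list:
    """Walk the variable-length Options field and return the option numbers found.
    The low 5 bits of the type byte are the number (Router Alert 0x94 -> 20).
    EOOL and NOP are single bytes; every other option carries a length byte."""
    numbers, i = [], 0
    while i < len(field):
        number = field[i] & 0x1F
        numbers.append(number)
        if number == EOOL:
            break                           # everything after EOOL is padding
        if number == NOP:
            i += 1                          # NOP is the 32-bit "internal padding"
            continue
        if i + 1 >= len(field) or field[i + 1] < 2 or i + field[i + 1] > len(field):
            raise ValueError("option length runs past the Options field")
        i += field[i + 1]
    return numbers


def inspect(header: bytes, allowed=DEFAULT_ALLOWED) -> str:
    """Model (not ASA code) of the verdict for one IPv4 header under a map allowing `allowed`.
    Unsupported options are dropped even if the map lists them, as the page states."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        return "drop"                       # header length field is not usable
    try:
        numbers = parse_options(header[20:ihl])
    except ValueError:
        return "drop"                       # malformed option encoding
    if all(n in SUPPORTED and n in allowed for n in numbers):
        return "allow"
    return "drop"


def ipv4_header(options: bytes) -> bytes:
    """Constructed sample: a minimal IPv4 header (proto 17, no payload) carrying
    `options`, which the caller must already have padded to a 32-bit boundary."""
    assert len(options) % 4 == 0, "options must end on a 32-bit boundary"
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                        64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options
```

`inspect(ipv4_header(bytes([0x94, 4, 0, 0])))` returns "allow" under the default map, while a Record Route option (number 7) is dropped even with `allowed=frozenset({RTRALT, 7})`, matching the rule that unsupported options are dropped regardless of configuration.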
