Cisco ASA Series CLI Configuration Guide, page 1131
Software Version 9.0 for the Services Module

Chapter 1
Configuring Inspection of Basic Internet Protocols

Configuring an IP Options Inspection Policy Map for Additional Inspection Control
Step 1
To create an IP Options inspection policy map, enter the following command:
hostname(config)# policy-map type inspect ip-options policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2
(Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 3
To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. To allow or clear packets with the End of Options List (EOOL) option, enter the following command:
hostname(config-pmap-p)# eool action {allow | clear}
This option, which consists of a single zero byte, appears after all other options to mark the end of the option list. That end does not necessarily coincide with the end of the header as given by the header length field.
c. To allow or clear packets with the No Operation (NOP) option, enter the following command:
hostname(config-pmap-p)# nop action {allow | clear}
The Options field in the IP header can contain zero, one, or more options, so the total length of the field is variable. The IP header, however, must be a multiple of 32 bits in length. If the combined length of all options is not a multiple of 32 bits, the single-byte NOP option is used as "internal padding" to align the options on a 32-bit boundary.
d. To allow or clear packets with the Router Alert (RTRALT) option, enter the following command:
hostname(config-pmap-p)# router-alert action {allow | clear}
This option notifies transit routers to examine the contents of the packet even when the packet is not destined for that router. This is useful for RSVP and similar protocols, which require relatively complex processing from the routers along the packet's delivery path.
Note
The clear action removes the IP option from the packet before the ASA allows the packet through.
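The procedure in Steps 1 through 3, carried through as one complete configuration and attached to the inspection policy. This is an added example, not configuration from the guide: the map name IP_OPTIONS_MAP, the description text and the choice of actions are assumptions made for illustration; the inspect ip-options and service-policy commands, and the global_policy and inspection_default names, are the ASA's standard Layer 3/4 policy commands and default object names, which this page itself does not show.

```text
! Added example, not from the guide. IP_OPTIONS_MAP, the description and
! the chosen actions are assumptions; global_policy and inspection_default
! are the ASA's default global service policy and class map.
policy-map type inspect ip-options IP_OPTIONS_MAP
 description Allow option-list padding, strip Router Alert
 parameters
  ! EOOL (one zero byte) and NOP (one padding byte) carry no data: let them through.
  eool action allow
  nop action allow
  ! Router Alert is removed from the packet before it is forwarded, so
  ! transit routers behind the ASA will not be asked to examine the packet.
  router-alert action clear
!
! Attach the map to the inspection class of the global policy. This replaces
! the inspect ip-options entry already present in that class, if any.
policy-map global_policy
 class inspection_default
  inspect ip-options IP_OPTIONS_MAP
!
! Only needed if global_policy is not already applied (it is, by default).
service-policy global_policy global
```

After entering this, confirm the three actions with show running-config policy-map, and watch show service-policy inspect ip-options for drop counters while the map is in place: this page covers only the three options listed, and clearing Router Alert means that RSVP and similar protocols which depend on that option will not work across the ASA.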
IPsec Pass Through Inspection
This section describes the IPsec Pass Through inspection engine. This section includes the following topics:
