
Cisco ASA 5506-X Configuration Manual page 172


Example:
hostname(config)# service-policy global_policy global
The global keyword applies the policy map to all interfaces, and interface applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can only apply one policy map to each interface.
IP Options Inspection
You can configure IP Options inspection to control which IP packets with specific IP options are allowed
through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the
specified IP options and then allow the packet to pass.
The following sections describe the IP Options inspection engine.
• IP Options Inspection Overview, page 7-26
• Defaults for IP Options Inspection, page 7-27
• Configure IP Options Inspection, page 7-27
• Monitoring IP Options Inspection, page 7-30

IP Options Inspection Overview
Each IP packet contains an IP header with the Options field. The Options field, commonly referred to as
IP Options, provides control functions that are required in some situations but unnecessary for most
common communications. In particular, IP Options include provisions for time stamps, security, and
special routing. Use of IP Options is optional, and the field can contain zero, one, or more options.
For a list of IP options, with references to the relevant RFCs, see the IANA page,
http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml.

What Happens When You Clear an Option
When you configure an IP options inspection policy map, you can specify whether you want to allow or
clear each option type. If you do not specify an option type, packets that contain the option are dropped.
If you simply allow an option, packets containing the option are passed through unchanged.
If you specify that you want to clear an option from IP headers, the IP header changes in the following
ways:
• The option is removed from the header.
• The Options field is padded so that the field ends on a 32-bit boundary.
• Internet header length (IHL) in the packet changes.
• The total length of the packet changes.

Cisco ASA Series Firewall CLI Configuration Guide
7-26
Chapter 7
Inspection of Basic Internet Protocols
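
The allow, clear and drop behaviour and the four header changes described above, worked through on a constructed packet. This is an added example, not code from the Cisco guide and not the ASA's implementation: the function names and the policy dictionary are assumptions, End of Option List and No-Operation bytes are treated as padding rather than as policy-controlled options, and the header checksum is recomputed so the rewritten header stays valid.

```python
import struct

ALLOW, CLEAR = "allow", "clear"   # actions named on the page; omitted type = drop

def checksum(hdr: bytes) -> int:
    """RFC 791 header checksum (one's-complement sum of 16-bit words)."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def parse_options(raw: bytes):
    """Yield each option as raw bytes; EOL (0) ends the list, NOP (1) is skipped."""
    i = 0
    while i < len(raw) and raw[i] != 0:
        if raw[i] == 1:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option")
        yield raw[i:i + raw[i + 1]]
        i += raw[i + 1]

def inspect(packet: bytes, policy: dict):
    """Return the packet to forward, or None when the policy drops it."""
    ihl = (packet[0] & 0x0F) * 4
    if not 20 <= ihl <= len(packet):
        raise ValueError("bad IHL")
    options = list(parse_options(packet[20:ihl]))
    if any(opt[0] not in policy for opt in options):
        return None                          # unspecified option type: drop
    kept = b"".join(o for o in options if policy[o[0]] == ALLOW)
    if len(kept) == sum(map(len, options)):
        return packet                        # nothing cleared: pass unchanged
    kept += b"\x00" * (-len(kept) % 4)       # pad Options to a 32-bit boundary
    hdr = bytearray(packet[:20] + kept)
    hdr[0] = (packet[0] & 0xF0) | (len(hdr) // 4)               # new IHL
    hdr[2:4] = struct.pack("!H", len(hdr) + len(packet) - ihl)  # new total length
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))        # keep header valid
    return bytes(hdr) + packet[ihl:]

# Constructed sample: Router Alert (148) + Record Route (7) + EOL pad, 8-byte payload.
# Addresses are documentation ranges; the input checksum is left as zero.
SAMPLE = (struct.pack("!BBHHHBBH4s4s", 0x48, 0, 40, 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
          + bytes([148, 4, 0, 0, 7, 7, 4, 0, 0, 0, 0, 0]) + b"payload!")

if __name__ == "__main__":
    out = inspect(SAMPLE, {148: ALLOW, 7: CLEAR})
    print("IHL", SAMPLE[0] & 0x0F, "->", out[0] & 0x0F, "| length", len(SAMPLE), "->", len(out))
```

Clearing Record Route while allowing Router Alert shrinks the header from 8 to 6 words and the datagram from 40 to 32 bytes; clearing Router Alert instead leaves a 7-byte option that needs one byte of padding.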
