
Cisco ASA 5506-X Configuration Manual page 174

IP Options Inspection
Configure an IP Options Inspection Policy Map
If you want to perform non-default IP options inspection, create an IP options inspection policy map to
specify how you want to handle each supported option type.
Procedure
Step 1
Create an IP options inspection policy map:
hostname(config)# policy-map type inspect ip-options policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 2
(Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 3
To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to
disable the option. In all cases, the allow action allows packets that contain the option without
modification; the clear action allows the packets but removes the option from the header. Any packet
that contains an option that you do not include in the map is dropped. For a description of the
options, see Supported IP Options for Inspection, page 7-27.
eool action {allow | clear}—Allows or clears the End of Options List option.
nop action {allow | clear}—Allows or clears the No Operation option.
router-alert action {allow | clear}—Allows or clears the Router Alert (RTRALT) option.
Configure the IP Options Inspection Service Policy
The default ASA configuration includes IP options inspection applied globally on all interfaces. A
common method for customizing the inspection configuration is to customize the default global policy.
You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1
If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map ip_options_class_map
hostname(config-cmap)# match access-list ipoptions
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 7, Inspection of Basic Internet Protocols, page 7-28
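The allow, clear and drop rules from Step 3 of the policy map procedure, modeled in Python so a planned map can be checked against sample headers before deployment. This is an added example, not Cisco code and not from the guide; the function names, the sample headers and the handling of malformed options are assumptions.

```python
# Added example: a model of the allow/clear/drop rules, not ASA code.
EOOL, NOP, ROUTER_ALERT = 0, 1, 148   # IPv4 option types (RFC 791, RFC 2113)
KEYWORD = {EOOL: "eool", NOP: "nop", ROUTER_ALERT: "router-alert"}

def parse_options(header: bytes):
    """Return [(type, raw_bytes), ...] for the options area of an IPv4 header."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    area, opts, i = header[20:ihl], [], 0
    while i < len(area):
        otype = area[i]
        if otype == EOOL:             # end of list: the rest is padding
            opts.append((otype, area[i:i + 1]))
            break
        if otype == NOP:              # single-byte option, no length field
            opts.append((otype, area[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(area) or area[i + 1] < 2 or i + area[i + 1] > len(area):
            raise ValueError("malformed option length")
        opts.append((otype, area[i:i + area[i + 1]]))
        i += area[i + 1]
    return opts

def inspect(header: bytes, policy: dict):
    """policy maps keyword -> 'allow' or 'clear'. Returns (verdict, kept options)."""
    try:
        opts = parse_options(header)
    except ValueError:
        return "drop", []             # assumption: malformed headers are dropped
    kept = []
    for otype, raw in opts:
        action = policy.get(KEYWORD.get(otype))
        if action is None:            # option not in the map: packet is dropped
            return "drop", []
        if action == "allow":
            kept.append((otype, raw)) # passes without modification
        # 'clear': the packet passes, the option is removed from the header
    return "pass", kept

def header_with(options: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (other fields zero) plus options."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    return bytes([0x40 | (5 + len(options) // 4)]) + bytes(19) + options

ROUTER_ALERT_OPT = bytes([148, 4, 0, 0])          # constructed Router Alert option
RECORD_ROUTE_OPT = bytes([7, 7, 4, 0, 0, 0, 0])   # constructed Record Route option
POLICY = {"eool": "allow", "nop": "clear", "router-alert": "allow"}
```

In this model the zero padding after an option list parses as EOOL, so a map that lists only router-alert drops a sample packet whose options need padding.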
