7-33
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Inspection of Basic Internet Protocols
IPv6 Inspection
Note
If you are editing the default global policy (or any in-use policy) to use a different IPsec Pass
Through inspection policy map, you must remove the IPsec Pass Through inspection with the
no
inspect ipsec-pass-thru
command, and then re-add it with the new IPsec Pass Thruough
inspection policy map name.
Step 5
If you are editing an existing service policy (such as the default global policy called global_policy), you
are done. Otherwise, activate the policy map on one or more interfaces.
service-policy
policymap_name
{
global
|
interface
interface_name
}
Example:
hostname(config)# service-policy global_policy global
The
global
keyword applies the policy map to all interfaces, and
interface
applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can only apply one policy map to each interface.
IPv6 Inspection
IPv6 inspection lets you selectively log or drop IPv6 traffic based on the extension header. In addition,
IPv6 inspection can check conformance to RFC 2460 for type and order of extension headers in IPv6
packets.
•
Defaults for IPv6 Inspection, page 7-33
•
Configure IPv6 Inspection, page 7-34
Defaults for IPv6 Inspection
If you enable IPv6 inspection and do not specify an inspection policy map, then the default IPv6
inspection policy map is used, and the following actions are taken:
•
Allows only known IPv6 extension headers. Non-conforming packets are dropped and logged.
•
Enforces the order of IPv6 extension headers as defined in the RFC 2460 specification.
Non-conforming packets are dropped and logged.
•
Drops any packet with a routing type header.
Following is the policy map configuration:
policy-map type inspect ipv6 _default_ipv6_map
description Default IPV6 policy-map
parameters
verify-header type
verify-header order
match header routing-type range 0 255
drop log
Содержание ASA 5512-X
Страница 5: ...P A R T 1 Service Policies and Access Control ...
Страница 6: ......
Страница 50: ...3 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Access Rules History for Access Rules ...
Страница 51: ...P A R T 2 Network Address Translation ...
Страница 52: ......
Страница 126: ...5 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 NAT Examples and Reference DNS and NAT ...
Страница 127: ...P A R T 3 Application Inspection ...
Страница 128: ......
Страница 255: ...P A R T 4 Connection Settings and Quality of Service ...
Страница 256: ......
Страница 288: ...12 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Quality of Service History for QoS ...
Страница 303: ...P A R T 5 Advanced Network Protection ...
Страница 304: ......
Страница 339: ...P A R T 6 ASA Modules ...
Страница 340: ......
Страница 398: ...17 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 ASA CX Module History for the ASA CX Module ...