7-27
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Inspection of Basic Internet Protocols
IP Options Inspection
• The checksum is recomputed.
Supported IP Options for Inspection
IP Options inspection can check for the following IP options in a packet. If an IP header contains
any option other than these, the ASA drops the packet, regardless of which of the supported options
the ASA is configured to allow.
• End of Options List (EOOL) or IP Option 0—This option, which contains just a single zero byte,
appears at the end of all options to mark the end of a list of options. This might not coincide with
the end of the header according to the header length.
• No Operation (NOP) or IP Option 1—The Options field in the IP header can contain zero, one, or
more options, which makes the total length of the field variable. However, the IP header must be a
multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option
is used as “internal padding” to align the options on a 32-bit boundary.
• Router Alert (RTRALT) or IP Option 20—This option notifies transit routers to inspect the contents
of the packet even when the packet is not destined for that router. This inspection is valuable when
implementing RSVP and similar protocols that require relatively complex processing from the
routers along the packet’s delivery path. Dropping RSVP packets containing the Router Alert option
can cause problems in VoIP implementations.
Defaults for IP Options Inspection
IP Options inspection is enabled by default, using the _default_ip_options_map inspection policy map.
• The Router Alert option is allowed.
• Packets that contain any other options are dropped. This includes packets that contain unsupported
options.
Following is the policy map configuration:
policy-map type inspect ip-options _default_ip_options_map
 description Default IP-OPTIONS policy-map
 parameters
  router-alert action allow
Configure IP Options Inspection
IP options inspection is enabled by default. You need to configure it only if you want to allow options
other than those that the default map allows.
Procedure
Step 1 Configure an IP Options Inspection Policy Map, page 7-28
Step 2 Configure the IP Options Inspection Service Policy, page 7-28
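The following configuration is an added example of the two-step procedure above; it is not taken from the Cisco guide. It assumes a custom policy map named allow_eool_nop_map (the name is an assumption) that allows EOOL and NOP in addition to the Router Alert option the default map already permits, and then replaces _default_ip_options_map in the default global service policy. Packets carrying any unsupported option are still dropped, as described under Supported IP Options for Inspection.

```cisco
! Step 1: define a custom IP options inspection policy map
! (allow_eool_nop_map is an assumed name; "action clear" instead of
! "action allow" would strip the option from the header and forward the
! packet rather than forwarding it unchanged)
policy-map type inspect ip-options allow_eool_nop_map
 description Allow EOOL and NOP in addition to Router Alert
 parameters
  eool action allow
  nop action allow
  router-alert action allow
!
! Step 2: bind the map to the default global service policy. The default
! policy already contains "inspect ip-options" with no map argument, which
! means _default_ip_options_map, so remove it before adding the custom map.
policy-map global_policy
 class inspection_default
  no inspect ip-options
  inspect ip-options allow_eool_nop_map
!
! Already present on a default ASA configuration; shown for completeness.
service-policy global_policy global
```

Verify the result with show running-config policy-map type inspect ip-options, which should list both the default map and allow_eool_nop_map, and with show service-policy inspect ip-options, which shows the map attached to the class along with packet and drop counters. If the drop counter keeps rising after the change, the traffic is carrying an option outside the three the ASA can inspect, and no policy map setting will let it through.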