Cisco ASA Series Firewall CLI Configuration Guide, Chapter 7: Inspection of Basic Internet Protocols, page 7-26 (IP Options Inspection)
Example:
hostname(config)# service-policy global_policy global
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
IP Options Inspection
You can configure IP Options inspection to control which IP packets with specific IP options are allowed
through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the
specified IP options and then allow the packet to pass.
The following sections describe the IP Options inspection engine.
• IP Options Inspection Overview, page 7-26
• Defaults for IP Options Inspection, page 7-27
• Configure IP Options Inspection, page 7-27
• Monitoring IP Options Inspection, page 7-30
IP Options Inspection Overview
Each IP packet contains an IP header with the Options field. The Options field, commonly referred to as IP Options, provides control functions that are required in some situations but unnecessary for most common communications. In particular, IP Options include provisions for time stamps, security, and special routing. Use of IP Options is optional, and the field can contain zero, one, or more options.
For a list of IP options, with references to the relevant RFCs, see the IANA page, http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml
You can configure IP Options inspection to control which IP packets with specific IP options are allowed
through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the
specified IP options and then allow the packet to pass.
What Happens When You Clear an Option
When you configure an IP options inspection policy map, you can specify whether you want to allow or
clear each option type. If you do not specify an option type, packets that contain the option are dropped.
If you simply allow an option, packets containing the option are passed through unchanged.
If you specify that you want to clear an option from IP headers, the IP header changes in the following
ways:
• The option is removed from the header.
• The Options field is padded so that the field ends on a 32-bit boundary.
• The Internet header length (IHL) in the packet changes.
• The total length of the packet changes.
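The three behaviours described above (allow an option unchanged, clear it and rewrite the header, or drop a packet carrying an option the policy does not name) can be made concrete with a small header rewriter. The following Python is an added illustration written for this page, not Cisco code and not how the ASA implements the inspection internally; the option kinds come from the IANA registry linked above, the sample packet is constructed (RFC 5737 documentation addresses, Router Alert plus Record Route options), and the choice to drop malformed option fields is an assumption of the example.

```python
import struct

# IP option kinds from the IANA ip-parameters registry (the guide links to it).
EOOL = 0            # End of Options List, single byte
NOP = 1             # No Operation, single byte
RECORD_ROUTE = 7    # Record Route: kind, length, pointer, route slots
ROUTER_ALERT = 148  # Router Alert, 4 bytes total

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_options(options: bytes) -> list:
    """Split the Options field into (kind, raw_bytes) pairs, stopping at EOOL.
    Raises ValueError on a truncated or malformed option."""
    out, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == EOOL:
            break
        if kind == NOP:
            out.append((NOP, options[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option kind %d has no length byte" % kind)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        out.append((kind, options[i:i + length]))
        i += length
    return out

def rewrite_header(packet: bytes, kinds_to_clear: set) -> bytes:
    """Remove the given option kinds and rebuild the header the way the guide
    describes: pad to a 32-bit boundary, update IHL and Total Length, and
    recompute the checksum so the packet stays valid."""
    header_len = (packet[0] & 0x0F) * 4
    fixed, options, payload = packet[:20], packet[20:header_len], packet[header_len:]
    kept = b"".join(raw for kind, raw in parse_options(options) if kind not in kinds_to_clear)
    kept += b"\x00" * ((-len(kept)) % 4)                 # pad with EOOL to a 32-bit boundary
    header = bytearray(fixed + kept)
    header[0] = (packet[0] & 0xF0) | (len(header) // 4)   # new IHL
    struct.pack_into("!H", header, 2, len(header) + len(payload))  # new Total Length
    struct.pack_into("!H", header, 10, 0)
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + payload

def apply_ip_options_policy(packet: bytes, policy: dict):
    """policy maps option kind -> "allow" or "clear". A packet carrying an option
    kind that the policy does not name is dropped (returns None), mirroring the
    guide's behaviour for unspecified option types. Malformed option fields are
    also dropped here (an assumption of this example, not a documented ASA rule)."""
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        return None
    try:
        present = {kind for kind, _ in parse_options(packet[20:ihl * 4])}
    except ValueError:
        return None
    if any(kind not in policy for kind in present):
        return None
    to_clear = {kind for kind, action in policy.items() if action == "clear"}
    return rewrite_header(packet, to_clear)

def build_sample_packet() -> bytes:
    """Constructed test packet: IPv4 header with Router Alert + Record Route
    options (IHL 8, 32-byte header) and a 4-byte payload, using RFC 5737
    documentation addresses 192.0.2.1 -> 198.51.100.2."""
    options = (bytes([ROUTER_ALERT, 4, 0, 0])             # Router Alert, value 0
               + bytes([RECORD_ROUTE, 7, 4, 0, 0, 0, 0])  # Record Route, one empty slot
               + bytes([EOOL]))                           # pad to 12 bytes
    payload = b"data"
    header = bytearray(struct.pack("!BBHHHBBH4s4s",
        0x40 | (20 + len(options)) // 4, 0, 20 + len(options) + len(payload),
        0x0001, 0x4000, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])))
    header += options
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + payload

def header_length(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4

def total_length(packet: bytes) -> int:
    return int.from_bytes(packet[2:4], "big")

if __name__ == "__main__":
    pkt = build_sample_packet()
    policy = {EOOL: "allow", NOP: "allow", ROUTER_ALERT: "allow", RECORD_ROUTE: "clear"}
    out = apply_ip_options_policy(pkt, policy)
    print("before: IHL=%d bytes, total=%d" % (header_length(pkt), total_length(pkt)))
    print("after:  IHL=%d bytes, total=%d" % (header_length(out), total_length(out)))
    print("dropped when Record Route is unspecified:",
          apply_ip_options_policy(pkt, {ROUTER_ALERT: "allow"}) is None)
```

Clearing Record Route from the sample packet shrinks the header from 32 to 24 bytes, so the IHL nibble drops from 8 to 6 and Total Length from 36 to 28; clearing Router Alert instead leaves a 7-byte Record Route that must be padded with one EOOL byte to reach a 28-byte header. Because the checksum covers IHL and Total Length, any device that clears options has to recompute it, which is why the rewriter does so before returning the packet.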