
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 37 Configuring Inspection of Basic Internet Protocols
IP Options Inspection
Note: IP Options inspection is included by default in the global inspection policy. Therefore, the adaptive
security appliance allows RSVP traffic that contains packets with the Router Alert option (option 20)
when the adaptive security appliance is in routed mode.

Dropping RSVP packets containing the Router Alert option can cause problems in VoIP
implementations.
When you configure the adaptive security appliance to clear the Router Alert option from IP headers, the
IP header changes in the following ways:
- The Options field is padded so that the field ends on a 32-bit boundary.
- Internet header length (IHL) changes.
- The total length of the packet changes.
- The checksum is recomputed.
If an IP header contains additional options other than EOOL, NOP, or RTRALT, regardless of whether
the adaptive security appliance is configured to allow these options, the adaptive security appliance will
drop the packet.
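
The header changes and the drop rule described above, as an added Python example (not Cisco code and not from the guide). It assumes that clearing means removing the Router Alert option bytes; the function names and the sample packets used with it are constructed for illustration.

```python
import struct

EOOL, NOP, RTRALT = 0, 1, 148  # 148 = 0x94: option number 20 with the copy flag set

def checksum(header: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(options: bytes, payload: bytes) -> bytes:
    """Constructed sample: IPv4/RSVP (protocol 46) between documentation addresses."""
    options += bytes(-len(options) % 4)
    ihl = 20 + len(options)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload),
                                0, 0, 64, 46, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    hdr += options
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + payload

def parse_options(opts: bytes):
    """Return [(type, raw bytes)] up to EOOL; raise ValueError on a bad length."""
    out, i = [], 0
    while i < len(opts) and opts[i] != EOOL:
        size = 1 if opts[i] == NOP else (opts[i + 1] if i + 1 < len(opts) else 0)
        if size < 1 or (opts[i] != NOP and size < 2) or i + size > len(opts):
            raise ValueError("malformed IP option")
        out.append((opts[i], opts[i:i + size]))
        i += size
    return out

def clear_router_alert(packet: bytes):
    """Return the rewritten packet, or None where the text says the packet is dropped."""
    ihl = (packet[0] & 0x0F) * 4
    options = parse_options(packet[20:ihl])
    if any(kind not in (NOP, RTRALT) for kind, _ in options):
        return None                                  # option other than EOOL/NOP/RTRALT
    kept = b"".join(raw for kind, raw in options if kind != RTRALT)
    kept += bytes(-len(kept) % 4)                    # pad with EOOL to a 32-bit boundary
    hdr = bytearray(packet[:20]) + kept
    hdr[0] = 0x40 | len(hdr) // 4                    # new IHL, in 32-bit words
    old_total = struct.unpack_from("!H", packet, 2)[0]
    struct.pack_into("!H", hdr, 2, old_total - (ihl - len(hdr)))  # new total length
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))         # recomputed checksum
    return bytes(hdr) + packet[ihl:]
```

Comparing a capture taken before the appliance with one taken after it should show the same three field changes (IHL, total length, checksum) on RSVP packets when the clear action is configured.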
Configuring IP Options Inspection
Use the Add Service Policy Rule Wizard - Rule Actions dialog box to configure IP Options inspection.
This wizard is available from the Configuration > Firewall > Service Policy Rules > Add > Add Service
Policy Rule Wizard - Rule Actions dialog box.
Step 1 Open the Add Service Policy Rule Wizard by selecting Configuration > Firewall > Service Policy
Rules > Add.
Perform the steps to complete the Service Policy, Traffic Classification Criteria, and Traffic Match -
Destination Port pages of the wizard. See the “Adding a Service Policy Rule for Through Traffic” section
on page 29-8.
The Add Service Policy Rule Wizard - Rule Actions dialog box opens.
Step 2 Check the IP-Options check box.
Step 3 Click Configure.
The Select IP Options Inspect Map dialog box opens.
Step 4 Perform one of the following:
- Click the Use the default IP-Options inspection map radio button to use the default IP Options
  map. The default map drops packets containing all the inspected IP options, namely End of Options
  List (EOOL), No Operation (NOP), and Router Alert (RTRALT).
- Click the Select an IP-Options inspect map for fine control over inspection radio button to select
  a defined application inspection map.
- Click Add to open the Add IP-Options Inspect Map dialog box and create a new inspection map.
Step 5 (Optional) If you clicked Add to create a new inspection map, define the following values for IP Options
Inspection:
a. Enter a name for the inspection map.
b. Enter a description for the inspection map, up to 200 characters long.
