Name: Cisco ASA 5506-X
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

13-28

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 13 Inspection of Basic Internet Protocols

IP Options Inspection

Configure an IP Options Inspection Policy Map

If you want to perform non-default IP options inspection, create an IP options inspection policy map to

specify how you want to handle each supported option type.

Procedure

Step 1 Create an IP options inspection policy map:

hostname(config)# policy-map type inspect ip-options policy_map_name

hostname(config-pmap)#

Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration

mode.

Step 2 (Optional) To add a description to the policy map, enter the following command:

hostname(config-pmap)# description string

Step 3 To configure parameters that affect the inspection engine, perform the following steps:

a. To enter parameters configuration mode, enter the following command:

hostname(config-pmap)# parameters

hostname(config-pmap-p)#

b. Set one or more parameters. You can set the following options; use the no form of the command to

disable the option. In all cases, the allow action allows packets that contain the option without

modification; the clear action allows the packets but removes the option from the header. Any packet

that contains an option that you do not include in the map is dropped. For a description of the

options, see Supported IP Options for Inspection, page 13-27.

• eool action {allow | clear}—Allows or clears the End of Options List option.

• nop action {allow | clear}—Allows or clears the No Operation option.

• router-alert action {allow | clear}—Allows or clears the Router Alert (RTRALT) option.

Configure the IP Options Inspection Service Policy

The default ASA configuration includes IP options inspection applied globally on all interfaces. A

common method for customizing the inspection configuration is to customize the default global policy.

You can alternatively create a new service policy as desired, for example, an interface-specific policy.

Procedure

Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.

class-map name

match parameter

Example:

hostname(config)# class-map ip_options_class_map

hostname(config-cmap)# match access-list ipoptions

Other manuals for Cisco ASA 5506-X

Quick Start Guide14 pages

Easy Setup Guide11 pages

Installation Guide46 pages

Software Guide37 pages

Hardware Installation Guide52 pages

Mount And Connect12 pages

Mount The Chassis10 pages

Questions and Answers:

Need help?

Do you have a question about the Cisco ASA 5506-X and is the answer not in the manual?

Cisco ASA 5506-X Specifications

General

Model	ASA 5506-X
Firewall Throughput	750 Mbps
Maximum Firewall Connections	50, 000
Maximum VPN Peers	50
Integrated Ports	8 x 1 GE
Stateful Inspection Throughput	750 Mbps
Weight	4.4 lb (2 kg)
Firewall Throughput (Multiprotocol)	750 Mbps
Firewall Throughput (Application Visibility and Control AVC)	250 Mbps
Concurrent Sessions	50, 000
New Connections per Second	10, 000
IPsec VPN Throughput	100 Mbps
Interfaces	8 x 1 GE
Memory	4 GB
Flash Memory	8 GB
Form Factor	Desktop
VPN Throughput	100 Mbps
Maximum Concurrent Sessions	50, 000
New Sessions per Second	10, 000
Operating Temperature	32 to 104°F (0 to 40°C)
Storage Temperature	-13 to 158°F (-25 to 70°C)
Power Supply	External
Humidity	10% to 90% non-condensing