Cisco ASA 5506W-X

Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
IP Options Inspection
Configure an IP Options Inspection Policy Map
If you want to perform non-default IP options inspection, create an IP options inspection policy map to
specify how you want to handle each supported option type.
Procedure
Step 1 Create an IP options inspection policy map:
hostname(config)# policy-map type inspect ip-options policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 3 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to
disable the option. In all cases, the allow action allows packets that contain the option without
modification; the clear action allows the packets but removes the option from the header. Any packet
that contains an option that you do not include in the map is dropped. For a description of the
options, see Supported IP Options for Inspection, page 13-27.
   - eool action {allow | clear}—Allows or clears the End of Options List option.
   - nop action {allow | clear}—Allows or clears the No Operation option.
   - router-alert action {allow | clear}—Allows or clears the Router Alert (RTRALT) option.
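The allow, clear and drop rules from the parameters step, modelled in Python as an added example (not Cisco code and not part of this guide): it walks the IPv4 options area of a header and applies a map's per-option actions, dropping any packet that carries an option the map omits. The function names and sample packets are constructed for illustration, and how the ASA rewrites the header after a clear is not modelled.

```python
# Added illustration: a model of the allow / clear / drop rules, not ASA code.
EOOL, NOP, RTRALT = 0, 1, 148   # IPv4 option type values (RFC 791, RFC 2113)
NAMES = {EOOL: "eool", NOP: "nop", RTRALT: "router-alert"}

def header_options(packet: bytes) -> bytes:
    """Return the options area of an IPv4 header (bytes 20..IHL*4)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a valid IPv4 header")
    return packet[20:ihl]

def parse_options(opts: bytes) -> list:
    """Walk the options area and return the option type of each entry."""
    types, i = [], 0
    while i < len(opts):
        opt = opts[i]
        types.append(opt)
        if opt == EOOL:          # end of list; anything after it is padding
            break
        if opt == NOP:           # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        i += opts[i + 1]         # type, length, value
    return types

def apply_map(packet: bytes, policy: dict):
    """policy maps 'eool'/'nop'/'router-alert' to 'allow' or 'clear'; returns
    ('drop', option_type) or ('pass', [option names left in the header])."""
    kept = []
    for opt in parse_options(header_options(packet)):
        action = policy.get(NAMES.get(opt))
        if action is None:       # option not included in the map: drop
            return ("drop", opt)
        if action == "allow" and NAMES[opt] not in kept:
            kept.append(NAMES[opt])
    return ("pass", kept)

def ipv4(opts: bytes) -> bytes:  # constructed sample header, fixed fields zeroed
    return bytes([0x40 | (5 + len(opts) // 4)]) + bytes(19) + opts

RA_PKT = ipv4(b"\x01\x01\x94\x04\x00\x00\x00\x00")   # constructed: NOP, NOP, Router Alert, EOOL
TS_PKT = ipv4(b"\x44\x08\x05\x00\x00\x00\x00\x00")   # constructed: Timestamp (type 68)

if __name__ == "__main__":
    full = {"router-alert": "allow", "nop": "clear", "eool": "allow"}
    print(apply_map(RA_PKT, full), apply_map(TS_PKT, full))
    print(apply_map(RA_PKT, {"router-alert": "allow"}))   # nop not in map: drop
```

In this model a map that lists only router-alert still drops the first sample packet, because the NOP and EOOL options that accompany the Router Alert option are not included in the map.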
Configure the IP Options Inspection Service Policy
The default ASA configuration includes IP options inspection applied globally on all interfaces. A
common method for customizing the inspection configuration is to customize the default global policy.
You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map ip_options_class_map
hostname(config-cmap)# match access-list ipoptions
