Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 10      Configuring Inspection of Basic Internet Protocols
Configuring an IP Options Inspection Policy Map for Additional Inspection Control
Step 1
To create an IP Options inspection policy map, enter the following command:
ciscoasa(config)# policy-map type inspect ip-options policy_map_name
ciscoasa(config-pmap)# 
Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2
(Optional) To add a description to the policy map, enter the following command:
ciscoasa(config-pmap)# description string
Step 3
To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# 
b. To allow or clear packets with the End of Options List (EOOL) option, enter the following command:
ciscoasa(config-pmap-p)# eool action {allow | clear}
This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.
c. To allow or clear packets with the No Operation (NOP) option, enter the following command:
ciscoasa(config-pmap-p)# nop action {allow | clear}
The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as "internal padding" to align the options on a 32-bit boundary.
d. To allow or clear packets with the Router Alert (RTRALT) option, enter the following command:
ciscoasa(config-pmap-p)# router-alert action {allow | clear}
This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols that require relatively complex processing from the routers along the packet's delivery path.
Note: Enter the clear command to clear the IP option from the packet before allowing the packet through the ASA.
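As an added illustration, not code from the Cisco guide, the following Python inspector parses an IPv4 options field and applies a per-option allow/clear policy of the kind configured above. Two behaviours are this example's own choices rather than documented ASA behaviour: a clear overwrites the option with NOP bytes so the header length (IHL) stays unchanged, and a packet carrying an option the policy does not name is dropped.

```python
# Illustrative IPv4 options inspector (example code, not the ASA's implementation).
# RFC 791 / RFC 2113 option type values for the three options the policy map controls.
EOOL, NOP, RTRALT = 0x00, 0x01, 0x94


def parse_options(opts: bytes):
    """Return a list of (offset, type, length) for each option in the field.

    EOOL and NOP are single-byte options; every other option carries a length byte.
    Parsing stops at EOOL, which need not be the last byte of the options field.
    """
    found, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == EOOL:
            found.append((i, t, 1))
            break
        if t == NOP:
            found.append((i, t, 1))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError(f"malformed option {t:#x} at offset {i}")
        found.append((i, t, opts[i + 1]))
        i += opts[i + 1]
    return found


def apply_policy(opts: bytes, policy: dict) -> tuple:
    """Apply {option_type: 'allow' | 'clear'} to an options field.

    Returns (verdict, new_options). A 'clear' overwrites that option with NOPs
    so IHL is unchanged. Any option the policy does not name, or a malformed
    field, yields 'drop'; that default is this example's choice, not ASA behaviour.
    """
    try:
        options = parse_options(opts)
    except ValueError:
        return "drop", b""
    out = bytearray(opts)
    for off, t, ln in options:
        action = policy.get(t)
        if action == "clear":
            out[off:off + ln] = bytes([NOP]) * ln
        elif action != "allow":
            return "drop", b""
    return "allow", bytes(out)


# Constructed sample field: NOP, NOP, Router Alert (type 0x94, len 4, value 0), EOOL, one pad byte.
SAMPLE = bytes([0x01, 0x01, 0x94, 0x04, 0x00, 0x00, 0x00, 0x00])
POLICY = {EOOL: "allow", NOP: "allow", RTRALT: "clear"}  # mirrors eool/nop allow, router-alert clear

if __name__ == "__main__":
    print(apply_policy(SAMPLE, POLICY))
```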
IPsec Pass Through Inspection
This section describes the IPsec Pass Through inspection engine. This section includes the following topics: