Cisco ASA 5505 Adaptive Security Appliance Technical Manual

communications. In particular, IP Options includes provisions for time stamps, security, and special routing.
Use of IP Options is optional, and the field can contain zero, one, or more options.
IP options are a security risk: if an IP packet carrying options is passed through the ASA, the options can leak
information about the internal layout of the network to the outside, and an attacker can use that information to map
the topology of your network. Because the Cisco ASA is the device that enforces security in the enterprise, by default
it drops packets that carry IP options. A sample syslog message (message ID 106012) is shown here for your
reference:
106012|10.110.1.34||XX.YY.ZZ.ZZ||Deny IP from 10.110.1.34 to XX.YY.ZZ.ZZ, IP options: "Router Alert"
However, in deployments where video traffic has to pass through the Cisco ASA, IP packets with certain options
(such as Router Alert, the option shown in the syslog message above) must be allowed through, otherwise the video
conference call may fail. From Cisco ASA software release 8.2.2 onwards, a feature called "Inspection for IP options"
is available. With this feature, you control which packets with specific IP options are allowed through the
Cisco ASA.
By default, this feature is enabled, and inspection for the IP options listed below is enabled in the global policy.
Configuring this inspection instructs the ASA either to allow a packet that carries the option to pass, or to clear
the specified IP option from the packet and then allow the packet to pass.
• End of Options List (EOOL) or IP Option 0 − This option appears after all other options in order to mark the
end of the list of options.
• No Operation (NOP) or IP Option 1 − This option is used as padding between options, or after the last option,
so that the variable-length Options field ends on a 32-bit boundary.
• Router Alert (RTRALT) or IP Option 20 − This option notifies transit routers to inspect the contents of the
packet even when the packet is not destined for that router.
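The same inspection expressed in the ASA CLI rather than in ASDM, as an added example that is not part of the original document. The map name VIDEO-IP-OPTIONS is an assumed name; the keywords are the standard ASA 8.2.2+ syntax. The map allows the three options listed above, shows the "clear" action as the alternative, attaches the map to the default global policy in place of the default ip-options map, and ends with a show command to verify that the inspection is applied and counting packets.

```cisco
! Added example, not from the original document. The map name is assumed.
! For each option named in the map, "allow" passes the packet with the option
! intact; "clear" strips the option from the header and then passes the packet.
! Options that are not named in the map keep the default behaviour: the packet
! is dropped and logged with message 106012.
policy-map type inspect ip-options VIDEO-IP-OPTIONS
 parameters
  eool action allow
  nop action allow
  router-alert action allow
!
! Alternative for the Router Alert option if the next hop must not see it:
! the packet is still passed, but with the option removed.
!  router-alert action clear
!
! Replace the default ip-options inspection in the global policy with the map.
policy-map global_policy
 class inspection_default
  no inspect ip-options
  inspect ip-options VIDEO-IP-OPTIONS
!
! Verify that the inspection is active and that packets are being counted.
show service-policy inspect ip-options
```

Note that each option you want to pass has to be named explicitly in the map: a video call that uses an IP option not listed here is still dropped, exactly as it was before the inspection was configured.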
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the
commands used in this section.
ASDM Configuration
In the ASDM, this section shows how to enable inspection for IP packets that carry the NOP option in the IP
Options field.
The Options field in the IP header can contain zero, one, or more options, which makes the total length of the
field variable. However, the IP header length must be a multiple of 32 bits. If the combined length of all options is
not a multiple of 32 bits, the NOP option is used as "internal padding" in order to align the options on a 32-bit
boundary.
1. Go to Configuration > Firewall > Objects > Inspect Maps > IP−Options, and click Add.