Guest

Cisco IOS Software Releases 12.2 Special and Early Deployments

Firewall Stateful Inspection of ICMP

Hierarchical Navigation

Downloads

Table Of Contents

Firewall Stateful Inspection of ICMP

Contents

Restrictions for Firewall Stateful Inspection of ICMP

Information About Firewall Stateful Inspection of ICMP

Feature Design of Firewall Stateful Inspection of ICMP

ICMP Inspection Checking

How to Use Firewall Stateful Inspection of ICMP

Configuring Firewall Stateful Inspection for ICMP

Verifying Firewall and ICMP Session Information

Monitoring Firewall and ICMP Session Information

Configuration Examples for Stateful Inspection of ICMP

Firewall Stateful Inspection for ICMP Configuration Example

Checking for ICMP Inspection Example

ICMP Session Verification Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

debug ip inspect

ip inspect name

Glossary


Firewall Stateful Inspection of ICMP

The Firewall Stateful Inspection of ICMP feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection to "trust" ICMP messages that are generated within a private network and to permit the associated ICMP replies. Thus, network administrators can debug network issues by using ICMP without concern that possible intruders may enter the network.

Feature Specifications for the Firewall Stateful Inspection of ICMP feature

Feature History
 
Release
Modification

12.2(11)YU

This feature was introduced.

12.2(15)T

This feature was integrated into Cisco IOS Release 12.2(15)T.

Supported Platforms

For platforms supported in Cisco IOS Release 12.2(11)YU and 12.2(15)T, consult Cisco Feature Navigator.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Restrictions for Firewall Stateful Inspection of ICMP

Information About Firewall Stateful Inspection of ICMP

How to Use Firewall Stateful Inspection of ICMP

Configuration Examples for Stateful Inspection of ICMP

Additional References

Command Reference

Glossary

Restrictions for Firewall Stateful Inspection of ICMP

To enable this feature, your Cisco IOS image must contain the Cisco IOS firewall.

This feature does not work for the User Datagram Protocol (UDP) traceroute, in which UDP datagrams are sent instead of ICMP packets. The UDP traceroute is typically the default for UNIX systems. To use ICMP inspection with a UNIX host, use the "I" option with the traceroute command. This functionality will cause the UNIX host to generate ICMP traceroute packets, which will be inspected by the Cisco IOS firewall ICMP.

Information About Firewall Stateful Inspection of ICMP

The following section provides information about the Cisco IOS Firewall Stateful Inspection of ICMP feature:

Feature Design of Firewall Stateful Inspection of ICMP

ICMP Inspection Checking

Feature Design of Firewall Stateful Inspection of ICMP

ICMP is used to report errors and information about a network. It is a useful tool for network administrators who are trying to debug network connectivity issues. Unfortunately, intruders can also use ICMP to discover the topology of a private network. To guard against a potential intruder, ICMP messages can be blocked from entering a private network; however, a network administrator may then be unable to debug the network. Although a Cisco IOS router can be configured using access lists to selectively allow certain ICMP messages through the router, the network administrator must still guess which messages are potentially malicious and which messages are benign. With the introduction of this feature, a user can now configure a Cisco IOS firewall for stateful inspection to "trust" that the ICMP messages are generated within the private network and to permit the associated ICMP replies.

Note Access lists can still be used to allow unsolicited error messages along with Cisco IOS firewall inspection. Access lists complement Cisco IOS firewall ICMP inspection.

Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed. For the Cisco IOS firewall-supported ICMP message request types, see Table 1.

Table 1 ICMP Packet Types Supported by CBAC

ICMP Packet Type
Name
Description

0

Echo Reply

Reply to Echo Request (Type 8)

3

Destination Unreachable

Possible reply to any request

Note This packet is included because it is a possible response to any ICMP packet request.

8

Echo Request

Ping or traceroute request

11

Time Exceeded

Reply to any request if the time to live (TTL) packet is 0

13

Timestamp Request

Request

14

Timestamp Reply

Reply to Timestamp Request (type 13)


Note ICMP packet types 0 and 8 are used for pinging: the source sends out an Echo Request packet, and the destination responds with an Echo Reply packet.

Packet types 0, 8, and 11 are used for ICMP traceroute: Echo Request packets are sent out starting with a TTL packet of 1, and the TTL is incremented for each hop. The intermediate hops respond to the Echo Request packet with a Time Exceeded packet; the final destination responds with an Echo Reply packet.

ICMP Inspection Checking

Return packets are checked by the inspect code, not by ACLs. The inspect code tracks each destination address from outgoing packets and checks each return packet. For ECHO REPLY and TIMESTAMP REPLY packets, the return address is checked. For UNREACHABLE and TIME EXCEEDED packets, the intended destination address is extracted from the packet data and checked.

For more information, see Checking for ICMP Inspection Example.

How to Use Firewall Stateful Inspection of ICMP

This section contains the following procedures:

Configuring Firewall Stateful Inspection for ICMP

Verifying Firewall and ICMP Session Information

Monitoring Firewall and ICMP Session Information

Configuring Firewall Stateful Inspection for ICMP

To enable the Cisco IOS Firewall to start inspection ICMP messages, perform the following steps:

SUMMARY STEPS

1. enable

2. configure terminal

3. ip inspect name inspection-name icmp [alert {on | off}] [audit-trail {on |off}] [timeout seconds]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip inspect name inspection-name icmp [alert {on | off}] [audit-trail {on |off}] [timeout seconds]

Example:

Router(config)# ip inspect name test icmp alert on audit-trail on timeout 30

Turns on inspection for ICMP.

alert—Alert messages are generated. This function is on by default.

audit-trail—Audit trail messages are generated. This function is off by default.

timeout—Overrides the global channel inactivity timeout value. The default value of the seconds argument is 10.


Verifying Firewall and ICMP Session Information

To display active ICMP session and IP access list information, perform the following optional steps:

SUMMARY STEPS

1. enable

2. show ip inspect session [detail]

3. show ip access-list

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show ip inspect session [detail]

Example:

Router# show ip inspect session

(Optional) Displays existing sessions that are currently being tracked and inspected by the Cisco IOS firewall.

The optional detail keyword causes additional details about these sessions to be shown.

Step 3 

show ip access-list

Example: 
Router# show ip access-list

(Optional) Displays the contents of all current IP access lists.

For a sample output example, see the section "Checking for ICMP Inspection Example."


Monitoring Firewall and ICMP Session Information

To monitor debugging messages related to ICMP inspection, perform the following optional steps:

SUMMARY STEPS

1. enable

2. debug ip inspect icmp

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug ip inspect icmp

Example: 
Router# debug ip inspect icmp

(Optional) Displays the operations of the ICMP inspection engine for debugging purposes.

For an example of sample output, see the command debug ip inspect in the Command Reference section.


Configuration Examples for Stateful Inspection of ICMP

This section provides the following configuration examples:

Firewall Stateful Inspection for ICMP Configuration Example

Checking for ICMP Inspection Example

ICMP Session Verification Example

Firewall Stateful Inspection for ICMP Configuration Example

The default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing ICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds after the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced 1 second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the timeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will be closed and the return packet will not be allowed in. Although the default timeout can be made longer if desired, it is recommended that this value be kept relatively short.

The following example shows how to configure a firewall for stateful inspection of ICMP packets: 

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname UUT

!

ip subnet-zero

no ip domain lookup

!

ip inspect audit-trail

ip inspect name test icmp alert on audit-trail on timeout 30

!

interface Ethernet0

ip address 192.168.10.2 255.255.255.0

ip inspect test in

!

interface Ethernet1

ip address 192.168.20.2 255.255.255.0

ip access-group 101 in

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.20.3

no ip http server

!

access-list 101 deny ip any any

!

line con 0

exec-timeout 0 0

!

end

Checking for ICMP Inspection Example

In the following example, three destinations were pinged. The example shows that the inspect code tracked each destination address in the inspect session information. 

fw_1751#sh ip insp sess detail

Established Sessions

 Session 813A1808 (192.168.156.5:0)=>(0.0.0.0:0) icmp SIS_OPEN

   Created 00:04:20, Last heard 00:00:00

   Destinations: 3

       Dest addr [192.168.131.3]

       Dest addr [192.168.131.7]

       Dest addr [192.168.131.31]

   Bytes sent (initiator:responder) [8456:5880] acl created 4

   Inbound access-list 102 applied to interface Ethernet0/0

   Inbound access-list 102 applied to interface Ethernet0/0

   Inbound access-list 102 applied to interface Ethernet0/0

   Inbound access-list 102 applied to interface Ethernet0/0

ICMP Session Verification Example

The following example is sample output from the show ip access-list command. In this example, Access Control Lists (ACLs) are created for an ICMP session on which only ping packets were issued from the host. 

Router# show ip access-list 101


Extended IP access list 101

     permit icmp any host 192.168.133.3 time-exceeded

     permit icmp any host 192.168.133.3 unreachable

     permit icmp any host 192.168.133.3 timestamp-reply

     permit icmp any host 192.168.133.3 echo-reply (4 matches)

Additional References

For additional information related to Firewall Stateful Inspection of ICMP, refer to the following references:

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Related Documents

Related Topic
Document Title

CBAC information and configuration tasks

The chapter "Configuring Context-based Access Control" in the Cisco IOS Security Configuration Guide, Release 12.2

Additional CBAC commands

The chapter "Context-based Access Control Commands" in the Cisco IOS Security Command Reference, Release 12.2


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco  MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco  MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

RFCs1
Title

RFC 792

Internet Control Message Protocol

RFC 950

Internet Standard Subnetting Procedure

RFC 1700

Assigned Numbers

1 Not all supported RFCs are listed.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.

debug ip inspect

ip inspect name

debug ip inspect

To display messages about Cisco IOS firewall events, use the debug ip inspect privileged EXEC command. To disable debugging output, use the the no form of this command.

debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}

no debug ip inspect detailed

Syntax Description

function-trace

Displays messages about software functions called by the Cisco IOS firewall.

object-creation

Displays messages about software objects being created by the Cisco IOS firewall. Object creation corresponds to the beginning of Cisco IOS firewall-inspected sessions.

object-deletion

Displays messages about software objects being deleted by the Cisco IOS firewall. Object deletion corresponds to the closing of Cisco IOS firewall-inspected sessions.

events

Displays messages about Cisco IOS firewall software events, including information about Cisco IOS firewall packet processing.

timers

Displays messages about Cisco IOS firewall timer events such as when the Cisco IOS firewall idle timeout is reached.

protocol

Displays messages about Cisco IOS firewall-inspected protocol events, including details about the packets of the protocol.Table 2 provides a list of protocol keywords.

detailed

Causes detailed information to be displayed for all the other enabled Cisco IOS firewall debugging. Use this form of the command in conjunction with other Cisco IOS firewall debugging commands.


Table 2 Protocol Keywords for the debug ip inspect Command 

Application Protocol
protocol keyword

Transport-layer protocols

ICMP

icmp

TCP

tcp

User Datagram Protocol (UDP)

udp

Application-layer protocols

CU-SeeMe

cuseeme

FTP commands and responses

ftp-cmd

FTP tokens (enables tracing of the FTP tokens parsed)

ftp-tokens

H.323 (version 1 and version 2)

h323

HTTP

http

Microsoft NetShow

netshow

RealAudio

realaudio

remote procedure call (RPC)

rpc

Real Time Streaming Protocol (RTSP)

rtsp

Session Initiation Protocol (SIP)

sip

simple mail transfer protocol (SMTP)

smtp

Structured Query Language*Net (SQL*Net)

sqlnet

StreamWorks

streamworks

TFTP

tftp

UNIX r-commands (rlogin, rexec, rsh)

rcmd

VDOLive

vdolive


Command Modes

Privileged EXEC

Command History

Release
Modification

11.2 P

This command was introduced.

12.0(5)T

NetShow support was added.

12.0(7)T

H.323 V2 and RTSP protocol support were added.

12.2(11)YU

ICMP protocol support was added.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.


Examples

The following is sample output from the debug ip inspect function-trace command: 

*Mar  2 01:16:16: CBAC FUNC: insp_inspection 

*Mar  2 01:16:16: CBAC FUNC: insp_pre_process_sync

*Mar  2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41

*Mar  2 01:16:16: CBAC FUNC: insp_find_pregen_session

*Mar  2 01:16:16: CBAC FUNC: insp_get_idbsb

*Mar  2 01:16:16: CBAC FUNC: insp_get_idbsb

*Mar  2 01:16:16: CBAC FUNC: insp_get_irc_of_idb

*Mar  2 01:16:16: CBAC FUNC: insp_get_idbsb

*Mar  2 01:16:16: CBAC FUNC: insp_create_sis

*Mar  2 01:16:16: CBAC FUNC: insp_inc_halfopen_sis

*Mar  2 01:16:16: CBAC FUNC: insp_link_session_to_hash_table

*Mar  2 01:16:16: CBAC FUNC: insp_inspect_pak 

*Mar  2 01:16:16: CBAC FUNC: insp_l4_inspection 

*Mar  2 01:16:16: CBAC FUNC: insp_process_tcp_seg 

*Mar  2 01:16:16: CBAC FUNC: insp_listen_state 

*Mar  2 01:16:16: CBAC FUNC: insp_ensure_return_traffic

*Mar  2 01:16:16: CBAC FUNC: insp_add_acl_item

*Mar  2 01:16:16: CBAC FUNC: insp_ensure_return_traffic

*Mar  2 01:16:16: CBAC FUNC: insp_add_acl_item

*Mar  2 01:16:16: CBAC FUNC: insp_process_syn_packet

*Mar  2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41

*Mar  2 01:16:16: CBAC FUNC: insp_create_tcp_host_entry

*Mar  2 01:16:16: CBAC* FUNC: insp_fast_inspection

*Mar  2 01:16:16: CBAC* FUNC: insp_inspect_pak 

*Mar  2 01:16:16: CBAC* FUNC: insp_l4_inspection 

*Mar  2 01:16:16: CBAC* FUNC: insp_process_tcp_seg 

*Mar  2 01:16:16: CBAC* FUNC: insp_synrcvd_state 

*Mar  2 01:16:16: CBAC* FUNC: insp_fast_inspection

*Mar  2 01:16:16: CBAC* FUNC: insp_inspect_pak 

*Mar  2 01:16:16: CBAC* FUNC: insp_l4_inspection 

*Mar  2 01:16:16: CBAC* FUNC: insp_process_tcp_seg 

*Mar  2 01:16:16: CBAC* FUNC: insp_synrcvd_state 

*Mar  2 01:16:16: CBAC FUNC: insp_dec_halfopen_sis

*Mar  2 01:16:16: CBAC FUNC: insp_remove_sis_from_host_entry

*Mar  2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41

This output shows the functions called by the Cisco IOS firewall as a session is inspected. Entries with an asterisk (*) after the word "CBAC" are entries when the fast path is used; otherwise, the process path is used.

The following is sample output from the debug ip inspect object-creation and debug ip inspect object-deletion command: 

*Mar  2 01:18:30: CBAC OBJ_CREATE: create pre-gen sis 25A3574

*Mar  2 01:18:30: CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item 25A3634

*Mar  2 01:18:30: CBAC OBJ_CREATE: create sis 25C1CC4

*Mar  2 01:18:30: CBAC OBJ_DELETE: delete pre-gen sis 25A3574

*Mar  2 01:18:30: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31

*Mar  2 01:18:30: CBAC OBJ_DELETE: delete sis 25C1CC4

*Mar  2 01:18:30: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634

*Mar  2 01:18:31: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1

The following is sample output from the debug ip inspect object-creation, debug ip inspect object-deletion, and debug ip inspect events commands: 

*Mar  2 01:18:51: CBAC OBJ_CREATE: create pre-gen sis 25A3574

*Mar  2 01:18:51: CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item 25A3634

*Mar  2 01:18:51: CBAC Src 10.1.0.1 Port [1:65535]

*Mar  2 01:18:51: CBAC Dst 10.0.0.1 Port [46406:46406]

*Mar  2 01:18:51: CBAC Pre-gen sis 25A3574 created: 10.1.0.1[1:65535] 
30.0.0.1[46406:46406]

*Mar  2 01:18:51: CBAC OBJ_CREATE: create sis 25C1CC4

*Mar  2 01:18:51: CBAC sis 25C1CC4 initiator_addr (10.1.0.1:20) responder_addr 
(30.0.0.1:46406) initiator_alt_addr (40.0.0.1:20) responder_alt_addr (10.0.0.1:46406)

*Mar  2 01:18:51: CBAC OBJ_DELETE: delete pre-gen sis 25A3574

*Mar  2 01:18:51: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31

*Mar  2 01:18:51: CBAC OBJ_DELETE: delete sis 25C1CC4

*Mar  2 01:18:51: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634

*Mar  2 01:18:51: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1

The following is sample output from the debug ip inspect timers command: 

*Mar  2 01:19:15: CBAC Timer Init Leaf: Pre-gen sis 25A3574

*Mar  2 01:19:15: CBAC Timer Start: Pre-gen sis 25A3574 Timer: 25A35D8 Time: 30000 
milisecs

*Mar  2 01:19:15: CBAC Timer Init Leaf: sis 25C1CC4

*Mar  2 01:19:15: CBAC Timer Stop: Pre-gen sis 25A3574 Timer: 25A35D8

*Mar  2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 30000 milisecs

*Mar  2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 3600000 milisecs

*Mar  2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 5000 milisecs

*Mar  2 01:19:15: CBAC Timer Stop: sis 25C1CC4 Timer: 25C1D5C

The following is sample output from the debug ip inspect tcp command: 

*Mar  2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) 
(10.0.0.1:46409) => (10.1.0.1:21)

*Mar  2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet

*Mar  2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) 
(10.0.0.1:46409) => (10.1.0.1:21)

*Mar  2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet

*Mar  2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30) 
(10.0.0. 1:46409) <= (10.1.0.1:21)

*Mar  2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet

*Mar  2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack 4223720062 seq 4200176247(15) 
(10.0.0. 1:46409) => (10.1.0.1:21)

*Mar  2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet

*Mar  2 01:20:43: CBAC sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) => 
(10.0.0.1:46411)

*Mar  2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0) 
(10.1.0.1:20) <= (10.0.0.1:46411)

This sample shows TCP packets being processed and lists the corresponding acknowledge (ACK) packet numbers and sequence (SEQ) numbers. The number of data bytes in the TCP packet is shown in parentheses—for example, (22). For each packet shown, the addresses and port numbers are shown separated by a colon. For example, (10.1.0.1:21) indicates an IP address of 10.1.0.1 and a TCP port number of 21.

Entries with an asterisk (*) after the word "CBAC" are entries when the fast path is used; otherwise, the process path is used.

The following is sample output from the debug ip inspect tcp and debug ip inspect detailed commands: 

*Mar  2 01:20:58: CBAC* Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp

*Mar  2 01:20:58:  P ack 4223720160 seq 4200176262(22)

*Mar  2 01:20:58: CBAC* Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) 
(40.0.0.1:21)

*Mar  2 01:20:58: CBAC* sis 25A3604 SIS_OPEN

*Mar  2 01:20:58: CBAC* Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), 
len 76,proto=6

*Mar  2 01:20:58: CBAC sis 25A3604 Saving State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 
4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 
4223720160 r_rcvwnd 8760

*Mar  2 01:20:58: CBAC* sis 25A3604 pak 2541E38 TCP P ack 4223720160 seq 4200176262(22) 
(30.0.0.1:46409) => (40.0.0.1:21)

*Mar  2 01:20:58: CBAC* sis 25A3604 pak 2541E38 SIS_OPEN/ESTAB TCP seq 4200176262(22) 
Flags: ACK 4223720160 PSH

*Mar  2 01:20:58: CBAC* sis 25A3604 pak 2541E38 --> SIS_OPEN/ESTAB iisn 4200176160 
i_rcvnxt 4223720160 i_sndnxt 4200176284 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 
r_sndnxt 4223720160 r_rcvwnd 8760

*Mar  2 01:20:58: CBAC* sis 25A3604 L4 inspect result: PASS packet 2541E38 
(30.0.0.1:46409) (40.0.0.1:21) bytes 22 ftp

*Mar  2 01:20:58: CBAC sis 25A3604 Restoring State: SIS_OPEN/ESTAB iisn 4200176160 
i_rcvnxt 4223

720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 
4223720160 r_rcvwnd 8760

*Mar  2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet

*Mar  2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet

*Mar  2 01:20:58: CBAC* Bump up: inspection requires the packet in the process 
path(30.0.0.1) (40.0.0.1)

*Mar  2 01:20:58: CBAC Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp

*Mar  2 01:20:58:  P ack 4223720160 seq 4200176262(22)

*Mar  2 01:20:58: CBAC Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) 
(40.0.0.1:21)

*Mar  2 01:20:58: CBAC sis 25A3604 SIS_OPEN

*Mar  2 01:20:58: CBAC Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 
76, proto=6

The following is sample output from the debug ip inspect icmp and debug ip inspect detailed commands: 

1w6d:CBAC sis 81073F0C SIS_CLOSED

1w6d:CBAC Pak 80D2E9EC IP:s=192.168.133.3 (Ethernet1), d=0.0.0.0 (Ethernet0), len 98, 
proto=1

1w6d:CBAC ICMP:sis 81073F0C pak 80D2E9EC SIS_CLOSED ICMP packet (192.168.133.3:0) => 
(0.0.0.0:0) datalen 56

1w6d:CBAC ICMP:start session from 192.168.133.3

1w6d:CBAC sis 81073F0C --> SIS_OPENING (192.168.133.3:0) (0.0.0.0:0)

1w6d:CBAC sis 81073F0C L4 inspect result:PASS packet 80D2E9EC (192.168.133.3:0) 
(0.0.0.0:0) bytes 56 icmp

1w6d:CBAC sis 81073F0C SIS_OPENING

1w6d:CBAC Pak 80E72BFC IP:s=0.0.0.0 (Ethernet0), d=192.168.133.3 (Ethernet1), len 98, 
proto=1

1w6d:CBAC ICMP:sis 81073F0C pak 80E72BFC SIS_OPENING ICMP packet (192.168.133.3:0) <= 
(0.0.0.0:0) datalen 56

1w6d:CBAC sis 81073F0C --> SIS_OPEN (192.168.133.3:0) (0.0.0.0:0)

1w6d:CBAC sis 81073F0C L4 inspect result:PASS packet 80E72BFC (0.0.0.0:0) 
(192.168.133.3:0) bytes 56 icmp

1w6d:CBAC* sis 81073F0C SIS_OPEN

1w6d:CBAC* Pak 80D2F2C8 IP:s=192.168.133.3 (Ethernet1), d=0.0.0.0 (Ethernet0), len 98, 
proto=1

1w6d:CBAC* ICMP:sis 81073F0C pak 80D2F2C8 SIS_OPEN ICMP packet (192.168.133.3:0) => 
(0.0.0.0:0) datalen 56

1w6d:CBAC* sis 81073F0C --> SIS_OPEN (192.168.133.3:0) (0.0.0.0:0)

1w6d:CBAC* sis 81073F0C L4 inspect result:PASS packet 80D2F2C8 (192.168.133.3:0) 
(0.0.0.0:0) bytes 56 icmp

1w6d:CBAC* sis 81073F0C SIS_OPEN

1w6d:CBAC* Pak 80E737CC IP:s=0.0.0.0 (Ethernet0), d=192.168.133.3 (Ethernet1), len 98, 
proto=1

1w6d:CBAC* ICMP:sis 81073F0C pak 80E737CC SIS_OPEN ICMP packet (192.168.133.3:0) <= 
(0.0.0.0:0) datalen 56

1w6d:CBAC* sis 81073F0C --> SIS_OPEN (192.168.133.3:0) (0.0.0.0:0)

1w6d:CBAC* sis 81073F0C L4 inspect result:PASS packet 80E737CC (0.0.0.0:0) 
(192.168.133.3:0) bytes 56 icmp

1w6d:CBAC* sis 81073F0C SIS_OPEN

1w6d:CBAC* Pak 80F554F0 IP:s=192.168.133.3 (Ethernet1), d=0.0.0.0 (Ethernet0), len 98, 
proto=1

1w6d:CBAC* ICMP:sis 81073F0C pak 80F554F0 SIS_OPEN ICMP packet (192.168.133.3:0) => 
(0.0.0.0:0) datalen 56

1w6d:CBAC* sis 81073F0C --> SIS_OPEN (192.168.133.3:0) (0.0.0.0:0)

1w6d:CBAC* sis 81073F0C L4 inspect result:PASS packet 80F554F0 (192.168.133.3:0) 
(0.0.0.0:0) bytes 56 icmp

1w6d:CBAC* sis 81073F0C SIS_OPEN

1w6d:CBAC* Pak 80E73AC0 IP:s=0.0.0.0 (Ethernet0), d=192.168.133.3 (Ethernet1), len 98, 
proto=1

1w6d:CBAC* ICMP:sis 81073F0C pak 80E73AC0 SIS_OPEN ICMP packet (192.168.133.3:0) <= 
(0.0.0.0:0) datalen 56

1w6d:CBAC* sis 81073F0C --> SIS_OPEN (192.168.133.3:0) (0.0.0.0:0)

1w6d:CBAC* sis 81073F0C L4 inspect result:PASS packet 80E73AC0 (0.0.0.0:0) 
(192.168.133.3:0) bytes 56 icmp

ip inspect name

To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this command.

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}]
[timeout seconds]

no ip inspect name [inspection-name protocol]

Syntax Description

inspection-name

Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules.

Note The inspection-name cannot exceed 16 characters; otherwise, the name will be truncated to the 16-character limit.

protocol

A protocol keyword listed in Table 3 or Table 4.

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set be on or off. If no option is selected, alerts are generated on the basis of the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, audit trail can be set on or off. If no option is selected, an audit trail message are generated on the basis of the setting of the ip inspect audit-trail command.

timeout seconds

(Optional) To override the global TCP or User Datagram Protocol (UDP), or ICMP idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.

This timeout overrides the global TCP, UDP, or ICMP timeouts but will not override the global Domain Name System (DNS) timeout.


Table 3 Protocol Keywords—Transport-Layer Protocols 

Protocol
Keyword

Internet Control Message Protocol (ICMP)

icmp

TCP

tcp

User Datagram Protocol (UDP)

udp


Table 4 Protocol Keywords—Application-Layer Protocols 

Protocol
Keyword

CU-SeeMe

cuseeme

FTP

ftp

Java

http

H.323

h323

Microsoft NetShow

netshow

RealAudio

realaudio

remote-procedure call (RPC)

rpc

Session Initiation Protocol (SIP)

sip

simple mail transfer protocol (SMTP)

smtp

Structured Query Language*Net (SQL*Net)

sqlnet

StreamWorks

streamworks

TFTP

tftp

UNIX R commands (rlogin, rexec, rsh)

rcmd

VDOLive

vdolive


Defaults

No inspection rules are defined until you define them using this command.

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.0(5)T

Introduced configurable alert and audit trail, IP fragmentation checking, and NetShow protocol support.

12.2(11)YU

ICMP protocol support was added.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.


Usage Guidelines

To define a set of inspection rules, enter this command for each protocol that you want the Cisco IOS firewall to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which should not exceed the 16-charatcer limit. Define either one or two sets of rules per interface—you can define one set to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for TCP, UDP, or ICMP as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name. (There are no application-layer protocols associated with ICMP.)

To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols.

In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.

TCP and UDP Inspection

You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number from the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.

With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source or destination addresses and source or destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.

ICMP Inspection

An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic Access Control Lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wild-card address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.

Application-Layer Protocol Inspection

In general, if you configure inspection for an application-layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct access control list), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state.

Use of the timeout Keyword

If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface to which the set of inspection rules is applied.

If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.

If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.

The default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing ICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds after the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced one second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the timeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will be closed and the return packet will not be allowed in. Although the default timeout can be made longer if desired, it is recommended that this value be kept relatively short.

Examples

The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For UDP traffic, audit-trail is on. For FTP traffic, the idle timeout is set to override the global TCP idle timeout. For RPC traffic, program numbers 100003, 100005, and 100021 are permitted. 

ip inspect name myrules tcp

ip inspect name myrules udp audit-trail on

ip inspect name myrules cuseeme

ip inspect name myrules ftp timeout 120

ip inspect name myrules rpc program-number 100003

ip inspect name myrules rpc program-number 100005

ip inspect name myrules rpc program-number 100021

The following example adds fragment checking to software inspection of TCP and UDP sessions for the rule named "myrules." In this example, the firewall software will allocate 100 state structures, and the timeout value for dropping unassembled packets is set to 4 seconds. If 100 initial fragments for 100 different packets are sent through the router, all of the state structures will be used up. The initial fragment for packet 101 will be dropped. Additionally, if the number of free state structures (structures available for use by unassembled packets) drops below the threshold values, 32 or 16, the timeout value is automatically reduced to 2 or 1, respectively. Changing the timeout value frees up packet state structures more quickly. 

ip inspect name myrules tcp

ip inspect name myrules udp audit-trail on

ip inspect name myrules cuseeme

ip inspect name myrules ftp timeout 120

ip inspect name myrules rpc program-number 100003

ip inspect name myrules rpc program-number 100005

ip inspect name myrules rpc program-number 100021

ip inspect name myrules fragment max 100 timeout 4

Related Commands

Command
Description

ip inspect

Applies a set of inspection rules to an interface.

ip inspect alert-off

Disables Cisco IOS firewall alert messages.

ip inspect audit trail

Turns on Cisco IOS firewall audit trail messages, which will be displayed on the console after each CBAC session close.


Glossary

ACL—access control list. An ACL is a list kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).

CBAC—Context-Based Access Control. CBAC is the name given to the Cisco IOS Firewall subsystem.

firewall—A firewall is a networking device that controls access to the network assets of your organization. Firewalls are positioned at the entrance points into your network. If your network has multiple entrance points, you must position a firewall at each point to provide effective network access control.

The most basic function of a firewall is to monitor and filter traffic. Firewalls can be simple or elaborate, depending on your network requirements. Simple firewalls are usually easier to configure and manage. However, you might require the flexibility of a more elaborate firewall.

ICMP—Internet Control Message Protocol. An ICMP is a network layer Internet protocol that reports errors and provides other information relevant to IP packet processing.

RPC—remote-procedure call. A RPC is the technological foundation of client or server computing. RPCs are procedure calls that are built or specified by clients and are executed on servers, with the results returned over the network to the clients.

RTSP—Real Time Streaming Protocol. RTSP enables the controlled delivery of real-time data, such as audio and video. Sources of data can include both live data feeds, such as live audio and video, and stored content, such as prerecorded events. RTSP is designed to work with established protocols, such as RTP and HTTP.

SIP—Session Initiation Protocol. SIP is a protocol developed by the IETF MUSIC Working Group as an alternative to H.323. SIP features are compliant with IETF RFC 2543, published in March 1999. SIP equips platforms to signal the setup of voice and multimedia calls over IP networks.

SMTP—simple mail transfer protocol. SMTP is an Internet protocol providing e-mail services.

UDP—User Datagram Protocol. A UDP is a connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768.

Note Refer to the Internetworking Terms and Acronyms for terms not included in this glossary.