Cisco IOS Security Command Reference, Release 12.3
Security Commands: ip auth-proxy through ip tcp intercept

Table Of Contents

ip auth-proxy (global configuration)

ip auth-proxy (interface configuration)

ip auth-proxy auth-proxy-banner

ip auth-proxy name

ip http ezvpn

ip inspect

ip inspect alert-off

ip inspect audit-trail

ip inspect dns-timeout

ip inspect hashtable

ip inspect max-incomplete high

ip inspect max-incomplete low

ip inspect name

ip inspect one-minute high

ip inspect one-minute low

ip inspect tcp finwait-time

ip inspect tcp idle-time

ip inspect tcp max-incomplete host

ip inspect tcp synwait-time

ip inspect udp idle-time

ip port-map

ip radius source-interface

ip reflexive-list timeout

ip scp server enable

ip security add

ip security aeso

ip security dedicated

ip security eso-info

ip security eso-max

ip security eso-min

ip security extended-allowed

ip security first

ip security ignore-authorities

ip security ignore-cipso

ip security implicit-labelling

ip security multilevel

ip security reserved-allowed

ip security strip

ip ssh

ip ssh port

ip ssh source-interface

ip tacacs source-interface

ip tcp intercept connection-timeout

ip tcp intercept drop-mode

ip tcp intercept finrst-timeout

ip tcp intercept list

ip tcp intercept max-incomplete high

ip tcp intercept max-incomplete low

ip tcp intercept mode

ip tcp intercept one-minute high

ip tcp intercept one-minute low

ip tcp intercept watch-timeout


ip auth-proxy (global configuration)

To set the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity), use the ip auth-proxy command in global configuration mode. To set the default value, use the no form of this command.

ip auth-proxy {inactivity-timer min | absolute-timer min}

no ip auth-proxy {inactivity-timer | absolute-timer}

Syntax Description

inactivity-timer min

Specifies the length of time in minutes that an authentication cache entry, along with its associated dynamic user access control list (ACL), is managed after a period of inactivity. Enter a value in the range 1 to 2,147,483,647. The default value is 60 minutes.

Note This option deprecates the auth-cache-time min option.

absolute-timer min

Specifies a window in which the authentication proxy on the enabled interface is active. Enter a value in the range 1 to 65,535 minutes (45 and a half days). The default value is 0 minutes.


Defaults

The default value of the inactivity-timer min option is 60 minutes.

The default value of the absolute-timer min option is 0 minutes.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(1)

The inactivity-timer min and absolute-timer min options were added.


Usage Guidelines

Use this command to set the global idle timeout value for the authentication proxy. You must set the value of the inactivity-timer min option to a higher value than the idle timeout of any Context-Based Access Control (CBAC) protocols. Otherwise, when the authentication proxy removes the user profile along associated dynamic user ACLs, there might be some idle connections monitored by CBAC. Removing these user-specific ACLs could cause those idle connections to hang. If the CBAC idle timeout value is shorter, CBAC resets these connections when the CBAC idle timeout expires, which is before the authentication proxy removes the user profile.

The absolute-timer min option allows users to configure a window during which the authentication proxy on the enabled interface is active. Once the absolute timer expires, the authentication proxy will be disabled regardless of any activity. The global absolute timeout value can be overridden by the local (per protocol) value, which is enabled via the ip auth-proxy name command. The absolute timer is turned off by default, and the authentication proxy is enabled indefinitely.

Examples

The following example sets the inactivity timeout to 30 minutes:

ip auth-proxy inactivity-timer 30 

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.

show ip auth-proxy configuration

Displays the authentication proxy entries or the running authentication proxy configuration.


ip auth-proxy (interface configuration)

To apply an authentication proxy rule at a firewall interface, use the ip auth-proxy command in interface configuration mode. To remove the authentication proxy rules, use the no form of this command.

ip auth-proxy auth-proxy-name

no ip auth-proxy auth-proxy-name

Syntax Description

auth-proxy-name

Specifies the name of the authentication proxy rule to apply to the interface configuration. The authentication proxy rule is established with the ip auth-proxy name command.


Defaults

No default behavior or values.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

Use the ip auth-proxy command to enable the named authentication proxy rule at the firewall interface. Traffic passing through the interface from hosts with an IP address matching the standard access list and protocol type (HTTP) is intercepted for authentication if no corresponding authentication cache entry exists. If no access list is defined, the authentication proxy intercepts traffic from all hosts whose connection initiating packets are received at the configured interface.

Use the no form of this command with a rule name to disable the authentication proxy for a given rule on a specific interface. If a rule is not specified, the no form of this command disables the authentication proxy on the interface.

Examples

The following example configures interface Ethernet0 with the HQ_users rule:

interface e0 
 ip address 172.21.127.210 255.255.255.0
 ip access-group 111 in
 ip auth-proxy HQ_users
 ip nat inside

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.


ip auth-proxy auth-proxy-banner

To display a banner, such as the router name, in the authentication proxy login page, use the ip auth-proxy auth-proxy-banner command in global configuration mode. To disable display of the banner, use the no form of this command.

ip auth-proxy auth-proxy-banner {ftp | http | telnet} [banner-text]

no ip auth-proxy auth-proxy-banner {ftp | http | telnet}

Syntax Description

ftp

Specifies the FTP protocol.

http

Specifies the HTTP protocol.

telnet

Specifies the Telnet protocol.

banner-text

(Optional) Specifies a text string to replace the default banner, which is the name of the router. The text string should be written in the following format: "C banner-text C," where "C" is a delimiting character.


Defaults

This command is not enabled, and a banner is not displayed on the authentication proxy login page.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(1)

The following keywords were added: ftp, http, and telnet.


Usage Guidelines

The ip auth-proxy auth-proxy-banner command allows users to configure one of two possible scenarios:

The ip auth-proxy auth-proxy-banner command is enabled.

In this scenario, the administrator has not supplied any text. Thus, a default banner that states the following: "Cisco Systems, <router's hostname> Authentication" will be displayed in the authentication proxy login page. This scenario is most commonly used.

The ip auth-proxy auth-proxy-banner command with the banner-text argument is enabled.

In this scenario, the administrator can supply multiline text that will be converted to HTML by the auth-proxy parser code. Thus, only the multiline text will displayed in the authentication proxy login page. You will not see the default banner, "Cisco Systems, <router's hostname> Authentication."


Note If the ip auth-proxy auth-proxy-banner command is not enabled, there will not be any banner configuration. Thus, nothing will be displayed to the user on authentication proxy login page except a text box to enter the username and a text box to enter the password.


Examples

The following example causes the router name to be displayed in the authentication proxy login page:

ip auth-proxy auth-proxy-banner ftp

The following example shows how to specify the custom banner "whozat" to be displayed in the authentication proxy login page:

ip auth-proxy auth-proxy-banner telnet CwhozatC

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.


ip auth-proxy name

To create an authentication proxy rule, use the ip auth-proxy name command in global configuration mode. To remove the authentication proxy rules, use the no form of this command.

ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-timer min] [absolute-timer min] [list {acl | acl-name}]

no ip auth-proxy name auth-proxy-name

Syntax Description

auth-proxy-name

Associates a name with an authentication proxy rule. Enter a name of up to 16 alphanumeric characters.

ftp

Specifies FTP to trigger the authentication proxy.

http

Specifies HTTP to trigger the authentication proxy.

telnet

Specifies Telnet to trigger the authentication proxy.

inactivity-timer min

(Optional) Overrides the global authentication proxy cache timer for a specific authentication proxy name, offering more control over timeout values. Enter a value in the range 1 to 2,147,483,647. The default value is equal to the value set with the ip auth-proxy command.

Note This option deprecates the auth-cache-time min option.

absolute-timer min

(Optional) Specifies a window in which the authentication proxy on the enabled interface is active. Enter a value in the range 1 to 65,535 minutes (45 and a half days). The default value is 0 minutes.

list {acl | acl-name}

(Optional) Specifies a standard (1-99), extended (1-199), or named IP access list to use with the authentication proxy. With this option, the authentication proxy is applied only to those hosts in the access list. If no list is specified, all connections initiating HTTP, FTP, or Telnet traffic arriving at the interface are subject to authentication.


Defaults

The default value is equal to the value set with the ip auth-proxy auth-cache-time command.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2

Support for named and extend access lists was introduced.

12.3(1)

The following keywords were introduced:

ftp

telnet

inactivity-timer min

absolute-timer min


Usage Guidelines

This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy. The rule is applied to an interface on a router using the ip auth-proxy command.

Use the inactivity-timer min option to override the global the authentication proxy cache timer. This option provides control over timeout values for specific authentication proxy rules. The authentication proxy cache timer monitors the length of time (in minutes) that an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity. When that period of inactivity (idle time) expires, the authentication entry and the associated dynamic access lists are deleted.

Use the list option to associate a set of specific IP addresses or a named ACL with the ip auth-proxy name command.

Use the no form of this command with a rule name to remove the authentication proxy rules. If no rule is specified, the no form of this command removes all the authentication rules on the router, and disables the proxy at all interfaces.


Note You must use the aaa authorization auth-proxy command together with the ip auth-proxy name command. Together these commands set up the authorization policy to be retrieved by the firewall. Refer to the aaa authorization auth-proxy command for more information.


Examples

The following example creates the HQ_users authentication proxy rule. Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.

ip auth-proxy name HQ_users http

The following example creates the Mfg_users authentication proxy rule and applies it to hosts specified in ACL 10:

access-list 10 192.168.7.0 0.0.0.255 
ip auth-proxy name Mfg_users http list 10

The following example sets the timeout value for Mfg_users to 30 minutes:

access-list 15 any 
ip auth-proxy name Mfg_users http inactivity-timer 30 list 15

The following example disables the Mfg_users rule:

no ip auth-proxy name Mfg_users

The following example disables the authentication proxy at all interfaces and removes all the rules from the router configuration:

no ip auth-proxy

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict network access to a user.

ip auth-proxy (global)

Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).

ip auth-proxy (interface)

Applies an authentication proxy rule at a firewall interface.

show ip auth-proxy configuration

Displays the authentication proxy entries or the running authentication proxy configuration.


ip http ezvpn

To enable the Cisco Easy VPN Remote web server interface, use the ip http ezvpn command in global configuration mode. To disable the Cisco Easy VPN Remote web interface, use the no form of this command.

ip http ezvpn

no ip http ezvpn

Syntax Description

This command has no arguments or keywords.

Defaults

The Cisco Easy VPN Remote web interface is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)YJ

This command was introduced for the Cisco uBR905 and Cisco uBR925 cable access routers.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.


Usage Guidelines

This command enables the Cisco Easy VPN Remote web server, an onboard web server, that allows you to connect to an IP Security (IPSec) Easy Virtual Private Network (VPN) tunnel and to provide the required authentication information. This connection allows you to perform these functions without having to use the Cisco command-line interface (CLI).

Before using this command, you must first enable the Cisco web server that is onboard the cable access router by entering the ip http server command. Then use the ip http ezvpn command to enable the Cisco Easy VPN Remote web server. You can then access the web server by entering the IP address for the Ethernet interface of the router in your web browser.


Note The Cisco Easy VPN Remote web interface does not work with the Cable Monitor web interface in Cisco IOS Release 12.2(8)YJ. To access the Cable Monitor web interface, you must first disable the Cisco Easy VPN Remote web interface with the no ip http ezvpn command, and then enable the Cable Monitor with the ip http cable-monitor command.


Examples

The following example shows how to enable the Cisco Easy VPN Remote web server interface:

Router# configure terminal 
Router(config)# ip http server 
Router(config)# ip http ezvpn 
Router(config)# exit 
Router# copy running-config startup-config 

Related Commands

Command
Description

ip http cable-monitor

Enables and disables the Cable Monitor web server feature.

ip http port

Configures the TCP port number for the HTTP web server of the router. The default is the well-known web server port of 80.

ip http server

Enables and disables the HTTP web server of the router.


ip inspect

To apply a set of inspection rules to an interface, use the ip inspect command in interface configuration mode. To remove the set of rules from the interface, use the no form of this command.

ip inspect inspection-name {in | out}

no ip inspect inspection-name {in | out}

Syntax Description

inspection-name

Identifies which set of inspection rules to apply.

in

Applies the inspection rules to inbound traffic.

out

Applies the inspection rules to outbound traffic.


Defaults

If no set of inspection rules is applied to an interface, no traffic will be inspected by CBAC.

Command Modes

Interface configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Use this command to apply a set of inspection rules to an interface.

Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternately, if the interface connects to the internal network, you apply the inspection rules to inbound traffic.

If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet.

If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet.

Examples

The following example applies a set of inspection rules named "outboundrules" to an external interface's outbound traffic. This causes inbound IP traffic to be permitted only if the traffic is part of an existing session, and to be denied if the traffic is not part of an existing session.

interface serial0
 ip inspect outboundrules out

Related Commands

Command
Description

ip inspect name

Defines a set of inspection rules.


ip inspect alert-off

To disable Context-based Access Control (CBAC) alert messages, which are displayed on the console, use the ip inspect alert-off command in global configuration mode. To enable CBAC alert messages, use the no form of this command.

ip inspect alert-off

no ip inspect alert-off

Syntax Description

This command has no arguments or keywords.

Defaults

Alert messages are displayed.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Examples

The following example disables CBAC alert messages:

ip inspect alert-off

ip inspect audit-trail

To turn on Context-based Access Control (CBAC) audit trail messages, which will be displayed on the console after each CBAC session closes, use the ip inspect audit-trail command in global configuration mode. To turn off CBAC audit trail message, use the no form of this command.

ip inspect audit-trail

no ip inspect audit-trail

Syntax Description

This command has no arguments or keywords.

Defaults

Audit trail messages are not displayed.

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

Use this command to turn on CBAC audit trail messages.

Examples

The following example turns on CBAC audit trail messages:

ip inspect audit-trail

Afterward, audit trail messages such as the following are displayed:

%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- 
responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator 192.168.1.13:33194) sent 336 bytes -- 
responder (192.168.129.11:21) sent 325 bytes

These messages are examples of audit trail messages. To determine which protocol was inspected, refer to the responder's port number. The port number follows the responder's IP address.

ip inspect dns-timeout

To specify the Domain Name System (DNS) idle timeout (the length of time during which a DNS name lookup session will still be managed while there is no activity), use the ip inspect dns-timeout command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command.

ip inspect dns-timeout seconds

no ip inspect dns-timeout

Syntax Description

seconds

Specifies the length of time in seconds, for which a DNS name lookup session will still be managed while there is no activity. The default is 5 seconds.


Defaults

5 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

When the software detects a valid User Datagram Protocol packet for a new DNS name lookup session, if Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session.

If the software detects no packets for the DNS session for a time period defined by the DNS idle timeout, the software will not continue to manage state information for the session.

The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC.

The DNS idle timeout value overrides the global UDP timeout. The DNS idle timeout value also enters aggressive mode and overrides any timeouts specified for specific interfaces when you define a set of inspection rules with the ip inspect name command.

Examples

The following example sets the DNS idle timeout to 30 seconds:

ip inspect dns-timeout 30

The following example sets the DNS idle timeout back to the default (5 seconds):

no ip inspect dns-timeout

ip inspect hashtable

To change the size of the session hash table, use the ip inspect hashtable command in global configuration mode. To restore the size of the session hash table to the default, use the no form of this command.

ip inspect hashtable number

no ip inspect hashtable number

Syntax Description

number

Size of the hash table in terms of buckets. Possible values for the hash table are 1024, 2048, 4096, and 8192; the default value is 1024.


Defaults

1024 buckets

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the ip inspect hashtable command to increase the size of the hash table when the number of concurrent sessions increases or to reduce the search time for the session. Collisions in a hash table result in poor hash function distribution because many entries are hashed into the same bucket for certain patterns of addresses. Even if a hash function distribution evenly dispenses the input across all of the buckets, a small hash table size will not scale well if there are a large number of sessions. As the number of sessions increase, the collisions increase, which increases the length of the linked lists, thereby, deteriorating the throughput performance.


Note You should increase the hash table size when the total number of sessions running through the context-based access control (CBAC) router is approximately twice the current hash size; decrease the hash table size when the total number of sessions is reduced to approximately half the current hash size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the size of the hash table.


Examples

The following example shows how to change the size of the session hash table to 2048 buckets:

ip inspect hashtable 2048

ip inspect max-incomplete high

To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

ip inspect max-incomplete high number

no ip inspect max-incomplete high

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions.


Defaults

500 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:

ip inspect max-incomplete high 900
ip inspect max-incomplete low 800

Related Commands

Command
Description

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.


ip inspect max-incomplete low

To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command.

ip inspect max-incomplete low number

no ip inspect max-incomplete low

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions.


Defaults

400 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:

ip inspect max-incomplete high 900
ip inspect max-incomplete low 800

Related Commands

Command
Description

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.


ip inspect name

To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this command.

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}]
[
timeout seconds]

no ip inspect name [inspection-name protocol]

HTTP Inspection Syntax

ip inspect name inspection-name http [java-list access-list] [urlfilter] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol

remote-procedure call (RPC) Inspection Syntax

ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol

Fragment Inspection Syntax

ip inspect name inspection-name fragment [max number timeout seconds]

no ip inspect name inspection-name fragment

Syntax Description

inspection-name

Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules.

Note The inspection-name cannot exceed 16 characters; otherwise, the name will be truncated to the 16-character limit.

protocol

A protocol keyword listed in Table 15 or Table 16.

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set be on or off. If no option is selected, alerts are generated on the basis of the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, audit trail can be set on or off. If no option is selected, an audit trail message are generated on the basis of the setting of the ip inspect audit-trail command.

http

Specifies the HTTP protocol for Java applet blocking.

urlfilter

(Optional) Associates URL filtering with HTTP inspection.

timeout seconds

(Optional) To override the global TCP or User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.

This timeout overrides the global TCP, UDP, or ICMP timeouts but will not override the global Domain Name System (DNS) timeout.

java-list access-list

(Optional) Specifies the numbered standard access list to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with numbered standard access lists.

rpc program-number number

Specifies the program number to permit. This keyword is available only for the remote-procedure call protocol.

wait-time minutes

(Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol.

fragment

Specifies fragment inspection for the named rule.

max number

(Optional) Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries.

Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

timeout seconds
(fragmentation)

(Optional) Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is one second.

If this number is set to a value greater that one second, it will be automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is less than 32, the timeout will be divided by 2. When the number of free states is less than 16, the timeout will be set to 1 second.


Defaults

No inspection rules are defined until you define them using this command.

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.0(5)T

Introduced configurable alert and audit trail, IP fragmentation checking, and NetShow protocol support.

12.2(11)YU

Support was added for ICMP and SIP protocols and the urlfilter keyword was added to the HTTP inspection syntax.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(1)

Skinny protocol support was added.


Usage Guidelines

To define a set of inspection rules, enter this command for each protocol that you want the Cisco IOS firewall to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which should not exceed the 16-character limit. Define either one or two sets of rules per interface—you can define one set to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for TCP, UDP, or ICMP as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name. (There are no application-layer protocols associated with ICMP.)

To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols.

In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.

TCP and UDP Inspection

You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number from the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.

With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source or destination addresses and source or destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.

ICMP Inspection

An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic access control lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wild-card address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.

Table 15 Protocol Keywords—Transport-Layer and Network-Layer Protocols 

Protocol
Keyword

ICMP

icmp

TCP

tcp

UDP

udp


Application-Layer Protocol Inspection

In general, if you configure inspection for an application-layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct access control list), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state.

Java, H.323, RPC, SIP, and SMTP inspection have additional information, described in the next five sections. Table 16 lists the supported application-layer protocols.

Table 16 Protocol Keywords—Application-Layer Protocols 

Protocol
Keyword

CU-SeeMe

cuseeme

FTP

ftp

Java

http

H.323

h323

Microsoft NetShow

netshow

RealAudio

realaudio

remote-procedure call (RPC)

rpc

Session Initiation Protocol (SIP)

sip

Simple Mail Transfer Protocol (SMTP)

smtp

Skinny Client Control Protocol (SCCP)

skinny

StreamWorks

streamworks

Structured Query Language*Net (SQL*Net)

sqlnet

TFTP

tftp

UNIX R commands (rlogin, rexec, rsh)

rcmd

VDOLive

vdolive


Java Inspection

Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except sites specifically designated as "hostile."


Note Before you configure Java inspection, you must configure a numbered standard access list that defines "friendly" and "hostile" external sites. You configure this numbered standard access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure a numbered standard access list, but use a "placeholder" access list in the ip inspect name inspection-name http command, all Java applets will be blocked.



Note Java blocking forces a strict order on TCP packets. To properly verify that Java applets are not in the response, a firewall will drop any TCP packet that is out of order. Because the network—not the firewall—determines how packets are routed, the firewall cannot control the order of the packets; the firewall can only drop and retransmit all TCP packets that are not in order.



Caution Context-Based Access Control (CBAC) does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port.

H.323 Inspection

If you want CBAC inspection to work with NetMeeting 2.0 traffic (an H.323 application-layer protocol), you must also configure inspection for TCP, as described in the chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide. This requirement exists because NetMeeting 2.0 uses an additional TCP channel not defined in the H.323 specification.

RPC Inspection

RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. If a program number is specified, all traffic for that program number will be permitted. If a program number is not specified, all traffic for that program number will be blocked. For example, if you created an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall.

SIP Inspection

You can configure SIP inspection to permit media sessions associated with SIP-signaled calls to traverse the firewall. Because SIP is frequently used to signal both incoming and outgoing calls, it is often necessary to configure SIP inspection in both directions on a firewall (both from the protected internal network and from the external network). Because inspection of traffic from the external network is not done with most protocols, it may be necessary to create an additional inspection rule to cause only SIP inspection to be performed on traffic coming from the external network.

SMTP Inspection

SMTP inspection causes SMTP commands to be inspected for illegal commands. Any packets with illegal commands are dropped, and the SMTP session will hang and eventually time out. An illegal command is any command except for the following legal commands:

DATA

EXPN

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SEND

SOML

VRFY

Use of the urlfilter Keyword

If you specify the urlfilter keyword, the Cisco IOS firewall will interact with a URL filtering software to control web traffic for a given host or user on the basis of a specified security policy.


Note Enabling HTTP inspection with or without any option triggers the Java applet scanner, which is CPU intensive. The only way to stop the Java applet scanner is to specify the java-list access-list option. Configuring URL filtering without enabling the java-list access-list option will severely impact performance.


Use of the timeout Keyword

If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface to which the set of inspection rules is applied.

If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.

If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.

The default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing ICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds after the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced one second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the timeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will be closed and the return packet will not be allowed in. Although the default timeout can be made longer if desired, it is recommended that this value be kept relatively short.

IP Fragmentation Inspection

CBAC inspection rules can help protect hosts against certain denial-of-service attacks involving fragmented IP packets. Even though the firewall keeps an attacker from making actual connections to a given host, the attacker may still be able to disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets.

Using fragmentation inspection, the firewall maintains an interfragment state (structure) for IP traffic. Non-initial fragments are discarded unless the corresponding initial fragment was permitted to pass through the firewall. Non-initial fragments received before the corresponding initial fragments are discarded.


Note Fragmentation inspection can have undesirable effects in certain cases, because it can result in the firewall discarding any packet whose fragments arrive out of order. There are many circumstances that can cause out-of-order delivery of legitimate fragments. Apply fragmentation inspection in situations where legitimate fragments, which are likely to arrive out of order, might have a severe performance impact.


Because routers running Cisco IOS software are used in a very large variety of networks, and because the CBAC feature is often used to isolate parts of internal networks from one another, the fragmentation inspection feature is not enabled by default. Fragmentation detection must be explicitly enabled for an inspection rule using the ip inspect name command. Unfragmented traffic is never discarded because it lacks a fragment state. Even when the system is under heavy attack with fragmented packets, legitimate fragmented traffic, if any, will still get some fraction of the firewall's fragment state resources, and legitimate, unfragmented traffic can flow through the firewall unimpeded.

Examples

The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For UDP traffic, audit-trail is on. For FTP traffic, the idle timeout is set to override the global TCP idle timeout. For RPC traffic, program numbers 100003, 100005, and 100021 are permitted.

ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021

The following example adds fragment checking to software inspection of TCP and UDP sessions for the rule named "myrules." In this example, the firewall software will allocate 100 state structures, and the timeout value for dropping unassembled packets is set to 4 seconds. If 100 initial fragments for 100 different packets are sent through the router, all of the state structures will be used up. The initial fragment for packet 101 will be dropped. Additionally, if the number of free state structures (structures available for use by unassembled packets) drops below the threshold values, 32 or 16, the timeout value is automatically reduced to 2 or 1, respectively. Changing the timeout value frees up packet state structures more quickly.

ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
ip inspect name myrules fragment max 100 timeout 4

The following firewall and SIP example shows how to allow outside-initiated calls and internal calls. For outside-initiated calls, an ACL needs to be punched to allow for the traffic from the initial signaling packet from outside. Subsequent signaling and media channels will be allowed by the inspection module.

ip inspect name voip sip 
interface FastEthernet0/0
 ip inspect voip in
!
!
interface FastEthernet0/1
 ip inspect voip in