Cisco IOS Security Command Reference, Release 12.3
Security Commands: ip auth-proxy through ip tcp intercept

Table Of Contents

ip auth-proxy (global configuration)

ip auth-proxy (interface configuration)

ip auth-proxy auth-proxy-banner

ip auth-proxy name

ip http ezvpn

ip inspect

ip inspect alert-off

ip inspect audit-trail

ip inspect dns-timeout

ip inspect hashtable

ip inspect max-incomplete high

ip inspect max-incomplete low

ip inspect name

ip inspect one-minute high

ip inspect one-minute low

ip inspect tcp finwait-time

ip inspect tcp idle-time

ip inspect tcp max-incomplete host

ip inspect tcp synwait-time

ip inspect udp idle-time

ip port-map

ip radius source-interface

ip reflexive-list timeout

ip scp server enable

ip security add

ip security aeso

ip security dedicated

ip security eso-info

ip security eso-max

ip security eso-min

ip security extended-allowed

ip security first

ip security ignore-authorities

ip security ignore-cipso

ip security implicit-labelling

ip security multilevel

ip security reserved-allowed

ip security strip

ip ssh

ip ssh port

ip ssh source-interface

ip tacacs source-interface

ip tcp intercept connection-timeout

ip tcp intercept drop-mode

ip tcp intercept finrst-timeout

ip tcp intercept list

ip tcp intercept max-incomplete high

ip tcp intercept max-incomplete low

ip tcp intercept mode

ip tcp intercept one-minute high

ip tcp intercept one-minute low

ip tcp intercept watch-timeout


ip auth-proxy (global configuration)

To set the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity), use the ip auth-proxy command in global configuration mode. To set the default value, use the no form of this command.

ip auth-proxy {inactivity-timer min | absolute-timer min}

no ip auth-proxy {inactivity-timer | absolute-timer}

Syntax Description

inactivity-timer min

Specifies the length of time in minutes that an authentication cache entry, along with its associated dynamic user access control list (ACL), is managed after a period of inactivity. Enter a value in the range 1 to 2,147,483,647. The default value is 60 minutes.

Note This option deprecates the auth-cache-time min option.

absolute-timer min

Specifies a window in which the authentication proxy on the enabled interface is active. Enter a value in the range 1 to 65,535 minutes (45 and a half days). The default value is 0 minutes.


Defaults

The default value of the inactivity-timer min option is 60 minutes.

The default value of the absolute-timer min option is 0 minutes.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(1)

The inactivity-timer min and absolute-timer min options were added.


Usage Guidelines

Use this command to set the global idle timeout value for the authentication proxy. You must set the value of the inactivity-timer min option to a higher value than the idle timeout of any Context-Based Access Control (CBAC) protocols. Otherwise, when the authentication proxy removes the user profile along associated dynamic user ACLs, there might be some idle connections monitored by CBAC. Removing these user-specific ACLs could cause those idle connections to hang. If the CBAC idle timeout value is shorter, CBAC resets these connections when the CBAC idle timeout expires, which is before the authentication proxy removes the user profile.

The absolute-timer min option allows users to configure a window during which the authentication proxy on the enabled interface is active. Once the absolute timer expires, the authentication proxy will be disabled regardless of any activity. The global absolute timeout value can be overridden by the local (per protocol) value, which is enabled via the ip auth-proxy name command. The absolute timer is turned off by default, and the authentication proxy is enabled indefinitely.

Examples

The following example sets the inactivity timeout to 30 minutes:

ip auth-proxy inactivity-timer 30 

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.

show ip auth-proxy configuration

Displays the authentication proxy entries or the running authentication proxy configuration.


ip auth-proxy (interface configuration)

To apply an authentication proxy rule at a firewall interface, use the ip auth-proxy command in interface configuration mode. To remove the authentication proxy rules, use the no form of this command.

ip auth-proxy auth-proxy-name

no ip auth-proxy auth-proxy-name

Syntax Description

auth-proxy-name

Specifies the name of the authentication proxy rule to apply to the interface configuration. The authentication proxy rule is established with the ip auth-proxy name command.


Defaults

No default behavior or values.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

Use the ip auth-proxy command to enable the named authentication proxy rule at the firewall interface. Traffic passing through the interface from hosts with an IP address matching the standard access list and protocol type (HTTP) is intercepted for authentication if no corresponding authentication cache entry exists. If no access list is defined, the authentication proxy intercepts traffic from all hosts whose connection initiating packets are received at the configured interface.

Use the no form of this command with a rule name to disable the authentication proxy for a given rule on a specific interface. If a rule is not specified, the no form of this command disables the authentication proxy on the interface.

Examples

The following example configures interface Ethernet0 with the HQ_users rule:

interface e0 
 ip address 172.21.127.210 255.255.255.0
 ip access-group 111 in
 ip auth-proxy HQ_users
 ip nat inside

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.


ip auth-proxy auth-proxy-banner

To display a banner, such as the router name, in the authentication proxy login page, use the ip auth-proxy auth-proxy-banner command in global configuration mode. To disable display of the banner, use the no form of this command.

ip auth-proxy auth-proxy-banner {ftp | http | telnet} [banner-text]

no ip auth-proxy auth-proxy-banner {ftp | http | telnet}

Syntax Description

ftp

Specifies the FTP protocol.

http

Specifies the HTTP protocol.

telnet

Specifies the Telnet protocol.

banner-text

(Optional) Specifies a text string to replace the default banner, which is the name of the router. The text string should be written in the following format: "C banner-text C," where "C" is a delimiting character.


Defaults

This command is not enabled, and a banner is not displayed on the authentication proxy login page.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(1)

The following keywords were added: ftp, http, and telnet.


Usage Guidelines

The ip auth-proxy auth-proxy-banner command allows users to configure one of two possible scenarios:

The ip auth-proxy auth-proxy-banner command is enabled.

In this scenario, the administrator has not supplied any text. Thus, a default banner that states the following: "Cisco Systems, <router's hostname> Authentication" will be displayed in the authentication proxy login page. This scenario is most commonly used.

The ip auth-proxy auth-proxy-banner command with the banner-text argument is enabled.

In this scenario, the administrator can supply multiline text that will be converted to HTML by the auth-proxy parser code. Thus, only the multiline text will displayed in the authentication proxy login page. You will not see the default banner, "Cisco Systems, <router's hostname> Authentication."


Note If the ip auth-proxy auth-proxy-banner command is not enabled, there will not be any banner configuration. Thus, nothing will be displayed to the user on authentication proxy login page except a text box to enter the username and a text box to enter the password.


Examples

The following example causes the router name to be displayed in the authentication proxy login page:

ip auth-proxy auth-proxy-banner ftp

The following example shows how to specify the custom banner "whozat" to be displayed in the authentication proxy login page:

ip auth-proxy auth-proxy-banner telnet CwhozatC

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.


ip auth-proxy name

To create an authentication proxy rule, use the ip auth-proxy name command in global configuration mode. To remove the authentication proxy rules, use the no form of this command.

ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-timer min] [absolute-timer min] [list {acl | acl-name}]

no ip auth-proxy name auth-proxy-name

Syntax Description

auth-proxy-name

Associates a name with an authentication proxy rule. Enter a name of up to 16 alphanumeric characters.

ftp

Specifies FTP to trigger the authentication proxy.

http

Specifies HTTP to trigger the authentication proxy.

telnet

Specifies Telnet to trigger the authentication proxy.

inactivity-timer min

(Optional) Overrides the global authentication proxy cache timer for a specific authentication proxy name, offering more control over timeout values. Enter a value in the range 1 to 2,147,483,647. The default value is equal to the value set with the ip auth-proxy command.

Note This option deprecates the auth-cache-time min option.

absolute-timer min

(Optional) Specifies a window in which the authentication proxy on the enabled interface is active. Enter a value in the range 1 to 65,535 minutes (45 and a half days). The default value is 0 minutes.

list {acl | acl-name}

(Optional) Specifies a standard (1-99), extended (1-199), or named IP access list to use with the authentication proxy. With this option, the authentication proxy is applied only to those hosts in the access list. If no list is specified, all connections initiating HTTP, FTP, or Telnet traffic arriving at the interface are subject to authentication.


Defaults

The default value is equal to the value set with the ip auth-proxy auth-cache-time command.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2

Support for named and extend access lists was introduced.

12.3(1)

The following keywords were introduced:

ftp

telnet

inactivity-timer min

absolute-timer min


Usage Guidelines

This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy. The rule is applied to an interface on a router using the ip auth-proxy command.

Use the inactivity-timer min option to override the global the authentication proxy cache timer. This option provides control over timeout values for specific authentication proxy rules. The authentication proxy cache timer monitors the length of time (in minutes) that an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity. When that period of inactivity (idle time) expires, the authentication entry and the associated dynamic access lists are deleted.

Use the list option to associate a set of specific IP addresses or a named ACL with the ip auth-proxy name command.

Use the no form of this command with a rule name to remove the authentication proxy rules. If no rule is specified, the no form of this command removes all the authentication rules on the router, and disables the proxy at all interfaces.


Note You must use the aaa authorization auth-proxy command together with the ip auth-proxy name command. Together these commands set up the authorization policy to be retrieved by the firewall. Refer to the aaa authorization auth-proxy command for more information.


Examples

The following example creates the HQ_users authentication proxy rule. Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.

ip auth-proxy name HQ_users http

The following example creates the Mfg_users authentication proxy rule and applies it to hosts specified in ACL 10:

access-list 10 192.168.7.0 0.0.0.255 
ip auth-proxy name Mfg_users http list 10

The following example sets the timeout value for Mfg_users to 30 minutes:

access-list 15 any 
ip auth-proxy name Mfg_users http inactivity-timer 30 list 15

The following example disables the Mfg_users rule:

no ip auth-proxy name Mfg_users

The following example disables the authentication proxy at all interfaces and removes all the rules from the router configuration:

no ip auth-proxy

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict network access to a user.

ip auth-proxy (global)

Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).

ip auth-proxy (interface)

Applies an authentication proxy rule at a firewall interface.

show ip auth-proxy configuration

Displays the authentication proxy entries or the running authentication proxy configuration.


ip http ezvpn

To enable the Cisco Easy VPN Remote web server interface, use the ip http ezvpn command in global configuration mode. To disable the Cisco Easy VPN Remote web interface, use the no form of this command.

ip http ezvpn

no ip http ezvpn

Syntax Description

This command has no arguments or keywords.

Defaults

The Cisco Easy VPN Remote web interface is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)YJ

This command was introduced for the Cisco uBR905 and Cisco uBR925 cable access routers.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.


Usage Guidelines

This command enables the Cisco Easy VPN Remote web server, an onboard web server, that allows you to connect to an IP Security (IPSec) Easy Virtual Private Network (VPN) tunnel and to provide the required authentication information. This connection allows you to perform these functions without having to use the Cisco command-line interface (CLI).

Before using this command, you must first enable the Cisco web server that is onboard the cable access router by entering the ip http server command. Then use the ip http ezvpn command to enable the Cisco Easy VPN Remote web server. You can then access the web server by entering the IP address for the Ethernet interface of the router in your web browser.


Note The Cisco Easy VPN Remote web interface does not work with the Cable Monitor web interface in Cisco IOS Release 12.2(8)YJ. To access the Cable Monitor web interface, you must first disable the Cisco Easy VPN Remote web interface with the no ip http ezvpn command, and then enable the Cable Monitor with the ip http cable-monitor command.


Examples

The following example shows how to enable the Cisco Easy VPN Remote web server interface:

Router# configure terminal 
Router(config)# ip http server 
Router(config)# ip http ezvpn 
Router(config)# exit 
Router# copy running-config startup-config 

Related Commands

Command
Description

ip http cable-monitor

Enables and disables the Cable Monitor web server feature.

ip http port

Configures the TCP port number for the HTTP web server of the router. The default is the well-known web server port of 80.

ip http server

Enables and disables the HTTP web server of the router.


ip inspect

To apply a set of inspection rules to an interface, use the ip inspect command in interface configuration mode. To remove the set of rules from the interface, use the no form of this command.

ip inspect inspection-name {in | out}

no ip inspect inspection-name {in | out}

Syntax Description

inspection-name

Identifies which set of inspection rules to apply.

in

Applies the inspection rules to inbound traffic.

out

Applies the inspection rules to outbound traffic.


Defaults

If no set of inspection rules is applied to an interface, no traffic will be inspected by CBAC.

Command Modes

Interface configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Use this command to apply a set of inspection rules to an interface.

Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternately, if the interface connects to the internal network, you apply the inspection rules to inbound traffic.

If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet.

If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet.

Examples

The following example applies a set of inspection rules named "outboundrules" to an external interface's outbound traffic. This causes inbound IP traffic to be permitted only if the traffic is part of an existing session, and to be denied if the traffic is not part of an existing session.

interface serial0
 ip inspect outboundrules out

Related Commands

Command
Description

ip inspect name

Defines a set of inspection rules.


ip inspect alert-off

To disable Context-based Access Control (CBAC) alert messages, which are displayed on the console, use the ip inspect alert-off command in global configuration mode. To enable CBAC alert messages, use the no form of this command.

ip inspect alert-off

no ip inspect alert-off

Syntax Description

This command has no arguments or keywords.

Defaults

Alert messages are displayed.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Examples

The following example disables CBAC alert messages:

ip inspect alert-off

ip inspect audit-trail

To turn on Context-based Access Control (CBAC) audit trail messages, which will be displayed on the console after each CBAC session closes, use the ip inspect audit-trail command in global configuration mode. To turn off CBAC audit trail message, use the no form of this command.

ip inspect audit-trail

no ip inspect audit-trail

Syntax Description

This command has no arguments or keywords.

Defaults

Audit trail messages are not displayed.

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

Use this command to turn on CBAC audit trail messages.

Examples

The following example turns on CBAC audit trail messages:

ip inspect audit-trail

Afterward, audit trail messages such as the following are displayed:

%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- 
responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator 192.168.1.13:33194) sent 336 bytes -- 
responder (192.168.129.11:21) sent 325 bytes

These messages are examples of audit trail messages. To determine which protocol was inspected, refer to the responder's port number. The port number follows the responder's IP address.

ip inspect dns-timeout

To specify the Domain Name System (DNS) idle timeout (the length of time during which a DNS name lookup session will still be managed while there is no activity), use the ip inspect dns-timeout command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command.

ip inspect dns-timeout seconds

no ip inspect dns-timeout

Syntax Description

seconds

Specifies the length of time in seconds, for which a DNS name lookup session will still be managed while there is no activity. The default is 5 seconds.


Defaults

5 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

When the software detects a valid User Datagram Protocol packet for a new DNS name lookup session, if Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session.

If the software detects no packets for the DNS session for a time period defined by the DNS idle timeout, the software will not continue to manage state information for the session.

The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC.

The DNS idle timeout value overrides the global UDP timeout. The DNS idle timeout value also enters aggressive mode and overrides any timeouts specified for specific interfaces when you define a set of inspection rules with the ip inspect name command.

Examples

The following example sets the DNS idle timeout to 30 seconds:

ip inspect dns-timeout 30

The following example sets the DNS idle timeout back to the default (5 seconds):

no ip inspect dns-timeout

ip inspect hashtable

To change the size of the session hash table, use the ip inspect hashtable command in global configuration mode. To restore the size of the session hash table to the default, use the no form of this command.

ip inspect hashtable number

no ip inspect hashtable number

Syntax Description

number

Size of the hash table in terms of buckets. Possible values for the hash table are 1024, 2048, 4096, and 8192; the default value is 1024.


Defaults

1024 buckets

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the ip inspect hashtable command to increase the size of the hash table when the number of concurrent sessions increases or to reduce the search time for the session. Collisions in a hash table result in poor hash function distribution because many entries are hashed into the same bucket for certain patterns of addresses. Even if a hash function distribution evenly dispenses the input across all of the buckets, a small hash table size will not scale well if there are a large number of sessions. As the number of sessions increase, the collisions increase, which increases the length of the linked lists, thereby, deteriorating the throughput performance.


Note You should increase the hash table size when the total number of sessions running through the context-based access control (CBAC) router is approximately twice the current hash size; decrease the hash table size when the total number of sessions is reduced to approximately half the current hash size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the size of the hash table.


Examples

The following example shows how to change the size of the session hash table to 2048 buckets:

ip inspect hashtable 2048

ip inspect max-incomplete high

To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

ip inspect max-incomplete high number

no ip inspect max-incomplete high

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions.


Defaults

500 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:

ip inspect max-incomplete high 900
ip inspect max-incomplete low 800

Related Commands

Command
Description

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.


ip inspect max-incomplete low

To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command.

ip inspect max-incomplete low number

no ip inspect max-incomplete low

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions.


Defaults

400 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:

ip inspect max-incomplete high 900
ip inspect max-incomplete low 800

Related Commands

Command
Description

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.


ip inspect name

To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this command.

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}]
[
timeout seconds]

no ip inspect name [inspection-name protocol]

HTTP Inspection Syntax

ip inspect name inspection-name http [java-list access-list] [urlfilter] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol

remote-procedure call (RPC) Inspection Syntax

ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol

Fragment Inspection Syntax

ip inspect name inspection-name fragment [max number timeout seconds]

no ip inspect name inspection-name fragment

Syntax Description

inspection-name

Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules.

Note The inspection-name cannot exceed 16 characters; otherwise, the name will be truncated to the 16-character limit.

protocol

A protocol keyword listed in Table 15 or Table 16.

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set be on or off. If no option is selected, alerts are generated on the basis of the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, audit trail can be set on or off. If no option is selected, an audit trail message are generated on the basis of the setting of the ip inspect audit-trail command.

http

Specifies the HTTP protocol for Java applet blocking.

urlfilter

(Optional) Associates URL filtering with HTTP inspection.

timeout seconds

(Optional) To override the global TCP or User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.

This timeout overrides the global TCP, UDP, or ICMP timeouts but will not override the global Domain Name System (DNS) timeout.

java-list access-list

(Optional) Specifies the numbered standard access list to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with numbered standard access lists.

rpc program-number number

Specifies the program number to permit. This keyword is available only for the remote-procedure call protocol.

wait-time minutes

(Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol.

fragment

Specifies fragment inspection for the named rule.

max number

(Optional) Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries.

Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

timeout seconds
(fragmentation)

(Optional) Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is one second.

If this number is set to a value greater that one second, it will be automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is less than 32, the timeout will be divided by 2. When the number of free states is less than 16, the timeout will be set to 1 second.


Defaults

No inspection rules are defined until you define them using this command.

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.0(5)T

Introduced configurable alert and audit trail, IP fragmentation checking, and NetShow protocol support.

12.2(11)YU

Support was added for ICMP and SIP protocols and the urlfilter keyword was added to the HTTP inspection syntax.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(1)

Skinny protocol support was added.


Usage Guidelines

To define a set of inspection rules, enter this command for each protocol that you want the Cisco IOS firewall to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which should not exceed the 16-character limit. Define either one or two sets of rules per interface—you can define one set to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for TCP, UDP, or ICMP as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name. (There are no application-layer protocols associated with ICMP.)

To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols.

In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.

TCP and UDP Inspection

You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number from the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.

With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source or destination addresses and source or destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.

ICMP Inspection

An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic access control lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wild-card address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.

Table 15 Protocol Keywords—Transport-Layer and Network-Layer Protocols 

Protocol
Keyword

ICMP

icmp

TCP

tcp

UDP

udp


Application-Layer Protocol Inspection

In general, if you configure inspection for an application-layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct access control list), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state.

Java, H.323, RPC, SIP, and SMTP inspection have additional information, described in the next five sections. Table 16 lists the supported application-layer protocols.

Table 16 Protocol Keywords—Application-Layer Protocols 

Protocol
Keyword

CU-SeeMe

cuseeme

FTP

ftp

Java

http

H.323

h323

Microsoft NetShow

netshow

RealAudio

realaudio

remote-procedure call (RPC)

rpc

Session Initiation Protocol (SIP)

sip

Simple Mail Transfer Protocol (SMTP)

smtp

Skinny Client Control Protocol (SCCP)

skinny

StreamWorks

streamworks

Structured Query Language*Net (SQL*Net)

sqlnet

TFTP

tftp

UNIX R commands (rlogin, rexec, rsh)

rcmd

VDOLive

vdolive


Java Inspection

Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except sites specifically designated as "hostile."


Note Before you configure Java inspection, you must configure a numbered standard access list that defines "friendly" and "hostile" external sites. You configure this numbered standard access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure a numbered standard access list, but use a "placeholder" access list in the ip inspect name inspection-name http command, all Java applets will be blocked.



Note Java blocking forces a strict order on TCP packets. To properly verify that Java applets are not in the response, a firewall will drop any TCP packet that is out of order. Because the network—not the firewall—determines how packets are routed, the firewall cannot control the order of the packets; the firewall can only drop and retransmit all TCP packets that are not in order.



Caution Context-Based Access Control (CBAC) does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port.

H.323 Inspection

If you want CBAC inspection to work with NetMeeting 2.0 traffic (an H.323 application-layer protocol), you must also configure inspection for TCP, as described in the chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide. This requirement exists because NetMeeting 2.0 uses an additional TCP channel not defined in the H.323 specification.

RPC Inspection

RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. If a program number is specified, all traffic for that program number will be permitted. If a program number is not specified, all traffic for that program number will be blocked. For example, if you created an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall.

SIP Inspection

You can configure SIP inspection to permit media sessions associated with SIP-signaled calls to traverse the firewall. Because SIP is frequently used to signal both incoming and outgoing calls, it is often necessary to configure SIP inspection in both directions on a firewall (both from the protected internal network and from the external network). Because inspection of traffic from the external network is not done with most protocols, it may be necessary to create an additional inspection rule to cause only SIP inspection to be performed on traffic coming from the external network.

SMTP Inspection

SMTP inspection causes SMTP commands to be inspected for illegal commands. Any packets with illegal commands are dropped, and the SMTP session will hang and eventually time out. An illegal command is any command except for the following legal commands:

DATA

EXPN

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SEND

SOML

VRFY

Use of the urlfilter Keyword

If you specify the urlfilter keyword, the Cisco IOS firewall will interact with a URL filtering software to control web traffic for a given host or user on the basis of a specified security policy.


Note Enabling HTTP inspection with or without any option triggers the Java applet scanner, which is CPU intensive. The only way to stop the Java applet scanner is to specify the java-list access-list option. Configuring URL filtering without enabling the java-list access-list option will severely impact performance.


Use of the timeout Keyword

If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface to which the set of inspection rules is applied.

If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.

If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.

The default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing ICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds after the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced one second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the timeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will be closed and the return packet will not be allowed in. Although the default timeout can be made longer if desired, it is recommended that this value be kept relatively short.

IP Fragmentation Inspection

CBAC inspection rules can help protect hosts against certain denial-of-service attacks involving fragmented IP packets. Even though the firewall keeps an attacker from making actual connections to a given host, the attacker may still be able to disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets.

Using fragmentation inspection, the firewall maintains an interfragment state (structure) for IP traffic. Non-initial fragments are discarded unless the corresponding initial fragment was permitted to pass through the firewall. Non-initial fragments received before the corresponding initial fragments are discarded.


Note Fragmentation inspection can have undesirable effects in certain cases, because it can result in the firewall discarding any packet whose fragments arrive out of order. There are many circumstances that can cause out-of-order delivery of legitimate fragments. Apply fragmentation inspection in situations where legitimate fragments, which are likely to arrive out of order, might have a severe performance impact.


Because routers running Cisco IOS software are used in a very large variety of networks, and because the CBAC feature is often used to isolate parts of internal networks from one another, the fragmentation inspection feature is not enabled by default. Fragmentation detection must be explicitly enabled for an inspection rule using the ip inspect name command. Unfragmented traffic is never discarded because it lacks a fragment state. Even when the system is under heavy attack with fragmented packets, legitimate fragmented traffic, if any, will still get some fraction of the firewall's fragment state resources, and legitimate, unfragmented traffic can flow through the firewall unimpeded.

Examples

The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For UDP traffic, audit-trail is on. For FTP traffic, the idle timeout is set to override the global TCP idle timeout. For RPC traffic, program numbers 100003, 100005, and 100021 are permitted.

ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021

The following example adds fragment checking to software inspection of TCP and UDP sessions for the rule named "myrules." In this example, the firewall software will allocate 100 state structures, and the timeout value for dropping unassembled packets is set to 4 seconds. If 100 initial fragments for 100 different packets are sent through the router, all of the state structures will be used up. The initial fragment for packet 101 will be dropped. Additionally, if the number of free state structures (structures available for use by unassembled packets) drops below the threshold values, 32 or 16, the timeout value is automatically reduced to 2 or 1, respectively. Changing the timeout value frees up packet state structures more quickly.

ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
ip inspect name myrules fragment max 100 timeout 4

The following firewall and SIP example shows how to allow outside-initiated calls and internal calls. For outside-initiated calls, an ACL needs to be punched to allow for the traffic from the initial signaling packet from outside. Subsequent signaling and media channels will be allowed by the inspection module.

ip inspect name voip sip 
interface FastEthernet0/0
 ip inspect voip in
!
!
interface FastEthernet0/1
 ip inspect voip in
 ip access-group 100 in
!
!
access-list 100 permit udp host <gw ip> any eq 5060
access-list 100 permit udp host <proxy ip> any eq 5060
access-list deny ip any any

The following example shows two configured inspections named "fw_only" and "fw_urlf"; URL filtering will work only on the traffic that is inspected by fw_urlf. Note that the java-list access-list option has been enabled, which disables java scanning.

ip inspect name fw_only http java-list 51 timeout 30
interface e0
 ip inspect fw_only in
!
ip inspect name fw_urlf  http urlfilter java-list 51 timeout 30
interface e1
 ip inspect fw_urlf in

Related Commands

Command
Description

ip inspect

Applies a set of inspection rules to an interface.

ip inspect alert-off

Disables CBAC alert messages.

ip inspect audit trail

Turns on CBAC audit trail messages, which will be displayed on the console after each CBAC session close.


ip inspect one-minute high

To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

ip inspect one-minute high number

no ip inspect one-minute high

Syntax Description

number

Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions.


Defaults

500 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.

When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.)

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:

ip inspect one-minute high 1000
ip inspect one-minute low 950

Related Commands

Command
Description

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.


ip inspect one-minute low

To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command.

ip inspect one-minute low number

no ip inspect one-minute low

Syntax Description

number

Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions.


Defaults

400 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.

When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially decayed rate.)

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:

ip inspect one-minute high 1000
ip inspect one-minute low 950

Related Commands

Command
Description

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.


ip inspect tcp finwait-time

To define how long a TCP session will still be managed after the firewall detects a FIN-exchange, use the ip inspect tcp finwait-time command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command.

ip inspect tcp finwait-time seconds

no ip inspect tcp finwait-time

Syntax Description

seconds

Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange. The default is 5 seconds.


Defaults

5 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.

Use this command to define how long TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close.

The global value specified for this timeout applies to all TCP sessions inspected by CBAC.

The timeout set with this command is referred to as the "finwait" timeout.


Note If the -n option is used with rsh, and the commands being executed do not produce output before the "finwait" timeout, the session will be dropped and no further output will be seen.


Examples

The following example changes the "finwait" timeout to 10 seconds:

ip inspect tcp finwait-time 10

The following example changes the "finwait" timeout back to the default (5 seconds):

no ip inspect tcp finwait-time

ip inspect tcp idle-time

To specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity), use the ip inspect tcp idle-time command in global configuration mode. To reset the timeout to the default of 3600 seconds (1 hour), use the no form of this command.

ip inspect tcp idle-time seconds

no ip inspect tcp idle-time

Syntax Description

seconds

Specifies the length of time, in seconds, for which a TCP session will still be managed while there is no activity. The default is 3600 seconds (1 hour).


Defaults

3600 seconds (1 hour)

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.

If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not continue to manage state information for the session.

The global value specified for this timeout applies to all TCP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the
ip inspect name (global configuration) command.


Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the TCP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.


Examples

The following example sets the global TCP idle timeout to 1800 seconds (30 minutes):

ip inspect tcp idle-time 1800

The following example sets the global TCP idle timeout back to the default of 3600 seconds (one hour):

no ip inspect tcp idle-time

ip inspect tcp max-incomplete host

To specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention, use the ip inspect tcp max-incomplete host command in global configuration mode. To reset the threshold and blocking time to the default values, use the no form of this command.

ip inspect tcp max-incomplete host number block-time minutes

no ip inspect tcp max-incomplete host

Syntax Description

number

Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250. The default is 50 half-open sessions.

block-time

Specifies blocking of connection initiation to a host.

minutes

Specifies how long the software will continue to delete new connection requests to the host. The default is 0 minutes.


Defaults

50 half-open sessions and 0 minutes

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

An unusually high number of half-open sessions with the same destination host address could indicate that a denial-of-service attack is being launched against the host. For TCP, "half-open" means that the session has not reached the established state.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (the max-incomplete host number), the software will delete half-open sessions according to one of the following methods:

If the block-time minutes timeout is 0 (the default):

The software will delete the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

If the block-time minutes timeout is greater than 0:

The software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

The software also sends syslog messages whenever the max-incomplete host number is exceeded and when blocking of connection initiations to a host starts or ends.

The global values specified for the threshold and blocking time apply to all TCP connections inspected by Context-based Access Control (CBAC).

Examples

The following example changes the max-incomplete host number to 40 half-open sessions, and changes the block-time timeout to 2 minutes:

ip inspect tcp max-incomplete host 40 block-time 20

The following example resets the defaults (50 half-open sessions and 0 minutes):

no ip inspect tcp max-incomplete host

Related Commands

Command
Description

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.


ip inspect tcp synwait-time

To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.

ip inspect tcp synwait-time seconds

no ip inspect tcp synwait-time

Syntax Description

seconds

Specifies how long, in seconds, the software will wait for a TCP session to reach the established state before dropping the session. The default is 30 seconds.


Defaults

30 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

Use this command to define how long Cisco IOS software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the session's first SYN bit is detected.

The global value specified for this timeout applies to all TCP sessions inspected by Context-based Access Control (CBAC).

Examples

The following example changes the "synwait" timeout to 20 seconds:

ip inspect tcp synwait-time 20

The following example changes the "synwait" timeout back to the default (30 seconds):

no ip inspect tcp synwait-time

ip inspect udp idle-time

To specify the User Datagram Protocol idle timeout (the length of time for which a UDP "session" will still be managed while there is no activity), use the ip inspect udp idle-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.

ip inspect udp idle-time seconds

no ip inspect udp idle-time

Syntax Description

seconds

Specifies the length of time a UDP "session" will still be managed while there is no activity. The default is 30 seconds.


Defaults

30 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.


Usage Guidelines

When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.

If the software detects no UDP packets for the UDP session for the a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the
ip inspect name command.


Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the UDP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.


Examples

The following example sets the global UDP idle timeout to 120 seconds (2 minutes):

ip inspect udp idle-time 120

The following example sets the global UDP idle timeout back to the default of 30 seconds:

no ip inspect udp idle-time

ip port-map

To establish port to application mapping (PAM), use the ip port-map command in global configuration mode. To delete user-defined PAM entries, use the no form of this command.

ip port-map appl-name port port-num [list acl-num]

no ip port-map appl-name port port-num [list acl-num]

Syntax Description

appl-name

Specifies the name of the application with which to apply the port mapping.

port

Indicates that a port number maps to the application.

port-num

Identifies a port number in the range 1 to 65535.

list

(Optional) Indicates that the port mapping information applies to a specific host or subnet.

acl-num

(Optional) Identifies the standard access control list (ACL) number used with PAM.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(1)

Skinny Client Control protocol (SCCP) support was added.


Usage Guidelines

The ip port-map command associates TCP or User Datagram Protocol (UDP) port numbers with applications or services, establishing a table of default port mapping information at the firewall. This information is used to support network environments that run services using ports that are different from the registered or well-known ports associated with a service or application.

The port mapping information in the PAM table is of one of three types:

System-defined

User-defined

Host-specific

System-Defined Port Mapping

Initially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system start-up. The Cisco IOS Firewall Context-Based Access Control feature requires the system-defined mapping information to function properly. System-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP).

Table 17 lists the default system-defined services and applications in the PAM table.

Table 17 System-Defined Port Mapping

Application Name
Well-Known or Registered Port Number
Protocol Description

cuseeme

7648

CU-SeeMe Protocol

exec

512

Remote Process Execution

ftp

21

File Transfer Protocol (control port)

h323

1720

H.323 Protocol (for example, MS NetMeeting, Intel Video Phone)

http

80

Hypertext Transfer Protocol

login

513

Remote login

msrpc

135

Microsoft Remote Procedure Call

netshow

1755

Microsoft NetShow

real-audio-video

7070

RealAudio and RealVideo

sccp

2000

Skinny Client Control Protocol (SCCP)

smtp

25

Simple Mail Transfer Protocol (SMTP)

sql-net

1521

SQL-NET

streamworks

1558

StreamWorks Protocol

sunrpc

111

SUN Remote Procedure Call

tftp

69

Trivial File Transfer Protocol

vdolive

7000

VDOLive Protocol



Note You can override the system-defined entries for a specific host or subnet using the list option in the ip port-map command.


User-Defined Port Mapping

Network applications that use non-standard ports require user-defined entries in the mapping table. Use the ip port-map command to create default user-defined entries in the PAM table.

To map a range of port numbers with a service or application, you must create a separate entry for each port number.


Note If you try to map an application to a system-defined port, a message appears warning you of a mapping conflict.


Use the no form of the ip port-map command to delete user-defined entries from the PAM table.

To overwrite an existing user-defined port mapping, use the ip port-map command to associate another service or application with the specific port.

Host-Specific Port Mapping

User-defined entries in the mapping table can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet, including a system-defined default port mapping information. Use the list option for the ip port-map command to specify an ACL for a host or subnet that uses PAM.


Note If the host-specific port mapping information is the same as existing system-defined or user-defined default entries, host-specific port changes have no effect.


Examples

The following example provides examples for adding and removing user-defined PAM configuration entries at the firewall.

In the following example, non-standard port 8000 is established as the user-defined default port for HTTP services:

ip port-map http port 8000

The following example shows PAM entries establish a range of nonstandard ports for HTTP services:

ip port-map http 8001
ip port-map http 8002
ip port-map http 8003
ip port-map http 8004

In the following example the command fails because it tries to map port 21, which is the system-defined default port for FTP, with HTTP:

ip port-map http port 21

In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services:

access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10

In the following example, port 21, which is normally reserved for FTP services, is mapped to the RealAudio application for the hosts in list 10. In this configuration, hosts in list 10 do not recognize FTP activity on port 21.

ip port-map realaudio port 21 list 10 

In the following example, the ip port-map command fails and generates an error message:

ip port-map netshow port 21
Command fail: the port 21 has already been defined for ftp by the system.
              No change can be made to the system defined port mappings.

The no form of this command deletes user-defined entries from the PAM table. It has no effect on the system-defined port mappings. This command deletes the host-specific port mapping of FTP.

no ip port-map ftp port 1022 list 10

In the following example, the command fails because it tries to delete the system-defined default port for HTTP:

no ip port-map http port 80

In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services.

access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10

In the following example, a specific subnet runs HTTP services on port 8080. ACL 50 identifies the subnet, while the PAM entry maps port 8080 with HTTP services.

access-list 50 permit 192.168.92.0
ip port-map http 8080 list 50

In the following example, a specific host runs HTTP services on port 25, which is the system-defined port number for SMTP services. This requires a host-specific PAM entry that overrides the system-defined default port mapping for HTTP, which is port 80. ACL 15 identifies the host address (192.168.33.43), while port 25 is mapped with HTTP services.

access-list 15 permit 192.168.33.43
ip port-map http port 25 list 15

In the following example, the same port number is required by different services running on different hosts. Port 8000 is required for HTTP services by host 192.168.3.4, while port 8000 is required for Telnet services by host 192.168.5.6. ACL 10 and ACL 20 identify the specific hosts, while PAM maps the ports with the services for each ACL.

access-list 10 permit 192.168.3.4
access-list 20 permit 192.168.5.6
ip port-map http port 8000 list 10
ip port-map http ftp 8000 list 20

Related Commands

Command
Description

show ip port-map

Displays the PAM information.


ip radius source-interface

To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command.

ip radius source-interface subinterface-name [vrf vrf-name]

no ip radius source-interface

Syntax Description

subinterface-name

Name of the interface that RADIUS uses for all of its outgoing packets.

vrf vrf-name

(Optional) Per Virtual Route Forwarding (VRF) configuration.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use this command to set the IP address of a subinterface to be used as the source address for all outgoing RADIUS packets. The IP address is used as long as the subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.

This command is especially useful in cases where the router has many subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.

The specified subinterface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the subinterface to the up state.

Use the vrf vrf-name keyword and argument to configure this command per VRF, which allows multiple disjoined routing or forwarding tables, where the routes of a user have no correlation with the routes of another user.

Examples

The following example shows how to configure RADIUS to use the IP address of subinterface s2 for all outgoing RADIUS packets:

ip radius source-interface s2

The following example shows how to configure RADIUS to use the IP address of subinterface Ethernet0 for VRF definition:

ip radius source-interface Ethernet 0 vrf water

Related Commands

Command
Description

ip tacacs source-interface

Uses the IP address of a specified interface for all outgoing TACACS packets.

ip telnet source-interface

Allows a user to select an address of an interface as the source address for Telnet connections.

ip tftp source-interface

Allows a user to select the interface whose address will be used as the source address for TFTP connections.


ip reflexive-list timeout

To specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected, use the ip reflexive-list timeout command in global configuration mode. To reset the timeout period to the default timeout, use the no form of this command.

ip reflexive-list timeout seconds

no ip reflexive-list timeout

Syntax Description

seconds

Specifies the number of seconds to wait (when no session traffic is being detected) before temporary access list entries expire. Use a positive integer from 0 to 2,147,483. The default is 300 seconds.


Defaults

300 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

This command is used with reflexive filtering, a form of session filtering.

This command specifies when a reflexive access list entry will be removed after a period of no traffic for the session (the timeout period).

With reflexive filtering, when an IP upper-layer session begins from within your network, a temporary entry is created within the reflexive access list, and a timer is set. Whenever a packet belonging to this session is forwarded (inbound or outbound) the timer is reset. When this timer counts down to zero without being reset, the temporary reflexive access list entry is removed.

The timer is set to the timeout period. Individual timeout periods can be defined for specific reflexive access lists, but for reflexive access lists that do not have individually defined timeout periods, the global timeout period is used. The global timeout value is 300 seconds by default; however, you can change the global timeout to a different value at any time using this command.

This command does not take effect for reflexive access list entries that were already created when the command is entered; this command only changes the timeout period for entries created after the command is entered.

Examples

The following example sets the global timeout period for reflexive access list entries to 120 seconds:

ip reflexive-list timeout 120

The following example returns the global timeout period to the default of 300 seconds:

no ip reflexive-list timeout

Related Commands

Command
Description

evaluate

Nests a reflexive access list within an access list.

ip access-list

Defines an IP access list by name.

permit (reflexive)

Creates a reflexive access list and enables its temporary entries to be automatically generated.


ip scp server enable

To enable secure copy (SCP) server-side functionality, use the ip scp server enable command in global configuration mode. To disable this functionality, use the no form of this command.

ip scp server enable

no ip scp server enable

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)S

This command was integrated into Cisco IOS Release 12.0(21)S and implemented on the following platforms: Cisco 7500 series and Cisco 12000 series.


Usage Guidelines

Use the ip scp server enable command to enable a Cisco router to support SCP server-side functionality, which allows an authenticated user to securely copy configuration and image files to or from a remote workstation.

Before a user can utilize the SCP server-side functionality, Secure Shell (SSH), authentication, and authorization must be properly configured so that a router can determine whether a user is at the correct privilege level.

Examples

The following example shows how to transfer a file from the router using SCP:

Router# copy flash:c3620-ik9s-mz.122-0.17.T scp://tiger@10.1.1.2/ 
Address or name of remote host [10.1.1.2]? 
Destination username [tiger]? 
Destination filename [c3620-ik9s-mz.122-0.17.T]? 
Writing c3620-ik9s-mz.122-0.17.T 
Password: 

Router#

Note When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.


Related Commands

Command
Description

aaa authentication login

Sets AAA authentication at login.

aaa authorization

Sets parameters that restrict user access to a network.

copy

Copies any file from a source to a destination.

username

Establishes a username-based authentication system.


ip security add

To add a basic security option to all outgoing packets, use the ip security add command in interface configuration mode. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.

ip security add

no ip security add

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If an outgoing packet does not have a security option present, this interface configuration command will add one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the router. Because this action is performed after all the security tests have been passed, this label will either be the same or will fall within the range of the interface.

Examples

The following example adds a basic security option to each packet leaving Ethernet interface 0:

interface ethernet 0
 ip security add

Related Commands

Command
Description

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security aeso

To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso command in interface configuration mode. To disable AESO on an interface, use the no form of this command.

ip security aeso source compartment-bits

no ip security aeso source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This can be an integer from 0 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.

Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.

Configuring any per-interface extended IP Security Option (IPSO) information automatically enables ip security extended-allowed (disabled by default).

Examples

The following example defines the Extended Security Option source as 5 and sets the compartments bits to 5:

interface ethernet 0
 ip security aeso 5 5 

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-max

Specifies the maximum sensitivity level for an interface.

ip security eso-min

Configures the minimum sensitivity level for an interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.


ip security dedicated

To set the level of classification and authority on the interface, use the ip security dedicated command in interface configuration mode. To reset the interface to the default classification and authorities, use the no form of this command.

ip security dedicated level authority [authority...]

no ip security dedicated level authority [authority...]

Syntax Description

level

Degree of sensitivity of information. The level keywords are listed in Table 18.

authority

Organization that defines the set of security levels that will be used in a network. The authority keywords are listed in Table 19.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface will have this label attached to it.

The following definitions apply to the descriptions of the IP Security Option (IPSO) in this section:

level—The degree of sensitivity of information. For example, data marked TOPSECRET is more sensitive than data marked SECRET. The level keywords and their corresponding bit patterns are shown in Table 18.

Table 18 IPSO Level Keywords and Bit Patterns 

Level Keyword
Bit Pattern

Reserved4

0000 0001

TopSecret

0011 1101

Secret

0101 1010

Confidential

1001 0110

Reserved3

0110 0110

Reserved2

1100 1100

Unclassified

1010 1011

Reserved1

1111 0001


authority—An organization that defines the set of security levels that will be used in a network. For example, the Genser authority consists of level names defined by the U.S. Defense Communications Agency (DCA). The authority keywords and their corresponding bit patterns are shown in Table 19.

Table 19 IPSO Authority Keywords and Bit Patterns 

Authority Keyword
Bit Pattern

Genser

1000 0000

Siop-Esi

0100 0000

DIA

0010 0000

NSA

0001 0000

DOE

0000 1000


label—A combination of a security level and an authority or authorities.

Examples

The following example sets a confidential level with Genser authority:

ip security dedicated confidential Genser

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security eso-info

To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info command in global configuration mode. To return to the default settings, use the no form of this command.

ip security eso-info source compartment-size default-bit

no ip security eso-info source compartment-size default-bit

Syntax Description

source

Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255.

compartment-size

Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16.

default-bit

Default bit value for any unsent compartment bits.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment information is padded to the size specified by the compartment-size argument.

Examples

The following example sets system-wide defaults for source, compartment size, and the default bit value:

ip security eso-info 100 5 1 

Related Commands

Command
Description

ip security eso-max

Specifies the maximum sensitivity level for an interface.

ip security eso-min

Configures the minimum sensitivity level for an interface.


ip security eso-max

To specify the maximum sensitivity level for an interface, use the ip security eso-max command in interface configuration mode. To return to the default, use the no form of this command.

ip security eso-max source compartment-bits

no ip security eso-max source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The command is used to specify the maximum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network-Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.

On every incoming packet on the interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.

On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.

When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.

A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.

Examples

In the following example, the specified ESO source is 240 and the compartment bits are specified as 500:

interface ethernet 0
 ip security eso-max 240 500

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-min

Configures the minimum sensitivity level for an interface.


ip security eso-min

To configure the minimum sensitivity for an interface, use the ip security eso-min command in interface configuration mode. To return to the default, use the no form of this command.

ip security eso-min source compartment-bits

no ip security eso-min source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.

On every incoming packet on this interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.

On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.

When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.

A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.

Examples

In the following example, the specified ESO source is 5, and the compartment bits are specified as 5:

interface ethernet 0
 ip security eso-min 5 5

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-max

Specifies the maximum sensitivity level for an interface.


ip security extended-allowed

To accept packets on an interface that has an extended security option present, use the ip security extended-allowed command in interface configuration mode. To restore the default, use the no form of this command.

ip security extended-allowed

no ip security extended-allowed

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Packets containing extended security options are rejected.

Examples

The following example allows interface Ethernet 0 to accept packets that have an extended security option present:

interface ethernet 0
 ip security extended-allowed

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security first

To prioritize the presence of security options on a packet, use the ip security first command in interface configuration mode. To prevent packets that include security options from moving to the front of the options field, use the no form of this command.

ip security first

no ip security first

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If a basic security option is present on an outgoing packet, but it is not the first IP option, then the packet is moved to the front of the options field when this interface configuration command is used.

Examples

The following example ensures that, if a basic security option is present in the options field of a packet exiting interface Ethernet 0, the packet is moved to the front of the options field:

interface ethernet 0
 ip security first

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security ignore-authorities

To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities command in interface configuration mode. To disable this function, use the no form of this command.

ip security ignore-authorities

no ip security ignore-authorities

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

When the packet's authority field is ignored, the value used in place of this field is the authority value declared for the specified interface. The ip security ignore-authorities can be configured only on interfaces that have dedicated security levels.

Examples

The following example causes interface Ethernet 0 to ignore the authorities field on all incoming packets:

interface ethernet 0
 ip security ignore-authorities

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security ignore-cipso

To enable Cisco IOS software to ignore the Commercial IP Security Option (CIPSO) field of all incoming packets at the interface, use the ip security ignore-cipso command in interface configuration mode. To disable this function, use the no form of this command.

ip security ignore-cipso

no ip security ignore-cipso

Syntax Description

This command has no arguments or keywords.

Command Default

Cisco IOS software cannot ignore the CIPSO field.

Command Modes

Interface configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

The ip security ignore-cipso command allows a router running Cisco IOS software to ignore the CIPSO field in the IP packet and forward the packet as if the field was not present.

Examples

The following example shows how to enable Cisco IOS software to ignore the CIPSO field for all incoming packets at the Ethernet interface:

interface ethernet 0
 ip security ignore-cipso

The following sample output from the show ip interface command can be used to verify that the ip security ignore-cipso option has been enabled. If this option is enabled, the output will display the text "Commercial security options are ignored."

Router# show ip interface ethernet 0

Ethernet0 is up, line protocol is up
Internet address is 172.16.0.0/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Secondary address 172.19.56.31/24
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Commercial security options are ignored
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP multicast fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Policy routing is disabled
Network address translation is disabled 

The following sample outputs from the show ip traffic command can be used to verify that the ip security ignore-cipso command has been enabled:

Sample Output Before the ip security ignore-cipso Command Was Introduced

Router# show ip traffic

IP statistics:
Rcvd: 153 total, 129 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 34 bad options, 44 with options
Opts: 10 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 108 received, 1 sent
Mcast: 0 received, 4 sent
Sent: 30 generated, 0 forwarded
2 encapsulation failed, 0 no route 

Sample Output with the ip security ignore-cipso Command Enabled

Router# show ip traffic

IP statistics:
Rcvd: 153 total, 129 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 34 bad options, 44 with options
Opts: 10 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 44 cipso
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 108 received, 1 sent
Mcast: 0 received, 4 sent
Sent: 30 generated, 0 forwarded
2 encapsulation failed, 0 no route

Related Commands

Command
Description

show ip interfaces

Displays the usability status of interfaces configured for IP.

show ip traffic

Displays statistics about IP traffic.


ip security implicit-labelling

To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling command in interface configuration mode. To require security options, use the no form of this command.

ip security implicit-labelling [level authority [authority...]]

no ip security implicit-labelling [level authority [authority...]]

Syntax Description

level

(Optional) Degree of sensitivity of information. If your interface has multilevel security set, you must specify this argument. (See the level keywords listed in Table 18 in the ip security dedicated command section.)

authority

(Optional) Organization that defines the set of security levels that will be used in a network. If your interface has multilevel security set, you must specify this argument. You can specify more than one. (See the authority keywords listed in Table 19 in the ip security dedicated command section.)


Defaults

Enabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If your interface has multilevel security set, you must use the expanded form of the command (with the optional arguments as noted in brackets) because the arguments are used to specify the precise level and authority to use when labeling the packet. If your interface has dedicated security set, the additional arguments are ignored.

Examples

In the following example, an interface is set for security and will accept unlabeled packets:

ip security dedicated confidential genser
ip security implicit-labelling

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security multilevel

To set the range of classifications and authorities on an interface, use the ip security multilevel command in interface configuration mode. To remove security classifications and authorities, use the no form of this command.

ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]

no ip security multilevel

Syntax Description

level1

Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur. (See the level keywords found in Table 18 in the ip security dedicated command section.)

authority1

(Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value. (See the authority keywords listed in Table 19 in the ip security dedicated command section.)

to

Separates the range of classifications and authorities.

level2

Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur. (See the level keywords found in Table 18 in the ip security dedicated command section.)

authority2

Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value. (See the authority keywords listed in Table 19 in the ip security dedicated command section.)


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

All traffic entering or leaving the system must have a security option that falls within this range. Being within range requires that the following two conditions be met:

The classification level must be greater than or equal to level1 and less than or equal to level2.

The authority bits must be a superset of authority1 and a proper subset of authority2. That is, authority1 specifies those authority bits that are required on a packet, and authority2 specifies the required bits plus any optional authorities that also can be included. If the authority1 field is the empty set, then a packet is required to specify any one or more of the authority bits in authority2.

Examples

The following example specifies levels Unclassified to Secret and NSA authority:

ip security multilevel unclassified to secret nsa

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security reserved-allowed

To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed command in interface configuration mode. To disallow packets that have security levels of Reserved3 and Reserved2, use the no form of this command.

ip security reserved-allowed

no ip security reserved-allowed

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

When you set multilevel security on an interface, and indicate, for example, that the highest range allowed is Confidential, and the lowest is Unclassified, the Cisco IOS software neither allows nor operates on packets that have security levels of Reserved3 and Reserved2 because they are undefined.

If you use the IP Security Option (IPSO) to block transmission out of unclassified interfaces, and you use one of the Reserved security levels, you must enable this feature to preserve network security.

Examples

The following example allows a security level of Reserved through Ethernet interface 0:

interface ethernet 0
 ip security reserved-allowed

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security strip

To remove any basic security option on outgoing packets on an interface, use the ip security strip command in interface configuration mode. To restore security options, use the no form of this command.

ip security strip

no ip security strip

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The removal procedure is performed after all security tests in the router have been passed. This command is not allowed for multilevel interfaces.

Examples

The following example removes any basic security options on outgoing packets on Ethernet interface 0:

interface ethernet 0
 ip security strip

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.


ip ssh

To configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global configuration mode. To restore the default value, use the no form of this command.

ip ssh {[timeout seconds] | [authentication-retries integer]}

no ip ssh timeout seconds authentication-retries integer

Syntax Description

timeout

(Optional) The time interval that the router waits for the SSH client to respond.

This setting applies to the SSH negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), therefore 5 terminal sessions are possible. After the SSH executes a shell, the vty timeout starts. The vty timeout defaults to 10 minutes.

seconds

(Optional) The number of seconds until timeout disconnects, with a maximum of 120 seconds. The default is 120 seconds.

authentication-
retries

(Optional) The number of attempts after which the interface is reset.

integer

(Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.


Defaults

120 seconds for the timeout timer

3 authentication-retries

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1(1) T.


Usage Guidelines

Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa command.

Examples

The following examples configure SSH control parameters on your router:

ip ssh timeout 120
ip ssh authentication-retries 3

ip ssh port

To enable secure access to tty (asynchronous) lines, use the ip ssh port command in global configuration mode. To disable this functionality, use the no form of this command.

ip ssh port por-tnum rotary group

no ip ssh port por-tnum rotary group

Syntax Description

port-num

Specifies the port, such as 2001, to which Secure Shell (SSH) needs to connect.

rotary group

Specifies the defined rotary that should search for a valid name.


Defaults

This command is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)T

This command was introduced.


Usage Guidelines

The ip ssh port command supports a functionality that replaces reverse Telnet with SSH. Use this command to securely access the devices attached to the serial ports of a router and to perform the following tasks:

Connect to a router with multiple terminal lines that are connected to consoles of other devices.

Allow network available modems to be securely accessed for dial-out.

Examples

The following example shows how to configure the SSH Terminal-Line Access feature on a modem that is used for dial-out on lines 1 through 200:

line 1 200
 no exec
 login authentication default
 rotary 1
 transport input ssh

ip ssh port 2000 rotary 1

The following example shows how to configure the SSH Terminal-Line Access feature to access the console ports of various devices that are attached to the serial ports of the router. For this type of access, each line is put into its own rotary, and each rotary is used for a single port. In this example, lines 1 through 3 are used, and the port (line) mappings of the configuration are as follows: Port 2001 = Line 1, Port 2002 = Line 2, and Port 2003 = Line 3.

line 1
 no exec
 login authentication default
 rotary 1
 transport input ssh
line 2
 no exec
 login authentication default
 rotary 2
 transport input ssh
line 3
 no exec
 login authentication default
 rotary 3
 transport input ssh

ip ssh port 2001 rotary 1 3

From any UNIX or UNIX-like device, the following command is typically used to form an SSH session:
ssh -c 3des -p 2002 router.example.com

This command will initiate an SSH session using the 3DES cipher to the device known as "router.example.com," which uses port 2002. This device will connect to the device on Line 2, which was associated with port 2002. Similarly, many Windows SSH packages have related methods of selecting the cipher and the port for this access.

Related Commands

Command
Description

ip ssh

Configures SSH control variables on your router.

line

Identifies a specific line for configuration and begins the command in line configuration mode.

rotary

Defines a group of lines consisting of one or more lines.

ssh

Starts an encrypted session with a remote networking device.

transport input

Defines which protocols to use to connect to a specific line of the router.


ip ssh source-interface

To specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip ssh source-interface command in global configuration mode. To remove the IP address as the source address, use the no form of this command.

ip ssh source-interface interface

no ip ssh source-interface interface

Syntax Description

interface

The interface whose address is used as the source address for the SSH client.


Defaults

The address of the closest interface to the destination is used as the source address (the closest interface is the output interface through which the SSH packet is sent).

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

By specifying this command, you can force the SSH client to use the IP address of the source interface as the source address.

Examples

In the following example, the IP address assigned to Ethernet interface 0 will be used as the source address for the SSH client:

ip ssh source-interface ethernet0

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command.

ip tacacs source-interface subinterface-name

no ip tacacs source-interface

Syntax Description

subinterface-name

Name of the interface that TACACS+ uses for all of its outgoing packets.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Use this command to set a subinterface's IP address for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Examples

The following example makes TACACS+ use the IP address of subinterface s2 for all outgoing TACACS+ packets:

ip tacacs source-interface s2

Related Commands

Command
Description

ip radius source-interface

Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.

ip telnet source-interface

Allows a user to select an address of an interface as the source address for Telnet connections.

ip tftp source-interface

Allows a user to select the interface whose address will be used as the source address for TFTP connections.


ip tcp intercept connection-timeout

To change how long a TCP connection will be managed by the TCP intercept after no activity, use the ip tcp intercept connection-timeout command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept connection-timeout seconds

no ip tcp intercept connection-timeout [seconds]

Syntax Description

seconds

Time (in seconds) that the software will still manage the connection after no activity. The minimum value is 1 second. The default is 86,400 seconds (24 hours).


Defaults

86,400 seconds (24 hours)

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

Use the ip tcp intercept connection-timeout command to change how long a TCP connection will be managed by the TCP intercept after a period of inactivity.

Examples

The following example sets the software to manage the connection for 12 hours (43,200 seconds) after no activity:

ip tcp intercept connection-timeout 43200

ip tcp intercept drop-mode

To set the TCP intercept drop mode, use the ip tcp intercept drop-mode command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept drop-mode [oldest | random]

no ip tcp intercept drop-mode [oldest | random]

Syntax Description

oldest

(Optional) Software drops the oldest partial connection. This is the default.

random

(Optional) Software drops a randomly selected partial connection.


Defaults

oldest

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

If the number of incomplete connections exceeds 1100 or the number of connections arriving in the last 1 minute exceeds 1100, the TCP intercept feature becomes more aggressive. When this happens, each new arriving connection causes the oldest partial connection to be deleted, and the initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection will be cut in half).

Note that the 1100 thresholds can be configured with the ip tcp intercept max-incomplete high and
ip tcp intercept one-minute high commands.

Use the ip tcp intercept drop-mode command to change the dropping strategy from oldest to a random drop.

Examples

The following example sets the drop mode to random:

ip tcp intercept drop-mode random

Related Commands

Command
Description

ip tcp intercept max-incomplete high

Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.

ip tcp intercept max-incomplete low

Defines the number of incomplete connections below which the software leaves aggressive mode.

ip tcp intercept one-minute high

Defines the number of connection requests received in the last one-minutes sample period before the software enters aggressive mode.

ip tcp intercept one-minute low

Defines the number of connection requests below which the software leaves aggressive mode.


ip tcp intercept finrst-timeout

To change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection, use the ip tcp intercept finrst-timeout command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept finrst-timeout seconds

no ip tcp intercept finrst-timeout [seconds]

Syntax Description

seconds

Time (in seconds) after receiving a reset or FIN-exchange that the software ceases to manage the connection. The minimum value is 1 second. The default is 5 seconds.


Defaults

5 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

Even after the two ends of the connection are joined, the software intercepts packets being sent back and forth. Use this command if you need to adjust how soon after receiving a reset or FIN-exchange the software stops intercepting packets.

Examples

The following example sets the software to wait for 10 seconds before it leaves intercept mode:

ip tcp intercept finrst-timeout 10

ip tcp intercept list

To enable TCP intercept, use the ip tcp intercept list command in global configuration mode. To disable TCP intercept, use the no form of this command.

ip tcp intercept list access-list-number

no ip tcp intercept list access-list-number

Syntax Description

access-list-number

Extended access list number in the range from 100 to 199.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

The TCP intercept feature intercepts TCP connection attempts and shields servers from TCP SYN-flood attacks, also known as denial-of-service attacks.

TCP packets matching the access list are presented to the TCP intercept code for processing, as determined by the ip tcp intercept mode command. The TCP intercept code either intercepts or watches the connections.

To have all TCP connection attempts submitted to the TCP intercept code, have the access list match everything.

Examples

The following example configuration defines access list 101, causing the software to intercept packets for all TCP servers on the 192.168.1.0/24 subnet:

ip tcp intercept list 101
!
access-list 101 permit tcp any 192.168.1.0 0.0.0.255

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

ip tcp intercept mode

Changes the TCP intercept mode.

show tcp intercept connections

Displays TCP incomplete and established connections.

show tcp intercept statistics

Displays TCP intercept statistics.


ip tcp intercept max-incomplete high

To define the maximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp intercept max-incomplete high command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept max-incomplete high number

no ip tcp intercept max-incomplete high [number]

Syntax Description

number

Defines the number of incomplete connections allowed, above which the software enters aggressive mode. The range is from 1 to 2147483647. The default is 1100.


Defaults

1100 incomplete connections

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

If the number of incomplete connections exceeds the number configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:

Each new arriving connection causes the oldest partial connection to be deleted.

The initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection is cut in half).

The watch-timeout is cut in half (from 30 seconds to 15 seconds).

You can change the drop strategy from the oldest connection to a random connection with the
ip tcp intercept drop-mode
command.


Note The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.


The software will back off from its aggressive mode when the number of incomplete connections falls below the number specified by the ip tcp intercept max-incomplete low command.

Examples

The following example allows 1500 incomplete connections before the software enters aggressive mode:

ip tcp intercept max-incomplete high 1500

Related Commands

Command
Description

ip tcp intercept drop-mode

Sets the TCP intercept drop mode.

ip tcp intercept max-incomplete low

Defines the number of incomplete connections below which the software leaves aggressive mode.

ip tcp intercept one-minute high

Defines the number of connection requests received in the last one-minutes sample period before the software enters aggressive mode.

ip tcp intercept one-minute low

Defines the number of connection requests below which the software leaves aggressive mode.


ip tcp intercept max-incomplete low

To define the number of incomplete connections below which the software leaves aggressive mode, use the ip tcp intercept max-incomplete low command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept max-incomplete low number

no ip tcp intercept max-incomplete low [number]

Syntax Description

number

Defines the number of incomplete connections below which the software leaves aggressive mode. The range is 1 to 2147483647. The default is 900.


Defaults

900 incomplete connections

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.


Note The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.


See the ip tcp intercept max-incomplete high command for a description of aggressive mode.

Examples

The following example sets the software to leave aggressive mode when the number of incomplete connections falls below 1000:

ip tcp intercept max-incomplete low 1000

Related Commands

Command
Description

ip tcp intercept drop-mode

Sets the TCP intercept drop mode.

ip tcp intercept max-incomplete high

Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.

ip tcp intercept one-minute high

Defines the number of connection requests received in the last one-minutes sample period before the software enters aggressive mode.

ip tcp intercept one-minute low

Defines the number of connection requests below which the software leaves aggressive mode.


ip tcp intercept mode

To change the TCP intercept mode, use the ip tcp intercept mode command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept mode {intercept | watch}

no ip tcp intercept mode [intercept | watch]

Syntax Description

intercept

Active mode in which the TCP intercept software intercepts TCP packets from clients to servers that match the configured access list and performs intercept duties. This is the default.

watch

Monitoring mode in which the software allows connection attempts to pass through the router and watches them until they are established.


Defaults

intercept

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

When TCP intercept is enabled, it operates in intercept mode by default. In intercept mode, the software actively intercepts TCP SYN packets from clients to servers that match the specified access list. For each SYN, the software responds on behalf of the server with an ACK and SYN, and waits for an ACK of the SYN from the client. When that ACK is received, the original SYN is sent to the server, and the code then performs a three-way handshake with the server. Then the two half-connections are joined.

In watch mode, the software allows connection attempts to pass through the router, but watches them until they become established. If they fail to become established in 30 seconds (or the value set by the ip tcp intercept watch-timeout command), a Reset is sent to the server to clear its state.

Examples

The following example sets the mode to watch mode:

ip tcp intercept mode watch

Related Commands

Command
Description

ip tcp intercept watch-timeout

Defines how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server.


ip tcp intercept one-minute high

To define the number of connection requests received in the last one-minutes sample period before the software enters aggressive mode, use the ip tcp intercept one-minute high command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept one-minute high number

no ip tcp intercept one-minute high [number]

Syntax Description

number

Specifies the number of connection requests that can be received in the last one-minute sample period before the software enters aggressive mode. The range is 1 to 2147483647. The default is 1100.


Defaults

1100 connection requests

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

If the number of connection requests exceeds the number value configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:

Each new arriving connection causes the oldest partial connection to be deleted.

The initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection is cut in half).

The watch-timeout is cut in half (from 30 seconds to 15 seconds).

You can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept drop-mode command.


Note The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.


Examples

The following example allows 1400 connection requests before the software enters aggressive mode:

ip tcp intercept one-minute high 1400

Related Commands

Command
Description

ip tcp intercept drop-mode

Sets the TCP intercept drop mode.

ip tcp intercept max-incomplete high

Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.

ip tcp intercept max-incomplete low

Defines the number of incomplete connections below which the software leaves aggressive mode.

ip tcp intercept one-minute low

Defines the number of connection requests below which the software leaves aggressive mode.


ip tcp intercept one-minute low

To define the number of connection requests below which the software leaves aggressive mode, use the ip tcp intercept one-minute low command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept one-minute low number

no ip tcp intercept one-minute low [number]

Syntax Description

number

Defines the number of connection requests in the last one-minute sample period below which the software leaves aggressive mode. The range is from 1 to 2147483647. The default is 900.


Defaults

900 connection requests

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.


Note The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.


See the ip tcp intercept one-minute high command for a description of aggressive mode.

Examples

The following example sets the software to leave aggressive mode when the number of connection requests falls below 1000:

ip tcp intercept one-minute low 1000

Related Commands

Command
Description

ip tcp intercept drop-mode

Sets the TCP intercept drop mode.

ip tcp intercept max-incomplete high

Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.

ip tcp intercept max-incomplete low

Defines the number of incomplete connections below which the software leaves aggressive mode.

ip tcp intercept one-minute high

Defines the number of connection requests received in the last one-minutes sample period before the software enters aggressive mode.


ip tcp intercept watch-timeout

To define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server, use the ip tcp intercept watch-timeout command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept watch-timeout seconds

no ip tcp intercept watch-timeout [seconds]

Syntax Description

seconds

Time (in seconds) that the software waits for a watched connection to reach established state before sending a Reset to the server. The minimum value is 1 second. The default is 30 seconds.


Defaults

30 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

Use this command if you have set the TCP intercept to passive watch mode and you want to change the default time the connection is watched. During aggressive mode, the watch timeout time is cut in half.

Examples

The following example sets the software to wait 60 seconds for a watched connection to reach established state before sending a Reset to the server:

ip tcp intercept watch-timeout 60

Related Commands

Command
Description

ip tcp intercept mode

Changes the TCP intercept mode.