This chapter describes the function and displays the syntax for Context-Based Access Control (CBAC) commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.
To specify the DNS idle timeout (the length of time a DNS name lookup session will still be managed after no activity), use the ip inspect dns-timeout global configuration command. Use the no form of this command to reset the timeout to the default of 5 seconds.
ip inspect dns-timeout seconds
| Argument | Description |
| --- | --- |
| seconds | Specifies the length of time a DNS name lookup session will still be managed after no activity. |
To apply a set of inspection rules to an interface, use the ip inspect interface configuration command. Use the no form of this command to remove the set of rules from the interface.
ip inspect inspection-name {in | out}
| Keyword or argument | Description |
| --- | --- |
| inspection-name | Identifies which set of inspection rules to apply. |
| in | Applies the inspection rules to inbound traffic. |
| out | Applies the inspection rules to outbound traffic. |
To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high global configuration command. Use the no form of this command to reset the threshold to the default of 500 half-open sessions.
ip inspect max-incomplete high number
| Argument | Description |
| --- | --- |
| number | Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions. |
To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low global configuration command. Use the no form of this command to reset the threshold to the default of 400 half-open sessions.
ip inspect max-incomplete low number
| Argument | Description |
| --- | --- |
| number | Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. |
To define a set of inspection rules, use the ip inspect name global configuration command. Use the no form of this command to remove the inspection rule for a protocol or to remove the entire set of inspection rules.
ip inspect name inspection-name protocol [timeout seconds]
ip inspect name inspection-name http [java-list access-list] [timeout seconds]
ip inspect name inspection-name rpc program-number number [wait-time minutes] [timeout seconds]
| Keyword or argument | Description |
| --- | --- |
| inspection-name | Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules. |
| protocol | A protocol keyword. |
| timeout seconds | (Optional) To override the global TCP or UDP idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout. This timeout overrides the global TCP and UDP timeouts but will not override the global DNS timeout. |
| java-list access-list | (Optional) Specifies the access list (name or number) to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with standard access lists. |
| rpc program-number number | Specifies the program number to permit. This keyword is available only for the RPC protocol. |
| wait-time minutes | (Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol. |
To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high global configuration command. Use the no form of this command to reset the threshold to the default of 500 half-open sessions.
ip inspect one-minute high number
| Argument | Description |
| --- | --- |
| number | Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions. |
To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low global configuration command. Use the no form of this command to reset the threshold to the default of 400 half-open sessions.
ip inspect one-minute low number
| Argument | Description |
| --- | --- |
| number | Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. |
To define how long a TCP session will still be managed after the firewall detects a FIN-exchange, use the ip inspect tcp finwait-time global configuration command. Use the no form of this command to reset the timeout to the default of 5 seconds.
ip inspect tcp finwait-time seconds
| Argument | Description |
| --- | --- |
| seconds | Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange. |
To specify the TCP idle timeout (the length of time a TCP session will still be managed after no activity), use the ip inspect tcp idle-time global configuration command. Use the no form of this command to reset the timeout to the default of 3600 seconds (1 hour).
ip inspect tcp idle-time seconds
| Argument | Description |
| --- | --- |
| seconds | Specifies the length of time a TCP session will still be managed after no activity. |
To specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention, use the ip inspect tcp max-incomplete host global configuration command. Use the no form of this command to reset the threshold and blocking time to the default values.
ip inspect tcp max-incomplete host number block-time seconds
| Argument | Description |
| --- | --- |
| number | Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250. |
| seconds | Specifies how long the software will continue to delete new connection requests to the host. |
To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time global configuration command. Use the no form of this command to reset the timeout to the default of 30 seconds.
ip inspect tcp synwait-time seconds
| Argument | Description |
| --- | --- |
| seconds | Specifies how long the software will wait for a TCP session to reach the established state before dropping the session. |
To specify the UDP idle timeout (the length of time a UDP "session" will still be managed after no activity), use the ip inspect udp idle-time global configuration command. Use the no form of this command to reset the timeout to the default of 30 seconds.
ip inspect udp idle-time seconds
| Argument | Description |
| --- | --- |
| seconds | Specifies the length of time a UDP "session" will still be managed after no activity. |
To turn off Context-based Access Control (CBAC) completely at a firewall, use the no ip inspect global configuration command.
no ip inspect
To view CBAC configuration and session information, use the show ip inspect privileged EXEC command.
show ip inspect {name inspection-name | config | interfaces | session [detail] | all}
| Keyword or argument | Description |
| --- | --- |
| name inspection-name | Shows the configured inspection rule with the name inspection-name. |
| config | Shows the complete CBAC inspection configuration. |
| interfaces | Shows interface configuration with respect to applied inspection rules and access lists. |
| session [detail] | Shows existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword causes additional details about these sessions to be shown. |
| all | Shows all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC. |
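The following configuration is an added example and is not part of the Cisco reference above; it shows how the commands in this chapter fit together on one router. The inspection-rule name FW-OUT, the access-list numbers 10 and 101, the interface Serial0, the addresses and the RPC program number are constructed values chosen for illustration.

```cisco
! Added example (not from the Cisco reference): a constructed CBAC configuration.
! FW-OUT, access lists 10 and 101, Serial0, the addresses and program number
! 100003 are assumptions chosen for illustration.
!
! Standard access list naming the "friendly" sites for Java applet blocking.
! java-list accepts standard access lists only.
access-list 10 permit 192.0.2.0 0.0.0.255
!
! Extended access list applied inbound on the outside interface. It denies
! unsolicited traffic; CBAC opens temporary return paths only for sessions
! that were inspected on their way out.
access-list 101 deny ip any any
!
! Inspection rule set. A per-protocol timeout overrides the global TCP or UDP
! idle timer for that protocol only; it does not override the DNS timeout.
ip inspect name FW-OUT tcp timeout 3600
ip inspect name FW-OUT udp timeout 30
ip inspect name FW-OUT ftp
ip inspect name FW-OUT http java-list 10
! wait-time 0 leaves no lingering hole after the inspected RPC connection.
ip inspect name FW-OUT rpc program-number 100003 wait-time 0
!
! Global idle and state timers (values shown equal the chapter's defaults).
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
!
! Aggregate half-open thresholds: deletion of half-open sessions starts at the
! high mark and stops at the low mark, so low must be set below high.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Per-destination-host threshold (number must be 1 to 250) and the time, in
! seconds, for which new connection requests to that host keep being deleted.
ip inspect tcp max-incomplete host 50 block-time 0
!
interface Serial0
 description Outside link (constructed example)
 ip address 198.51.100.1 255.255.255.252
 ip access-group 101 in
 ip inspect FW-OUT out
!
! Verification from privileged EXEC:
!   show ip inspect config
!   show ip inspect interfaces
!   show ip inspect session detail
```

The design point is the pairing on the outside interface: the inspection rule set is applied in the outbound direction, so only sessions initiated from the protected network create openings, while the inbound access list denies everything that CBAC has not explicitly opened. Check the thresholds as a pair as well: if max-incomplete low or one-minute low is configured above its high counterpart, the software has no point at which to stop deleting half-open sessions.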
Posted: Mon Feb 8 13:40:35 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.