This chapter describes Context-based Access Control (CBAC) commands. CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information and can be used for intranets, extranets and internets. Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network).
Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring CBAC.
For configuration information, refer to the chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide.
ip inspect alert-off
To disable Context-based Access Control (CBAC) alert messages, which are displayed on the console, use the ip inspect alert-off command in global configuration mode. To enable alert messages, use the no form of this command.
ip inspect alert-off
no ip inspect alert-off
Syntax Description
This command has no arguments or keywords.
Defaults
Alert messages are displayed.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.0(5)T | This command was introduced. |
Usage Guidelines
Use the ip inspect alert-off command to disable alert messages.
Examples
The following example turns off CBAC alert messages:
ip inspect alert-off
The following example turns them back on (the default):
no ip inspect alert-off
ip inspect audit-trail
To turn on CBAC audit trail messages, which are displayed on the console after each CBAC session closes, use the ip inspect audit-trail command in global configuration mode. To turn off audit trail messages, use the no form of this command.
ip inspect audit-trail
no ip inspect audit-trail
Syntax Description
This command has no arguments or keywords.
Defaults
Audit trail messages are not displayed.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
Use this command to turn on CBAC audit trail messages.
Examples
The following example turns on CBAC audit trail messages:
ip inspect audit-trail
Afterward, audit trail messages such as the following are displayed:
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator (192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes
These messages are examples of audit trail messages. To determine which protocol was inspected, refer to the responder's port number, which follows the responder's IP address (port 25 is SMTP and port 21 is the FTP control channel in the messages above).
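The following Python parser is an added example from the editor, not part of the Cisco documentation or software. It turns audit trail lines of the format shown above into records, labels each session by the responder port as the text describes, sums bytes per inspected service, and lists sessions the responder never answered. The lines in SAMPLE_LOG are constructed for the example, and the port-to-service table is an assumption used only for labelling.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the %FW-6-SESS_AUDIT_TRAIL format shown above
# (made up for this example; not captured from a real device).
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator (192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes
%FW-6-SESS_AUDIT_TRAIL: udp session initiator (192.168.1.13:4021) sent 60 bytes -- responder (192.168.129.11:53) sent 140 bytes
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.77:40001) sent 40 bytes -- responder (192.168.129.11:25) sent 0 bytes
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\S+) session initiator "
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<sent>\d+) bytes -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<recv>\d+) bytes"
)

# Responder ports for services this chapter inspects; an assumed mapping used only for labelling.
SERVICE_BY_PORT = {21: "ftp", 25: "smtp", 53: "dns", 69: "tftp", 80: "http", 111: "rpc", 1521: "sqlnet"}


@dataclass
class AuditRecord:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    sent: int   # bytes sent by the initiator
    recv: int   # bytes sent by the responder

    @property
    def service(self) -> str:
        # The page's rule: the responder's port, which follows the responder address, identifies what was inspected.
        return SERVICE_BY_PORT.get(self.dport, f"port-{self.dport}")


def parse_audit_trail(text: str) -> list:
    """Parse every well-formed audit trail line; lines that do not match the format are ignored."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            records.append(AuditRecord(m["proto"], m["src"], int(m["sport"]), m["dst"],
                                       int(m["dport"]), int(m["sent"]), int(m["recv"])))
    return records


def bytes_by_service(records) -> dict:
    """Total (initiator, responder) bytes per inspected service: a cheap per-protocol volume baseline."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r.service][0] += r.sent
        totals[r.service][1] += r.recv
    return {k: tuple(v) for k, v in totals.items()}


def silent_responders(records) -> list:
    """Sessions where the responder sent nothing back. A session opened from inside that is never
    answered is worth a look: it can be a probe from a compromised host or a service that is down."""
    return [(r.src, r.dst, r.dport) for r in records if r.recv == 0]
```

Feed the function the syslog file the firewall exports to rather than the console: the messages are emitted at session close, so a long-lived session appears only once, after it ends.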
ip inspect dns-timeout
To specify the Domain Name System (DNS) idle timeout, the length of time for which a DNS name lookup session will still be managed after no activity, use the ip inspect dns-timeout command in global configuration mode. To reset the timeout to the default, use the no form of this command.
ip inspect dns-timeout seconds
no ip inspect dns-timeout
Syntax Description
seconds Specifies the length of time a DNS name lookup session will still be managed after no activity.
Defaults
5 seconds.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
When the software detects a valid UDP packet for a new DNS name lookup session, if Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session.
If the software detects no packets for the DNS session for a time period defined by the DNS idle timeout, the software will not continue to manage state information for the session.
The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC.
The DNS idle timeout value overrides the global UDP timeout. The DNS idle timeout value also enters aggressive mode and overrides any timeouts specified for specific interfaces when you define a set of inspection rules with the ip inspect name command.
Examples
The following example sets the DNS idle timeout to 30 seconds:
ip inspect dns-timeout 30
The following example sets the DNS idle timeout back to the default (5 seconds):
no ip inspect dns-timeout
To apply a set of inspection rules to an interface, use the ip inspect command in interface configuration mode. Use the no form of this command to remove the set of rules from the interface.
ip inspect inspection-name {in | out}
Syntax Description
| Keyword or Argument | Description |
|---|---|
| inspection-name | Identifies which set of inspection rules to apply. |
| in | Applies the inspection rules to inbound traffic. |
| out | Applies the inspection rules to outbound traffic. |
Defaults
If no set of inspection rules is applied to an interface, no traffic will be inspected by CBAC.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 11.2 | This command was introduced. |
Usage Guidelines
Use this command to apply a set of inspection rules to an interface.
Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternately, if the interface connects to the internal network, you apply the inspection rules to inbound traffic.
If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet.
If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet.
Examples
The following example applies the set of inspection rules named outboundrules to traffic leaving the router on interface serial0, the usual placement when serial0 connects to the external network:
interface serial0
ip inspect outboundrules out
Related Commands
| Command | Description |
|---|---|
| ip inspect name | Defines a set of inspection rules. |
ip inspect max-incomplete high
To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. To reset the threshold to the default, use the no form of this command.
ip inspect max-incomplete high number
no ip inspect max-incomplete high
Syntax Description
number Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions.
Defaults
500 half-open sessions.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).
The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
Examples
The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:
ip inspect max-incomplete high 900
ip inspect max-incomplete low 800
Related Commands
| Command | Description |
|---|---|
| ip inspect max-incomplete low | Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. |
| ip inspect one-minute high | Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions. |
| ip inspect one-minute low | Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. |
| ip inspect tcp max-incomplete host | Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention. |
ip inspect max-incomplete low
To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. To reset the threshold to the default, use the no form of this command.
ip inspect max-incomplete low number
no ip inspect max-incomplete low
Syntax Description
number Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.
Defaults
400 half-open sessions.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).
The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
Examples
The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:
ip inspect max-incomplete high 900
ip inspect max-incomplete low 800
Related Commands
| Command | Description |
|---|---|
| ip inspect max-incomplete high | Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions. |
| ip inspect one-minute high | Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions. |
| ip inspect one-minute low | Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. |
| ip inspect tcp max-incomplete host | Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention. |
ip inspect name
To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol, or to remove the entire set of inspection rules, use the no form of this command.
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
no ip inspect name inspection-name protocol
HTTP Inspection Syntax
ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds] (Java protocol only)
no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)
RPC Inspection Syntax
ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds] (RPC protocol only)
no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)
Fragment Inspection Syntax
ip inspect name inspection-name fragment [max number timeout seconds]
no ip inspect name inspection-name fragment (removes fragment inspection for a rule)
Syntax Description
| Keyword or Argument | Description |
|---|---|
| inspection-name | Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules. |
| protocol | A protocol keyword listed in Table 15. |
| alert {on \| off} | (Optional) For each inspected protocol, the generation of alert messages can be set to on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command. |
| audit-trail {on \| off} | (Optional) For each inspected protocol, the audit trail can be set to on or off. If no option is selected, audit trail messages are generated based on the setting of the ip inspect audit-trail command. |
| http | (Optional) Specifies the HTTP protocol for Java applet blocking. |
| timeout seconds | (Optional) To override the global TCP or UDP idle timeout for the specified protocol, specify the number of seconds for a different idle timeout. This timeout overrides the global TCP and UDP timeouts but does not override the global DNS timeout. |
| java-list access-list | (Optional) Specifies the access list (name or number) to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with standard access lists. |
| rpc program-number number | Specifies the program number to permit. This keyword is available only for the RPC protocol. |
| wait-time minutes | (Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol. |
| fragment | Specifies fragment inspection for the named rule. |
| max number | Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries. Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted. |
| timeout seconds (fragmentation) | Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is one second. If this number is set to a value greater than one second, it will be automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is less than 32, the timeout will be divided by 2; when the number of free states is less than 16, the timeout will be set to 1 second. |
Table 15 Protocol Keywords
| Protocol | protocol Keyword |
|---|---|
| Transport-Layer Protocols | |
| TCP | tcp |
| UDP | udp |
| Application-Layer Protocols | |
| CU-SeeMe | cuseeme |
| FTP | ftp |
| Java | http |
| H.323 | h323 |
| Microsoft NetShow | netshow |
| UNIX R commands (rlogin, rexec, rsh) | rcmd |
| RealAudio | realaudio |
| RPC | rpc |
| SMTP | smtp |
| SQL*Net | sqlnet |
| StreamWorks | streamworks |
| TFTP | tftp |
| VDOLive | vdolive |
Defaults
No inspection rules are defined until you define them using this command.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2P | This command was introduced. |
| 12.0(5)T | Introduced configurable alert and audit trail, IP fragmentation checking, and NetShow protocol support. |
Usage Guidelines
To define a set of inspection rules, enter this command for each protocol that you want Context-based Access Control (CBAC) to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name. Define either one or two sets of rules per interface: you can define one set to examine both inbound and outbound traffic, or you can define two sets, one for outbound traffic and one for inbound traffic.
To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for TCP or UDP as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name.
In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.
TCP and UDP Inspection
Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.
With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source/destination addresses and source/destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.
Application-Layer Protocol Inspection
Java, H.323, RPC, SMTP, and SQL*Net inspection have additional information, described in the following sections.
Java Inspection
Note Before you configure Java inspection, you must configure a standard access list that defines "friendly" and "hostile" external sites. You configure this access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure an access list, but use a "placeholder" access list in the ip inspect name (global) inspection-name http command, all Java applets will be blocked.
H.323 Inspection
RPC Inspection
SMTP Inspection
Use of the timeout Keyword
If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.
If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.
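As an added example from the editor (not Cisco code), the following Python model shows what the session-matching and timeout rules above amount to: a return packet is permitted only when its reversed 5-tuple matches live state, and the idle timer comes from the rule's timeout keyword if one is set for the protocol, otherwise from the global TCP or UDP idle timeout, with DNS lookups always keeping the DNS timeout. The APP_BY_PORT mapping from responder port to protocol keyword is an assumption of the example, as is the refresh of the idle timer on every matching packet.

```python
from dataclasses import dataclass

# Global defaults from this chapter (seconds).
TCP_IDLE = 3600   # ip inspect tcp idle-time
UDP_IDLE = 30     # ip inspect udp idle-time
DNS_IDLE = 5      # ip inspect dns-timeout

# Assumed responder-port to protocol-keyword mapping, used to find a per-protocol timeout keyword.
APP_BY_PORT = {("tcp", 21): "ftp", ("tcp", 25): "smtp", ("tcp", 80): "http", ("udp", 69): "tftp"}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class InspectStateTable:
    """Session table keyed by the exact 5-tuple seen on the inspected (initiating) side."""

    def __init__(self, rule_timeouts=None):
        # rule_timeouts mirrors 'ip inspect name <rule> <protocol> timeout <seconds>', e.g. {"ftp": 120}
        self.rule_timeouts = dict(rule_timeouts or {})
        self.sessions = {}   # 5-tuple -> expiry time (seconds)

    def idle_timeout(self, pkt: Packet) -> int:
        # DNS lookups always use the DNS timeout; a protocol timeout keyword never overrides it.
        if pkt.proto == "udp" and pkt.dport == 53:
            return DNS_IDLE
        app = APP_BY_PORT.get((pkt.proto, pkt.dport))
        if app in self.rule_timeouts:        # per-protocol override from the inspection rule
            return self.rule_timeouts[app]
        return TCP_IDLE if pkt.proto == "tcp" else UDP_IDLE

    def initiate(self, pkt: Packet, now: float) -> None:
        """Packet leaving in the inspected direction: create or refresh session state."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.sessions[key] = now + self.idle_timeout(pkt)

    def allow_return(self, pkt: Packet, now: float) -> bool:
        """Return packet: permitted only if the reversed 5-tuple matches state that has not idled out."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.sessions.get(key)
        if expiry is None:
            return False
        if now > expiry:                     # idle too long: the session is no longer managed
            del self.sessions[key]
            return False
        # A matching packet is activity: restart the idle timer (assumed behaviour).
        original = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.sessions[key] = now + self.idle_timeout(original)
        return True
```

Note what the model makes explicit: a reply from the right host but the wrong port is blocked outright, and a DNS session that the rule's timeout keyword would otherwise stretch still expires after the DNS timeout.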
IP Fragmentation Inspection
CBAC inspection rules can help protect hosts against certain denial-of-service attacks involving fragmented IP packets. Even though the firewall keeps an attacker from making actual connections to a given host, the attacker may still be able to disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets.
Note Fragmentation inspection can have undesirable effects in certain cases, because it can result in the firewall discarding any packet whose fragments arrive out of order. There are many circumstances that can cause out-of-order delivery of legitimate fragments. Apply fragmentation inspection in situations where legitimate fragments, which are likely to arrive out of order, might have a severe performance impact.
Because routers running Cisco IOS software are used in a very large variety of networks, and because the CBAC feature is often used to isolate parts of internal networks from one another, the fragmentation inspection feature is not enabled by default. Fragmentation detection must be explicitly enabled for an inspection rule using the ip inspect name (global) command. Unfragmented traffic is never discarded because it lacks a fragment state. Even when the system is under heavy attack with fragmented packets, legitimate fragmented traffic, if any, will still get some fraction of the firewall's fragment state resources, and legitimate, unfragmented traffic can flow through the firewall unimpeded.
Examples
The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For UDP traffic, the audit trail is on. For FTP traffic, the idle timeout is set to 120 seconds, overriding the global TCP idle timeout. For RPC traffic, program numbers 100003 (nfs), 100005 (mountd), and 100021 (nlockmgr) are permitted.
ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
The following example adds fragment checking to software inspection of TCP and UDP sessions for the rule named myrules. In this example, the firewall software will allocate 100 state structures, and the timeout value for dropping unassembled packets is set to 4 seconds. If fragments for 100 different packets are sent through the router, all of the state structures will be used up, and the first fragment seen for packet 101 will be dropped. Additionally, if the number of free state structures (structures available for use by unassembled packets) drops below the threshold values, 32 or 16, the timeout value is automatically reduced to 2 or 1 seconds, respectively. Reducing the timeout value frees up packet state structures more quickly.
ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
ip inspect name myrules fragment max 100 timeout 4
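To make the fragment-state arithmetic in the example concrete, the following Python model is an added example from the editor, not Cisco code. It allocates one state structure per fragmented datagram, keyed by source, destination and IP identification (the keying is an assumption), refuses new datagrams once the configured maximum is reached, and shrinks the timeout exactly as the table describes when free structures fall below 32 and 16.

```python
class FragmentStateTable:
    """Model of the per-rule fragment state configured with 'fragment max <n> timeout <s>'."""

    def __init__(self, max_states=256, timeout=1):
        if not 50 <= max_states <= 10000:
            raise ValueError("max must be between 50 and 10000")
        self.max_states = max_states
        self.timeout = timeout          # configured value; the effective value may be lower
        self.states = {}                # (src, dst, ip_id) -> expiry time (seconds)

    def free(self) -> int:
        return self.max_states - len(self.states)

    def effective_timeout(self, free: int):
        """Timeout applied to a newly allocated structure, given how many are still free."""
        if self.timeout <= 1 or free >= 32:
            return self.timeout
        if free < 16:
            return 1
        return self.timeout / 2

    def expire(self, now: float) -> None:
        """Drop structures whose timeout has passed, freeing them for other packets."""
        for key in [k for k, exp in self.states.items() if now >= exp]:
            del self.states[key]

    def fragment(self, key, now: float) -> bool:
        """A fragment of datagram 'key' arrives. Returns True if it is accepted, False if dropped."""
        self.expire(now)
        if key in self.states:          # datagram already tracked: fragment passes
            return True
        if self.free() == 0:            # table exhausted: the datagram cannot be tracked
            return False
        self.states[key] = now + self.effective_timeout(self.free())
        return True


def fill_and_probe(max_states=100, timeout=4, probe_time=1.5):
    """Fill the table at t=0 with distinct datagrams, then see whether a new one fits at probe_time."""
    table = FragmentStateTable(max_states, timeout)
    src, dst = "198.51.100.7", "192.0.2.20"        # constructed addresses
    for ip_id in range(1, max_states + 1):
        table.fragment((src, dst, ip_id), 0)
    rejected_when_full = not table.fragment((src, dst, max_states + 1), 0)
    accepted_later = table.fragment((src, dst, max_states + 1), probe_time)
    return rejected_when_full, accepted_later, len(table.states)
```

With the example's settings (max 100, timeout 4), the last 15 structures allocated while fewer than 16 were free carry a 1-second timeout, so by t=1.5 they have already been reclaimed and a new datagram is accepted even though nothing with the full 4-second timeout has expired. That is the mechanism the note above is warning about: under a flood, legitimate fragments that arrive more than a second apart lose their state.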
Related Commands
| Command | Description |
|---|---|
| ip inspect (interface) | Applies a set of inspection rules to an interface. |
| ip inspect audit-trail | Turns on CBAC audit trail messages, which will be displayed on the console after each CBAC session close. |
| ip inspect alert-off | Disables CBAC alert messages. |
ip inspect one-minute high
To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high command in global configuration mode. To reset the threshold to the default, use the no form of this command.
ip inspect one-minute high number
no ip inspect one-minute high
Syntax Description
number Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions.
Defaults
500 new half-open sessions per minute.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.
When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.)
The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
Examples
The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last one-minute period, and to stop deleting half-open sessions when fewer than 950 attempts have been detected in the last one-minute period:
ip inspect one-minute high 1000
ip inspect one-minute low 950
Related Commands
| Command | Description |
|---|---|
| ip inspect one-minute low | Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. |
| ip inspect max-incomplete high | Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions. |
| ip inspect max-incomplete low | Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. |
| ip inspect tcp max-incomplete host | Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention. |
ip inspect one-minute low
To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low command in global configuration mode. To reset the threshold to the default, use the no form of this command.
ip inspect one-minute low number
no ip inspect one-minute low
Syntax Description
number Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.
Defaults
400 new half-open sessions per minute.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.
When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.)
The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
Examples
The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last one-minute period, and to stop deleting half-open sessions when fewer than 950 attempts have been detected in the last one-minute period:
ip inspect one-minute high 1000
ip inspect one-minute low 950
Related Commands
| Command | Description |
|---|---|
| ip inspect one-minute high | Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions. |
| ip inspect max-incomplete high | Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions. |
| ip inspect max-incomplete low | Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. |
| ip inspect tcp max-incomplete host | Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention. |
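The two max-incomplete commands and the two one-minute commands above describe a single hysteresis control: shedding of half-open sessions starts when either the absolute count or the one-minute rate crosses its high threshold, and stops only once the measure is back below the matching low threshold. The following Python simulation of that control is an added example from the editor, not Cisco code. The decay weight of 0.5 per minute for the exponentially decayed rate is an assumption; the page says only that the rate decays exponentially and that it is sampled once a minute.

```python
class HalfOpenGuard:
    """Decides, once per minute, whether CBAC should be shedding half-open sessions."""

    def __init__(self, max_high=500, max_low=400, rate_high=500, rate_low=400, decay=0.5):
        self.max_high, self.max_low = max_high, max_low        # ip inspect max-incomplete high/low
        self.rate_high, self.rate_low = rate_high, rate_low    # ip inspect one-minute high/low
        self.decay = decay          # assumed weight kept from the previous minute's rate
        self.rate = 0.0             # exponentially decayed attempts-per-minute
        self.deleting = False
        self.trigger = None         # "count" or "rate" while shedding, else None

    def sample(self, half_open_count: int, new_attempts_last_minute: int) -> bool:
        """One measurement period. Returns True while the firewall is deleting half-open sessions."""
        # Exponentially decayed rate: part of last minute's value survives, the rest is the new sample.
        self.rate = self.decay * self.rate + (1 - self.decay) * new_attempts_last_minute
        if not self.deleting:
            if half_open_count > self.max_high:
                self.deleting, self.trigger = True, "count"
            elif self.rate > self.rate_high:
                self.deleting, self.trigger = True, "rate"
        else:
            # Hysteresis: keep shedding until both measures are back under their low-water marks,
            # so a count hovering around the high threshold does not flap in and out of shedding.
            if half_open_count < self.max_low and self.rate < self.rate_low:
                self.deleting, self.trigger = False, None
        return self.deleting


def run_minutes(samples, **thresholds) -> list:
    """samples: one (half_open_count, new_attempts_last_minute) pair per minute; returns the shedding state per minute."""
    guard = HalfOpenGuard(**thresholds)
    return [guard.sample(count, attempts) for count, attempts in samples]
```

The gap between high and low is what keeps the firewall from oscillating: in the trace below a count of 450 after a burst keeps shedding on, even though 450 is below the high threshold of 500, until the count falls under 400.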
ip inspect tcp finwait-time
To define how long a TCP session will still be managed after the firewall detects a FIN-exchange, use the ip inspect tcp finwait-time command in global configuration mode. To reset the timeout to the default, use the no form of this command.
ip inspect tcp finwait-time seconds
no ip inspect tcp finwait-time
Syntax Description
seconds Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange.
Defaults
5 seconds.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
When the software detects a valid TCP packet that is the first in a session, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.
Use this command to define how long TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close.
The global value specified for this timeout applies to all TCP sessions inspected by CBAC.
The timeout set with this command is referred to as the "finwait" timeout.
Note If the -n option is used with rsh, and the commands being executed do not produce output before the "finwait" timeout, the session will be dropped and no further output will be seen.
Examples
The following example changes the "finwait" timeout to 10 seconds:
ip inspect tcp finwait-time 10
The following example changes the "finwait" timeout back to the default (5 seconds):
no ip inspect tcp finwait-time
ip inspect tcp idle-time
To specify the TCP idle timeout, the length of time a TCP session will still be managed after no activity, use the ip inspect tcp idle-time command in global configuration mode. To reset the timeout to the default, use the no form of this command.
ip inspect tcp idle-time seconds
no ip inspect tcp idle-time
Syntax Description
seconds Specifies the length of time a TCP session will still be managed after no activity.
Defaults
3600 seconds (1 hour).
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
When the software detects a valid TCP packet that is the first in a session, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.
If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not continue to manage state information for the session.
The global value specified for this timeout applies to all TCP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.
Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the TCP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.
Examples
The following example sets the global TCP idle timeout to 1800 seconds (30 minutes):
ip inspect tcp idle-time 1800
The following example sets the global TCP idle timeout back to the default of 3600 seconds (one hour):
no ip inspect tcp idle-time
ip inspect tcp max-incomplete host
To specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention, use the ip inspect tcp max-incomplete host command in global configuration mode. To reset the threshold and blocking time to the defaults, use the no form of this command.
ip inspect tcp max-incomplete host number block-time minutes
no ip inspect tcp max-incomplete host
Syntax Description
| Keyword or Argument | Description |
|---|---|
| number | Specifies how many half-open TCP sessions with the same host destination address can exist at a time before the software starts deleting half-open sessions to the host. Use a number from 1 to 250. |
| block-time | Specifies blocking of connection initiation to a host. |
| minutes | Specifies how long the software will continue to delete new connection requests to the host. |
Defaults
50 half-open sessions and 0 minutes.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
An unusually high number of half-open sessions with the same destination host address could indicate that a denial-of-service attack is being launched against the host. For TCP, "half-open" means that the session has not reached the established state.
Whenever the number of half-open sessions with the same destination host address rises above a threshold (the max-incomplete host number), the software will delete half-open sessions according to one of the following methods:
If the block-time minutes timeout is 0 (the default), the software deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
If the block-time minutes timeout is greater than 0, the software deletes all existing half-open sessions for the host and then blocks all new connection requests to the host. The software continues to block all new connection requests until the block-time expires.
The software also sends syslog messages whenever the max-incomplete host number is exceeded, and when blocking of connection initiations to a host starts or ends.
The global values specified for the threshold and blocking time apply to all TCP connections inspected by CBAC.
Examples
The following example changes the max-incomplete host number to 40 half-open sessions and the block-time to 120 minutes:
ip inspect tcp max-incomplete host 40 block-time 120
The following example resets the defaults (50 half-open sessions and 0 minutes):
no ip inspect tcp max-incomplete host
Related Commands
| Command | Description |
|---|---|
| ip inspect max-incomplete high | Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions. |
| ip inspect max-incomplete low | Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. |
| ip inspect one-minute high | Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions. |
| ip inspect one-minute low | Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. |
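The per-host protection above behaves quite differently depending on block-time, and the difference matters when choosing a value: with block-time 0 an attacker can keep the host's half-open slots churning but never lock legitimate clients out, whereas with a positive block-time a SYN flood of only number sessions makes the firewall itself refuse every new connection to that host for the configured minutes. The following Python model of both behaviours is an added example from the editor, not Cisco code; the wording of the recorded events is illustrative, not the device's syslog text.

```python
class HostHalfOpenGuard:
    """Per-destination-host half-open TCP limit, with the two behaviours the page describes."""

    def __init__(self, threshold=50, block_time_minutes=0):
        if not 1 <= threshold <= 250:
            raise ValueError("threshold must be between 1 and 250")
        self.threshold = threshold
        self.block_seconds = block_time_minutes * 60
        self.half_open = {}       # host -> {session_key: time of first SYN}
        self.blocked_until = {}   # host -> time at which blocking ends
        self.events = []          # what the device would report (illustrative wording)

    def syn(self, host: str, key, now: float) -> str:
        """A new connection request toward host. Returns 'allowed', 'evicted' or 'blocked'."""
        until = self.blocked_until.get(host)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[host]
            self.events.append(f"blocking of new connections to {host} ended")
        pending = self.half_open.setdefault(host, {})
        if len(pending) < self.threshold:
            pending[key] = now
            return "allowed"
        self.events.append(f"half-open sessions to {host} exceeded {self.threshold}")
        if self.block_seconds == 0:
            # block-time 0: drop the oldest half-open session so the host never exceeds the threshold
            oldest = min(pending, key=pending.get)
            del pending[oldest]
            pending[key] = now
            return "evicted"
        # block-time > 0: clear every half-open session to the host and refuse new requests for a while
        pending.clear()
        self.blocked_until[host] = now + self.block_seconds
        self.events.append(f"blocking new connections to {host} for {self.block_seconds}s")
        return "blocked"

    def established(self, host: str, key) -> None:
        """Three-way handshake completed: the session is no longer half-open."""
        self.half_open.get(host, {}).pop(key, None)

    def count(self, host: str) -> int:
        return len(self.half_open.get(host, {}))
```

A practical check before enabling a positive block-time: confirm that the threshold is above the number of simultaneous connection attempts a busy legitimate client burst can produce toward the host, since crossing it once blocks everyone.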
ip inspect tcp synwait-time
To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time command in global configuration mode. To reset the timeout to the default, use the no form of this command.
ip inspect tcp synwait-time seconds
no ip inspect tcp synwait-time
Syntax Description
seconds Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
Defaults
30 seconds.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
Use this command to define how long the software will wait for a TCP session to reach the established state before dropping the session. The synwait timer starts when the session's first SYN is detected; the session reaches the established state once the three-way handshake completes. A session that never completes the handshake is a half-open session, and this timeout bounds how long it holds state.
The global value specified for this timeout applies to all TCP sessions inspected by Context-based Access Control (CBAC).
Examples
The following example changes the "synwait" timeout to 20 seconds:
ip inspect tcp synwait-time 20
The following example changes the "synwait" timeout back to the default (30 seconds):
no ip inspect tcp synwait-time
ip inspect udp idle-time
To specify the UDP idle timeout, the length of time a UDP "session" will still be managed after no activity, use the ip inspect udp idle-time command in global configuration mode. To reset the timeout to the default, use the no form of this command.
ip inspect udp idle-time seconds
no ip inspect udp idle-time
Syntax Description
seconds Specifies the length of time a UDP "session" will still be managed after no activity.
Defaults
30 seconds.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 P | This command was introduced. |
Usage Guidelines
When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, similar source/destination addresses) and if the packet was detected soon after another similar UDP packet.
If the software detects no UDP packets for the UDP session for a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.
The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.
Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the UDP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.
Examples
The following example sets the global UDP idle timeout to 120 seconds (2 minutes):
ip inspect udp idle-time 120
The following example sets the global UDP idle timeout back to the default of 30 seconds:
no ip inspect udp idle-time
ip inspect (global configuration)
To turn off CBAC completely at a firewall, use the no ip inspect command in global configuration mode.
no ip inspect
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.2 P This command was introduced.
Release
Modification
Usage Guidelines
Turn off CBAC with the no ip inspect global configuration command.
Note The no ip inspect command removes all CBAC configuration entries and resets all CBAC global timeouts and thresholds to the defaults. All existing sessions are deleted and their associated access lists are removed.
Examples
The following example turns off CBAC at a firewall:
no ip inspect
Syntax Description
name inspection-name    Shows the configured inspection rule with the name inspection-name.
config    Shows the complete CBAC inspection configuration.
interfaces    Shows interface configuration with respect to applied inspection rules and access lists.
session [detail]    Shows existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword causes additional details about these sessions to be shown.
all    Shows all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.
Command Modes
Privileged EXEC
Command History
11.2 P This command was introduced.
Release
Modification
Usage Guidelines
Use this command to view the CBAC configuration and session information.
Examples
The following is sample output for the show ip inspect name myinspectionrule command:
Inspection Rule Configuration
Inspection name myinspectionrule
tcp timeout 3600
udp timeout 30
ftp timeout 3600
The output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol.
The following is sample output for the show ip inspect config command:
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name myinspectionrule
tcp timeout 3600
udp timeout 30
ftp timeout 3600
The output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.
The following is sample output for the show ip inspect interfaces command:
Interface Configuration
Interface Ethernet0
Inbound inspection rule is myinspectionrule
tcp timeout 3600
udp timeout 30
ftp timeout 3600
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
The following is sample output for the show ip inspect sessions command:
Established Sessions
 Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
 Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN
The output shows, for each session, the initiator and responder addresses and port numbers (separated by colons), the protocol (ftp for the FTP control connection, ftp-data for the data connection that CBAC opened for it) and the session state.
The following is sample output for the show ip inspect sessions detail command:
Established Sessions
 Session 25A335C (40.0.0.1:20)=>(30.0.0.1:46069) ftp-data SIS_OPEN
  Created 00:00:07, Last heard 00:00:00
  Bytes sent (initiator:responder) [0:3416064]
  acl created 1
   Inbound access-list 111 applied to interface Ethernet1
 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
  Created 00:01:34, Last heard 00:00:07
  Bytes sent (initiator:responder) [196:616]
  acl created 1
   Inbound access-list 111 applied to interface Ethernet1
The output includes times, number of bytes sent, and which access list is applied.
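A parser for the show ip inspect sessions detail output above, added here as an example (not part of the Cisco documentation and not Cisco code). It turns each session block into a record with the initiator/responder endpoints, protocol, state, Created and Last heard ages, byte counts and the access-list openings CBAC created, then runs two checks over the records: sessions whose Last heard age already exceeds a given idle limit, and ftp-data sessions with no FTP control session between the same two hosts (a data-channel opening with no control session to justify it is worth a look). The sample text is constructed from the output shown on this page; the field and function names are the example's own.

```python
"""Parse 'show ip inspect sessions detail' output into records and check them.

Added example, not Cisco code. SAMPLE is constructed from the output shown on
this page; record field names and the helper functions are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = """\
Established Sessions
 Session 25A335C (40.0.0.1:20)=>(30.0.0.1:46069) ftp-data SIS_OPEN
  Created 00:00:07, Last heard 00:00:00
  Bytes sent (initiator:responder) [0:3416064]
  acl created 1
   Inbound access-list 111 applied to interface Ethernet1
 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
  Created 00:01:34, Last heard 00:00:07
  Bytes sent (initiator:responder) [196:616]
  acl created 1
   Inbound access-list 111 applied to interface Ethernet1
"""

# One regex per line shape in the detail output.
SESSION_RE = re.compile(r"Session (\w+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\S+) (\S+)")
TIMES_RE = re.compile(r"Created (\d+:\d+:\d+), Last heard (\d+:\d+:\d+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")
ACL_RE = re.compile(r"(Inbound|Outgoing) access-list (\S+) applied to interface (\S+)")


@dataclass
class Session:
    sid: str
    initiator: Tuple[str, int]
    responder: Tuple[str, int]
    proto: str
    state: str
    created_s: int = 0          # age of the session in seconds
    last_heard_s: int = 0       # seconds since the last packet
    bytes_initiator: int = 0
    bytes_responder: int = 0
    acls: List[Tuple[str, str, str]] = field(default_factory=list)  # (direction, acl, interface)


def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_sessions(text: str) -> List[Session]:
    """Walk the output line by line; a 'Session' line opens a new record and the
    indented lines that follow fill it in."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.search(line)
        if m:
            sid, sa, sp, da, dp, proto, state = m.groups()
            cur = Session(sid, (sa, int(sp)), (da, int(dp)), proto, state)
            sessions.append(cur)
            continue
        if cur is None:
            continue  # header lines such as 'Established Sessions'
        m = TIMES_RE.search(line)
        if m:
            cur.created_s = hms_to_seconds(m.group(1))
            cur.last_heard_s = hms_to_seconds(m.group(2))
            continue
        m = BYTES_RE.search(line)
        if m:
            cur.bytes_initiator, cur.bytes_responder = int(m.group(1)), int(m.group(2))
            continue
        m = ACL_RE.search(line)
        if m:
            cur.acls.append(m.groups())
    return sessions


def idle_sessions(sessions: List[Session], idle_limit_s: int) -> List[Session]:
    """Sessions whose 'Last heard' age already exceeds idle_limit_s."""
    return [s for s in sessions if s.last_heard_s > idle_limit_s]


def orphan_data_sessions(sessions: List[Session]) -> List[Session]:
    """ftp-data sessions with no ftp control session between the same two hosts."""
    control = {frozenset((s.initiator[0], s.responder[0])) for s in sessions if s.proto == "ftp"}
    return [s for s in sessions
            if s.proto == "ftp-data" and frozenset((s.initiator[0], s.responder[0])) not in control]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s.sid, s.proto, s.initiator, "->", s.responder, "acl openings:", s.acls)
```

In the sample, the ftp-data session is initiated by the server side (40.0.0.1:20) towards the client, which is what active-mode FTP looks like: CBAC permitted it only because it had inspected the control session 25A6E1C between the same hosts, so `orphan_data_sessions` returns nothing for this output.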
The following is sample output for the show ip inspect all command:
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name all
tcp timeout 3600
udp timeout 30
ftp timeout 3600
Interface Configuration
Interface Ethernet0
Inbound inspection rule is all
tcp timeout 3600
udp timeout 30
ftp timeout 3600
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
Established Sessions
Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
Session 25A34A0 (40.0.0.1:20)=>(30.0.0.1:46072) ftp-data SIS_OPEN
Posted: Tue Apr 4 17:39:14 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.