This chapter explains the function and syntax of the Context-based Access Control (CBAC) commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.
To disable CBAC alert messages, which are displayed on the console, use the ip inspect alert-off command in global configuration mode. Use the no form of this command to enable CBAC alert messages.
ip inspect alert-off
Syntax Description
This command has no arguments or keywords.
To turn on CBAC audit trail messages, which are displayed on the console after each CBAC session closes, use the ip inspect audit-trail command in global configuration mode. Use the no form of this command to turn off audit trail messages.
ip inspect audit-trail
Syntax Description
This command has no arguments or keywords.
To specify the DNS idle timeout (the length of time for which a DNS name lookup session is still managed after there is no activity), use the ip inspect dns-timeout command in global configuration mode. Use the no form of this command to reset the timeout to the default.
ip inspect dns-timeout seconds
Syntax Description
| Argument | Description |
|---|---|
| seconds | Specifies the length of time a DNS name lookup session will still be managed after no activity. |
To apply a set of inspection rules to an interface, use the ip inspect command in interface configuration mode. Use the no form of this command to remove the set of rules from the interface.
ip inspect inspection-name {in | out}
Syntax Description
| Argument | Description |
|---|---|
| inspection-name | Identifies which set of inspection rules to apply. |
| in | Applies the inspection rules to inbound traffic. |
| out | Applies the inspection rules to outbound traffic. |
To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. Use the no form of this command to reset the threshold to the default.
ip inspect max-incomplete high number
Syntax Description
| Argument | Description |
|---|---|
| number | Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions. |
To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. Use the no form of this command to reset the threshold to the default.
ip inspect max-incomplete low number
Syntax Description
| Argument | Description |
|---|---|
| number | Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. |
To define a set of inspection rules, use the ip inspect name command in global configuration mode. Use the no form of this command to remove the inspection rule for a protocol.
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)
HTTP Inspection Syntax
ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds] (Java protocol only)
no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)
RPC Inspection Syntax
ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds] (RPC protocol only)
no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)
Fragment Inspection Syntax
ip inspect name inspection-name fragment [max number timeout seconds]
no ip inspect name inspection-name fragment (removes fragment inspection for a rule)
Syntax Description
| Argument | Description |
|---|---|
| inspection-name | Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules. |
| protocol | A protocol keyword listed in Table 40. |
| alert {on \| off} | (Optional) For each inspected protocol, the generation of alert messages can be set on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command. |
| audit-trail {on \| off} | (Optional) For each inspected protocol, the audit trail can be set on or off. If no option is selected, audit trail messages are generated based on the setting of the ip inspect audit-trail command. |
| http | (Optional) Specifies the HTTP protocol for Java applet blocking. |
| timeout seconds | (Optional) To override the global TCP or UDP idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout. This timeout overrides the global TCP and UDP timeouts but does not override the global DNS timeout. |
| java-list access-list | (Optional) Specifies the access list (name or number) to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with standard access lists. |
| rpc program-number number | Specifies the program number to permit. This keyword is available only for the RPC protocol. |
| wait-time minutes | (Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol. |
| fragment | Specifies fragment inspection for the named rule. |
| max number | Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries. Memory is allocated for the state structures, and setting this value to a larger number may exhaust memory resources. |
| timeout seconds (fragment) | Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is one second. If this number is set to a value greater than one second, Cisco IOS software adjusts it automatically when the number of free state structures goes below certain thresholds: when fewer than 32 states are free, the timeout is divided by 2; when fewer than 16 states are free, the timeout is set to 1 second. |
Table 40   Protocol Keywords
| Protocol | protocol Keyword |
|---|---|
| Transport-Layer Protocols | |
| TCP | tcp |
| UDP | udp |
| Application-Layer Protocols | |
| CU-SeeMe | cuseeme |
| FTP | ftp |
| Java | http |
| H.323 | h323 |
| Microsoft NetShow | netshow |
| UNIX R commands (rlogin, rexec, rsh) | rcmd |
| RealAudio | realaudio |
| RPC | rpc |
| SMTP | smtp |
| SQL*Net | sqlnet |
| StreamWorks | streamworks |
| TFTP | tftp |
| VDOLive | vdolive |
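The following is an added example, not taken from this command reference, showing how the ip inspect name rules, the interface-level ip inspect command and an extended access list fit together into one working CBAC policy. The interface names and addresses, the access list numbers, the rule name fw_out and the RPC program number are all assumptions chosen for the illustration.

```cisco
! Added example (not from the original page). Ethernet0 faces the protected
! LAN and Serial0 faces the untrusted WAN; names and numbers are assumptions.
!
! Standard ACL of "friendly" Java sources. Java blocking only works with a
! standard access list; applets from sources this list does not permit are
! blocked by the http inspection rule below.
access-list 3 permit 192.0.2.0 0.0.0.255
!
! One inspection rule set. Reusing the same name on each line adds one more
! protocol to the same set.
ip inspect name fw_out tcp timeout 3600
ip inspect name fw_out udp timeout 30
ip inspect name fw_out ftp audit-trail on
ip inspect name fw_out smtp alert on
ip inspect name fw_out http java-list 3 alert on audit-trail on
! RPC: permit only NFS (program 100003). wait-time is left at its default of
! zero so no "small hole" stays open after the inspected call ends.
ip inspect name fw_out rpc program-number 100003
! Fragment inspection with the default state pool and timeout.
ip inspect name fw_out fragment max 256 timeout 1
!
! Extended ACL applied inbound on the untrusted interface. CBAC adds temporary
! permit entries to this list for the return traffic of sessions it inspects,
! so the closing "deny ip any any" is what gives inspection its meaning: with a
! permissive list here, the inspection rule adds nothing. ICMP is not in the
! protocol table, so the replies an inside host needs are permitted statically.
access-list 101 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 192.0.2.0 0.0.0.255 unreachable
access-list 101 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
access-list 101 deny ip any any log
!
interface Serial0
 description Untrusted WAN link
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip inspect fw_out out
!
interface Ethernet0
 description Protected LAN
 ip address 192.0.2.1 255.255.255.0
```

Inspection is applied in the direction the sessions are initiated (outbound on Serial0), and the access list blocks the opposite direction; the same policy can instead be written with ip inspect fw_out in on Ethernet0, but the access list must still sit on the interface where the return traffic would otherwise be dropped, and it must be an extended list.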
To define the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high command in global configuration mode. Use the no form of this command to reset the threshold to the default.
ip inspect one-minute high number
Syntax Description
| Argument | Description |
|---|---|
| number | Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions. |
To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low command in global configuration mode. Use the no form of this command to reset the threshold to the default.
ip inspect one-minute low number
Syntax Description
| Argument | Description |
|---|---|
| number | Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. |
To define how long a TCP session will still be managed after the firewall detects a FIN-exchange, use the ip inspect tcp finwait-time command in global configuration mode. Use the no form of this command to reset the timeout to the default.
ip inspect tcp finwait-time seconds
Syntax Description
| Argument | Description |
|---|---|
| seconds | Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange. |
To specify the TCP idle timeout (the length of time a TCP session will still be managed after no activity), use the ip inspect tcp idle-time command in global configuration mode. Use the no form of this command to reset the timeout to the default.
ip inspect tcp idle-time seconds
Syntax Description
| Argument | Description |
|---|---|
| seconds | Specifies the length of time a TCP session will still be managed after no activity. |
To specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention, use the ip inspect tcp max-incomplete host command in global configuration mode. Use the no form of this command to reset the threshold and blocking time to the default values.
ip inspect tcp max-incomplete host number block-time minutes
Syntax Description
| Argument | Description |
|---|---|
| number | Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250. |
| block-time | Specifies blocking of connection initiation to a host. |
| minutes | Specifies how long the software will continue to delete new connection requests to the host. |
To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time command in global configuration mode. Use the no form of this command to reset the timeout to the default.
ip inspect tcp synwait-time seconds
Syntax Description
| Argument | Description |
|---|---|
| seconds | Specifies how long the software will wait for a TCP session to reach the established state before dropping the session. |
To specify the UDP idle timeout (the length of time a UDP "session" will still be managed after no activity), use the ip inspect udp idle-time command in global configuration mode. Use the no form of this command to reset the timeout to the default.
ip inspect udp idle-time seconds
Syntax Description
| Argument | Description |
|---|---|
| seconds | Specifies the length of time a UDP "session" will still be managed after no activity. |
To turn off CBAC completely at a firewall, use the no ip inspect command in global configuration mode.
no ip inspect
Syntax Description
This command has no arguments or keywords.
To view CBAC configuration and session information, use the show ip inspect command in EXEC mode.
show ip inspect {name inspection-name | config | interfaces | session [detail] | all}
Syntax Description
| Argument | Description |
|---|---|
| name inspection-name | Shows the configured inspection rule with the name inspection-name. |
| config | Shows the complete CBAC inspection configuration. |
| interfaces | Shows interface configuration with respect to applied inspection rules and access lists. |
| session [detail] | Shows existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword causes additional details about these sessions to be shown. |
| all | Shows all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC. |
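As an added example that is not part of this command reference, the following combines the global half-open session thresholds, per-host blocking and idle timers described in the preceding entries into one denial-of-service tuning profile, and lists the show ip inspect commands used to verify it. The numeric values are assumptions picked for a small site, not defaults or recommendations taken from this reference.

```cisco
! Added example (not from the original page); all values are assumptions.
!
! Global hysteresis on the total number of half-open sessions: the firewall
! starts deleting half-open sessions once the count exceeds "high" and keeps
! deleting until it falls below "low". Keep high above low; if they were
! equal or reversed the firewall would flip between the two states on every
! new SYN instead of shedding a burst.
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
!
! Same hysteresis on the rate of new unestablished TCP sessions per minute.
ip inspect one-minute high 600
ip inspect one-minute low 400
!
! Per-destination limit: once 40 half-open sessions target one inside host,
! new connection requests to that host are dropped for 2 minutes. With
! block-time 0 the firewall would instead delete the oldest half-open session
! for each new request, which protects the firewall's table but not the host.
ip inspect tcp max-incomplete host 40 block-time 2
!
! Shorter timers release state for unanswered SYNs and closed sessions sooner,
! which is what makes the thresholds above hard to reach in the first place.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 3
ip inspect tcp idle-time 1800
ip inspect udp idle-time 20
ip inspect dns-timeout 5
!
! Keep audit trail records (session open/close) flowing to syslog and leave
! alerts enabled; "ip inspect alert-off" would silence the threshold alerts
! that indicate the limits above were hit.
ip inspect audit-trail
!
! Verification from EXEC mode:
!   show ip inspect config           - effective thresholds and timeouts
!   show ip inspect interfaces       - which rule set and ACL sit on each interface
!   show ip inspect session detail   - tracked sessions and their temporary ACL entries
```

When a threshold is reached, the console alert and the show ip inspect session output are the first evidence of a SYN flood, so the values should be set low enough to trigger on real attacks but above the site's normal burst rate, which show ip inspect session can be used to measure beforehand.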
Posted: Wed Jul 26 16:13:54 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.