Context-Based Access Control Commands

This chapter explains the function and syntax of the Context-based Access Control (CBAC) commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

ip inspect alert-off

To disable CBAC alert messages, which are displayed on the console, use the ip inspect alert-off command in global configuration mode. To enable CBAC alert messages, use the no form of this command.

ip inspect alert-off

no ip inspect alert-off

Syntax Description

This command has no arguments or keywords.

ip inspect audit trail

To turn on CBAC audit trail messages, which are displayed on the console after each CBAC session closes, use the ip inspect audit trail command in global configuration mode. Use the no form of this command to turn off CBAC audit trail messages.

ip inspect audit trail

no ip inspect audit trail

Syntax Description

This command has no arguments or keywords.

ip inspect dns-timeout

To specify the DNS idle timeout (the length of time a DNS name lookup session will still be managed after no activity), use the ip inspect dns-timeout command in global configuration mode. Use the no form of this command to reset the timeout to the default of 5 seconds.

ip inspect dns-timeout seconds

no ip inspect dns-timeout

Syntax Description

seconds

Specifies the length of time a DNS name lookup session will still be managed after no activity.

ip inspect

To apply a set of inspection rules to an interface, use the ip inspect command in interface configuration mode. Use the no form of this command to remove the set of rules from the interface.

ip inspect inspection-name {in | out}

no ip inspect inspection-name {in | out}

Syntax Description

inspection-name

Identifies which set of inspection rules to apply.

in

Applies the inspection rules to inbound traffic.

out

Applies the inspection rules to outbound traffic.

ip inspect max-incomplete high

To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. Use the no form of this command to reset the threshold to the default of 500 half-open sessions.

ip inspect max-incomplete high number

no ip inspect max-incomplete high

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect max-incomplete low

To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. Use the no form of this command to reset the threshold to the default of 400 half-open sessions.

ip inspect max-incomplete low number

no ip inspect max-incomplete low

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect name

To define a set of inspection rules, use the ip inspect name command in global configuration mode. Use the no form of this command to remove the inspection rule for a protocol or to remove the entire set of inspection rules.

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)

no ip inspect name (removes the entire set of inspection rules)

HTTP Inspection Syntax

ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds] (Java protocol only)

no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)

RPC Inspection Syntax

ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds] (RPC protocol only)

no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)

Fragment Inspection Syntax

ip inspect name inspection-name fragment [max number timeout seconds]

no ip inspect name inspection-name fragment (removes fragment inspection for a rule)

Syntax Description

inspection-name

Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules.

protocol

A protocol keyword listed in Table 40.

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, the audit trail can be set on or off. If no option is selected, audit trail messages are generated based on the setting of the ip inspect audit trail command.

http

(Optional) Specifies the HTTP protocol for Java applet blocking.

timeout seconds

(Optional) To override the global TCP or UDP idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.

This timeout overrides the global TCP and UDP timeouts but will not override the global DNS timeout.

java-list access-list

(Optional) Specifies the access list (name or number) to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with standard access lists.

rpc program-number number

Specifies the program number to permit. This keyword is available only for the RPC protocol.

wait-time minutes

(Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol.

fragment

Specifies fragment inspection for the named rule.

max number

Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries.

Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

timeout seconds (fragmentation)

Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is one second.

If this number is set to a value greater than one second, it will be automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is less than 32, the timeout will be divided by 2. When the number of free states is less than 16, the timeout will be set to 1 second.


Table 40: Protocol Keywords

Protocol                                protocol Keyword

Transport-Layer Protocols
  TCP                                   tcp
  UDP                                   udp

Application-Layer Protocols
  CU-SeeMe                              cuseeme
  FTP                                   ftp
  Java                                  http
  H.323                                 h323
  Microsoft NetShow                     netshow
  UNIX R commands (rlogin, rexec, rsh)  rcmd
  RealAudio                             realaudio
  RPC                                   rpc
  SMTP                                  smtp
  SQL*Net                               sqlnet
  StreamWorks                           streamworks
  TFTP                                  tftp
  VDOLive                               vdolive
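The following configuration is an added example, not part of the Cisco reference, showing how the ip inspect name forms above combine into one rule set that is then applied with the ip inspect interface command. The rule-set name FW, the access-list numbers, the address range and the interface name are assumptions.

```cisco
! Constructed example: a CBAC rule set for an Internet-facing router.
! Rule-set name, ACL numbers, addresses and interface are assumptions.
!
! Standard ACL 51 defines the "friendly" Java sources. java-list only
! accepts a standard access list.
access-list 51 permit 192.0.2.0 0.0.0.255
access-list 51 deny any
!
! Every rule uses the same inspection-name so they form a single set.
! Per-protocol alert, audit-trail and timeout settings override the
! global ones for that protocol only.
ip inspect name FW tcp timeout 1800
ip inspect name FW udp
ip inspect name FW ftp audit-trail on
ip inspect name FW smtp alert on
ip inspect name FW http java-list 51 audit-trail on
! RPC program 100003 (NFS); keep a 2-minute hole for follow-up connections
ip inspect name FW rpc program-number 100003 wait-time 2
! Track at most 512 out-of-order fragments, each for 2 seconds
ip inspect name FW fragment max 512 timeout 2
!
! Global defaults used where a rule does not set its own.
ip inspect audit trail
!
! Extended ACL 101 denies unsolicited inbound traffic; CBAC opens
! temporary openings only for return traffic of inspected sessions.
access-list 101 deny ip any any
!
interface Serial0
 description Link to ISP (assumed interface)
 ip access-group 101 in
 ip inspect FW out
```

With this layout, outbound sessions leaving Serial0 are inspected and their return traffic is admitted through ACL 101 for as long as the session is tracked; show ip inspect name FW confirms the resulting rule set.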

ip inspect one-minute high

To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high command in global configuration mode. Use the no form of this command to reset the threshold to the default of 500 half-open sessions.

ip inspect one-minute high number

no ip inspect one-minute high

Syntax Description

number

Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low command in global configuration mode. Use the no form of this command to reset the threshold to the default of 400 half-open sessions.

ip inspect one-minute low number

no ip inspect one-minute low

Syntax Description

number

Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp finwait-time

To define how long a TCP session will still be managed after the firewall detects a FIN-exchange, use the ip inspect tcp finwait-time command in global configuration mode. Use the no form of this command to reset the timeout to the default of 5 seconds.

ip inspect tcp finwait-time seconds

no ip inspect tcp finwait-time

Syntax Description

seconds

Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange.

ip inspect tcp idle-time

To specify the TCP idle timeout (the length of time a TCP session will still be managed after no activity), use the ip inspect tcp idle-time command in global configuration mode. Use the no form of this command to reset the timeout to the default of 3600 seconds (1 hour).

ip inspect tcp idle-time seconds

no ip inspect tcp idle-time

Syntax Description

seconds

Specifies the length of time a TCP session will still be managed after no activity.

ip inspect tcp max-incomplete host

To specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention, use the ip inspect tcp max-incomplete host command in global configuration mode. Use the no form of this command to reset the threshold and blocking time to the default values.

ip inspect tcp max-incomplete host number block-time minutes

no ip inspect tcp max-incomplete host

Syntax Description

number

Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250.

block-time

Specifies blocking of connection initiation to a host.

minutes

Specifies how long the software will continue to delete new connection requests to the host.

ip inspect tcp synwait-time

To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time command in global configuration mode. Use the no form of this command to reset the timeout to the default of 30 seconds.

ip inspect tcp synwait-time seconds

no ip inspect tcp synwait-time

Syntax Description

seconds

Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
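As an added example, not taken from the Cisco reference, the threshold commands from ip inspect max-incomplete high through ip inspect tcp synwait-time are tuned together below. The values are illustrative, chosen to show the high/low relationship, not recommended settings.

```cisco
! Constructed example: tuning CBAC half-open session handling.
! All numbers are illustrative assumptions, not recommendations.
!
! Aggressive deletion of half-open sessions starts when the count passes
! the high mark and stops once it drops to the low mark. Keeping a gap
! between the two values prevents rapid on/off flapping.
ip inspect max-incomplete high 900
ip inspect max-incomplete low 700
!
! The same hysteresis for the one-minute rate of new unestablished
! sessions, independent of the absolute count above.
ip inspect one-minute high 900
ip inspect one-minute low 700
!
! Per-destination limit: after 50 half-open TCP sessions to one host
! (range is 1 to 250), block new connection initiations to it for 2 minutes.
ip inspect tcp max-incomplete host 50 block-time 2
!
! Give up on sessions that do not reach the established state within
! 20 seconds, and release closed sessions 3 seconds after the FIN exchange.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 3
```

Use show ip inspect config from privileged EXEC mode to verify the active thresholds, and show ip inspect session detail to see which half-open sessions are currently being counted against them.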

ip inspect udp idle-time

To specify the UDP idle timeout (the length of time a UDP "session" will still be managed after no activity), use the ip inspect udp idle-time command in global configuration mode. Use the no form of this command to reset the timeout to the default of 30 seconds.

ip inspect udp idle-time seconds

no ip inspect udp idle-time

Syntax Description

seconds

Specifies the length of time a UDP "session" will still be managed after no activity.

no ip inspect

To turn off Context-based Access Control (CBAC) completely at a firewall, use the no ip inspect command in global configuration mode.

no ip inspect

Syntax Description

This command has no arguments or keywords.

show ip inspect

To view CBAC configuration and session information, use the show ip inspect command in privileged EXEC mode.

show ip inspect {name inspection-name | config | interfaces | session [detail] | all}

Syntax Description

name inspection-name

Shows the configured inspection rule with the name inspection-name.

config

Shows the complete CBAC inspection configuration.

interfaces

Shows interface configuration with respect to applied inspection rules and access lists.

session [detail]

Shows existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword causes additional details about these sessions to be shown.

all

Shows all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.

Posted: Wed Jul 26 16:13:54 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.