This chapter explains the function and syntax of the TCP intercept commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.
To change how long a TCP connection will be managed by the TCP intercept after no activity, use the ip tcp intercept connection-timeout command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept connection-timeout seconds
Syntax Description
seconds Time (in seconds) that the software will still manage the connection after no activity. The minimum value is 1 second. The default is 86400 seconds (24 hours).
To set the TCP intercept drop mode, use the ip tcp intercept drop-mode command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept drop-mode {oldest | random}
Syntax Description
oldest Software drops the oldest partial connection. This is the default.
random Software drops a randomly selected partial connection.
To change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection, use the ip tcp intercept finrst-timeout command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept finrst-timeout seconds
Syntax Description
seconds Time (in seconds) after receiving a reset or FIN-exchange that the software ceases to manage the connection. The minimum value is 1 second. The default is 5 seconds.
To enable TCP intercept, use the ip tcp intercept list command in global configuration mode. Use the no form of this command to disable TCP intercept.
ip tcp intercept list access-list-number
Syntax Description
access-list-number Extended access list number in the range 100 to 199.
To define the maximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp intercept max-incomplete high command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept max-incomplete high number
Syntax Description
number Defines the number of incomplete connections allowed, above which the software enters aggressive mode. The range is 1 to 2147483647. The default is 1100.
To define the number of incomplete connections below which the software leaves aggressive mode, use the ip tcp intercept max-incomplete low command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept max-incomplete low number
Syntax Description
number Defines the number of incomplete connections below which the software leaves aggressive mode. The range is 1 to 2147483647. The default is 900.
To change the TCP intercept mode, use the ip tcp intercept mode command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept mode {intercept | watch}
Syntax Description
intercept Active mode in which the TCP intercept software intercepts TCP packets from clients to servers that match the configured access list and performs intercept duties. This is the default.
watch Monitoring mode in which the software allows connection attempts to pass through the router and watches them until they are established.
To define the number of connection requests received in the last one-minute sample period before the software enters aggressive mode, use the ip tcp intercept one-minute high command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept one-minute high number
Syntax Description
number Specifies the number of connection requests that can be received in the last one-minute sample period before the software enters aggressive mode. The range is 1 to 2147483647. The default is 1100.
To define the number of connection requests below which the software leaves aggressive mode, use the ip tcp intercept one-minute low command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept one-minute low number
Syntax Description
number Defines the number of connection requests in the last one-minute sample period below which the software leaves aggressive mode. The range is 1 to 2147483647. The default is 900.
To define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server, use the ip tcp intercept watch-timeout command in global configuration mode. Use the no form of this command to restore the default.
ip tcp intercept watch-timeout seconds
Syntax Description
seconds Time (in seconds) that the software waits for a watched connection to reach established state before sending a Reset to the server. The minimum value is 1 second. The default is 30 seconds.
To display TCP incomplete and established connections, use the show tcp intercept connections command in EXEC mode.
show tcp intercept connections
Syntax Description
This command has no arguments or keywords.
To display TCP intercept statistics, use the show tcp intercept statistics command in EXEC mode.
show tcp intercept statistics
Syntax Description
This command has no arguments or keywords.
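The following is an added example, not part of this reference and not Cisco's code: a small Python model of how the max-incomplete high/low, one-minute high/low, and drop-mode settings above interact. It assumes that exceeding either high value enters aggressive mode, that both counts must fall below their low values to leave it, and that each new SYN arriving in aggressive mode evicts one existing partial connection chosen by drop-mode; the thresholds and SYN sequence in demo() are constructed.

```python
import random
from collections import deque

class TcpInterceptModel:
    def __init__(self, max_incomplete_high=1100, max_incomplete_low=900,
                 one_minute_high=1100, one_minute_low=900, drop_mode="oldest", seed=0):
        assert drop_mode in ("oldest", "random")
        self.mi_high, self.mi_low = max_incomplete_high, max_incomplete_low
        self.om_high, self.om_low = one_minute_high, one_minute_low
        self.drop_mode, self.rng = drop_mode, random.Random(seed)
        self.partial = deque()   # half-open connections, oldest first
        self.recent = deque()    # SYN arrival times within the last 60 s
        self.aggressive, self.dropped = False, []

    def _update_mode(self, now):
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        incomplete, per_minute = len(self.partial), len(self.recent)
        # Assumption: either high value trips aggressive mode; both lows needed to leave.
        if incomplete > self.mi_high or per_minute > self.om_high:
            self.aggressive = True
        elif incomplete < self.mi_low and per_minute < self.om_low:
            self.aggressive = False

    def syn(self, now, conn_id):
        """A client SYN arrives at time `now` (seconds)."""
        self.recent.append(now)
        self.partial.append(conn_id)
        self._update_mode(now)
        if self.aggressive and len(self.partial) > 1:
            # Assumption: each new SYN in aggressive mode evicts one older partial connection.
            idx = 0 if self.drop_mode == "oldest" else self.rng.randrange(len(self.partial) - 1)
            self.dropped.append(self.partial[idx])
            del self.partial[idx]

    def established(self, now, conn_id):
        if conn_id in self.partial:
            self.partial.remove(conn_id)
        self._update_mode(now)

def demo():
    """Constructed flood: 12 SYNs against high=10/low=6, then 5 handshakes complete."""
    m = TcpInterceptModel(max_incomplete_high=10, max_incomplete_low=6)
    for i in range(12):
        m.syn(now=i * 0.1, conn_id=f"c{i}")
    states = []
    for i in range(2, 7):
        m.established(now=2.0, conn_id=f"c{i}")
        states.append((len(m.partial), m.aggressive))
    return {"dropped": list(m.dropped), "states": states}
```

The gap between the high and low values is what keeps the model from flapping: after the first handshake completes the count is already back below high, yet the mode stays aggressive until the count drops below low.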
Posted: Wed Jul 26 16:16:19 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.