Полезная информация

cc/td/doc/product/software/ios120/12cgcr/secur_r
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Context-Based  Access  Control Commands

Context-Based  Access  Control Commands

This chapter describes Context-based Access Control (CBAC) commands.

CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information and can be used for intranets, extranets and internets. Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network  layer, or at most, the transport  layer. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network).

Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring CBAC.

For configuration information, refer to the chapter "Configuring Context-Based Access Control" in the Security Configuration Guide.

ip inspect audit trail

To turn on CBAC audit trail messages, which will be displayed on the console after each CBAC session closes, use the ip inspect audit trail global configuration command. Use the no form of this command to turn off CBAC audit trail messages.

ip inspect audit trail
no
ip inspect audit trail

Syntax Description

This command has no arguments or keywords.

Default

Audit trail messages are not displayed.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

Example

The following example turns on CBAC audit trail messages:

ip inspect audit trail

Afterwards, audit trail messages such as the following are displayed.

%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- 
responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator 192.168.1.13:33194) sent 336 bytes -- 
responder (192.168.129.11:21) sent 325 bytes

These messages are examples of audit trail messages. To determine which protocol was inspected, refer to the responder's port number. The port number follows the responder's IP address.

ip inspect dns-timeout

To specify the DNS idle timeout (the length of time a DNS name lookup session will still be managed after no activity), use the ip inspect dns-timeout global configuration command. Use the no form of this command to reset the timeout to the default of 5 seconds.

ip inspect dns-timeout seconds
no ip inspect dns-timeout

Syntax Description

seconds

Specifies the length of time a DNS name lookup session will still be managed after no activity.

Default

5 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

When the software detects a valid UDP packet for a new DNS name lookup session, if Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session.

If the software detects no packets for the DNS session for a time period defined by the DNS idle timeout, the software will not continue to manage state information for the session.

The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC.

The DNS idle timeout value overrides the global UDP timeout. The DNS idle timeout value also enters aggressive mode and overrides any timeouts specified for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.

Examples

The following example sets the DNS idle timeout to 30 seconds:

ip inspect dns-timeout 30

The following example sets the DNS idle timeout back to the default (5 seconds):

no ip inspect dns-timeout

ip inspect (interface configuration)

To apply a set of inspection rules to an interface, use the ip inspect interface configuration command. Use the no form of this command to remove the set of rules from the interface.

ip inspect inspection-name {in | out}
no ip inspect inspection-name {in | out}

Syntax Description

inspection-name

Identifies which set of inspection rules to apply.

in

Applies the inspection rules to inbound traffic.

out

Applies the inspection rules to outbound traffic.

Default

If no set of inspection rules is applied to an interface, no traffic will be inspected by CBAC.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

Use this command to apply a set of inspection rules to an interface.

Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternately, if the interface connects to the internal network, you apply the inspection rules to inbound traffic.

If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet.

If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet.

Example

The following example applies a set of inspection rules named "outboundrules" to an external interface's outbound traffic. This causes inbound IP traffic to be permitted only if the traffic is part of an existing session, and to be denied if the traffic is not part of an existing session.

interface serial0
  ip inspect outboundrules out

Related Commands

You can use the master indexes or search online to find documentation of related commands.

ip inspect name (global configuration)

ip inspect max-incomplete high

To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high global configuration command. Use the no form of this command to reset the threshold to the default of 500 half-open sessions.

ip inspect max-incomplete high number
no ip inspect max-incomplete high

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

Default

500 half-open sessions

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Example

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:

ip inspect max-incomplete high 900
ip inspect max-incomplete low 800

Related Commands

You can use the master indexes or search online to find documentation of related commands.

ip inspect max-incomplete low
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp max-incomplete host

ip inspect max-incomplete low

To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low global configuration command. Use the no form of this command to reset the threshold to the default of 400 half-open sessions.

ip inspect max-incomplete low number
no ip inspect max-incomplete low

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

Default

400 half-open sessions

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Example

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:

ip inspect max-incomplete high 900
ip inspect max-incomplete low 800

Related Commands

You can use the master indexes or search online to find documentation of related commands.

ip inspect max-incomplete high
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp max-incomplete host

ip inspect name (global configuration)

To define a set of inspection rules, use the ip inspect name global configuration command. Use the no form of this command to remove the inspection rule for a protocol or to remove the entire set of inspection rules.

ip inspect name inspection-name protocol [timeout seconds]
or
ip inspect name inspection-name http [java-list access-list] [timeout seconds]
                 (Java protocol only)
or
ip inspect name inspection-name rpc program-number number [wait-time minutes]                  [timeout  seconds] (RPC protocol only)

no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)
no ip inspect name (removes the entire set of inspection rules)

Syntax Description

inspection-name

Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules.

protocol

A protocol keyword listed in Table 19.

timeout seconds

(Optional) To override the global TCP or UDP idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.

This timeout overrides the global TCP and UPD timeouts but will not override the global DNS timeout.

java-list access-list

(Optional) Specifies the access list (name or number) to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with standard access lists.

rpc program-number number

Specifies the program number to permit. This keyword is available only for the RPC protocol.

wait-time minutes

(Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol.


Table 19: Protocol Keywords
Protocol protocol Keyword

Transport-Layer Protocols

TCP

tcp

UDP

udp

Application-Layer Protocols

CU-SeeMe

cuseeme

FTP

ftp

Java (see the section "Java Inspection," following)

http

H.323 (see the section "H.323 Inspection," following)

h323

UNIX R commands (rlogin, rexec, rsh)

rcmd

RealAudio

realaudio

RPC (see the section "RPC Inspection," following)

rpc

SMTP (see the section "SMTP Inspection," following)

smtp

SQL*Net

sqlnet

StreamWorks

streamworks

TFTP

tftp

VDOLive

vdolive

Default

No inspection rules are defined until you define them using this command.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

To define a set of inspection rules, enter this command for each protocol that you want Context-based Access Control (CBAC) to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name. Define either one or two sets of rules per interface---you can define one set to examine both inbound and outbound traffic; or you can define two sets: one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for TCP or UDP as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name.

In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.

TCP and UDP Inspection

You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number than the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.

With TCP and UDP inspection, packets entering the network must exactly match the corresponding packet that previously exited the network: the entering packets must have the same source/destination addresses and source/destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface. Also, all TCP packets with a sequence number outside of the window are dropped.

Application-Layer Protocol Inspection

In general, if you configure inspection for an application-layer protocol, packets for that protocol will be permitted to exit the firewall, and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state and to determine if that packet belongs to a valid existing session.

Java, H.323, RPC, and SMTP, and SQL*Net inspection have additional information, described in the next three sections.

Java Inspection

With Java, you must protect against the risk of users inadvertently downloading destructive applets into your network. To protect against this risk, you could require all users to disable Java in their browser. If this is not an agreeable solution, you can use CBAC to filter Java applets at the firewall, which allows users to download only applets residing within the firewall and trusted applets from outside the firewall.

Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except for sites specifically designated as "hostile."


Note Before you configure Java inspection, you must configure a standard access list that defines "friendly" and "hostile" external sites. You configure this access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure an access list, but use a "placeholder" access list in the ip inspect name inspection-name http command, all Java applets will be blocked.
Caution CBAC does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port.
H.323 Inspection

If you want CBAC inspection to work with NetMeeting 2.0 traffic (an H.323 application-layer protocol), you must also configure inspection for TCP, as described in the chapter "Configuring Context-Based Access Control" in the Security Configuration Guide. This requirement exists because NetMeeting 2.0 uses an additional TCP channel not defined in the H.323 specification.

RPC Inspection

RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program  number. If a program  number is specified, all traffic for that program number will be permitted. If a program  number is not specified, all traffic for that program number will be blocked. For example, if you created an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall.

SMTP Inspection

SMTP inspection causes SMTP commands to be inspected for illegal commands. Any packets with illegal commands are dropped, and the SMTP session will hang and eventually time out. An illegal command is any command except for the following legal commands:

Use of the timeout Keyword

If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface that the set of inspection rules is applied to.

If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.

If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.

Example

The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For FTP traffic, the idle timeout is set to override the global TCP idle timeout. For RPC traffic, program numbers 100003, 100005, and 100021 are permitted.

ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021

Related Commands

You can use the master indexes or search online to find documentation of related commands.

ip inspect (interface configuration)

ip inspect one-minute high

To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high global configuration command. Use the no form of this command to reset the threshold to the default of 500 half-open sessions.

ip inspect one-minute high number
no ip inspect one-minute high

Syntax Description

number

Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions.

Default

500 half-open sessions

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.

When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.)

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Example

The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:

ip inspect one-minute high 1000
ip inspect one-minute low 950

Related Commands

You can use the master indexes or search online to find documentation of related commands.

ip inspect one-minute low
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect tcp max-incomplete host

ip inspect one-minute low

To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low global configuration command. Use the no form of this command to reset the threshold to the default of 400 half-open sessions.

ip inspect one-minute low number
no ip inspect one-minute low

Syntax Description

number

Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

Default

400 half-open sessions

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.

When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.)

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Example

The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:

ip inspect one-minute high 1000
ip inspect one-minute low 950

Related Commands

You can use the master indexes or search online to find documentation of related commands.

ip inspect one-minute high
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect tcp max-incomplete host

ip inspect tcp finwait-time

To define how long a TCP session will still be managed after the firewall detects a FIN-exchange, use the ip inspect tcp finwait-time global configuration command. Use the no form of this command to reset the timeout to the default of 5 seconds.

ip inspect tcp finwait-time seconds
no ip inspect tcp finwait-time

Syntax Description

seconds

Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange.

Default

5 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

When the software detects a valid TCP packet that is the first in a session, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.

Use this command to define how long TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close.

The global value specified for this timeout applies to all TCP sessions inspected by CBAC.

The timeout set with this command is referred to as the "finwait" timeout.


Note If the -n option is used with rsh, and the commands being executed do not produce output before the "finwait" timeout, the session will be dropped and no further output will be seen.

Examples

The following example changes the "finwait" timeout to 10 seconds:

ip inspect tcp finwait-time 10

The following example changes the "finwait" timeout back to the default (5 seconds):

no ip inspect tcp finwait-time

ip inspect tcp idle-time

To specify the TCP idle timeout (the length of time a TCP session will still be managed after no activity), use the ip inspect tcp idle-time global configuration command. Use the no form of this command to reset the timeout to the default of 3600 seconds (1 hour).

ip inspect tcp idle-time seconds
no ip inspect tcp idle-time

Syntax Description

seconds

Specifies the length of time a TCP session will still be managed after no activity.

Default

3600 seconds (1 hour)

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

When the software detects a valid TCP packet that is the first in a session, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.

If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not continue to manage state information for the session.

The global value specified for this timeout applies to all TCP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.


Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the TCP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.

Examples

The following example sets the global TCP idle timeout to 1800 seconds (30 minutes):

ip inspect tcp idle-time 1800

The following example sets the global TCP idle timeout back to the default of 3600 seconds (one hour):

no ip inspect tcp idle-time

ip inspect tcp max-incomplete host

To specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention, use the ip inspect tcp max-incomplete host global configuration command. Use the no form of this command to reset the threshold and blocking time to the default values.

ip inspect tcp max-incomplete host number block-time seconds
no ip inspect tcp max-incomplete host

Syntax Description

number

Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250.

seconds

Specifies how long the software will continue to delete new connection requests to the host.

Default

50 half-open sessions and 0 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

An unusually high number of half-open sessions with the same destination host address could indicate that a denial-of-service attack is being launched against the host. For TCP, "half-open" means that the session has not reached the established state.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (the max-incomplete host number), the software will delete half-open sessions according to one of the following methods:

The software will delete the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
The software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

The software also sends syslog messages whenever the max-incomplete host number is exceeded, and when blocking of connection initiations to a host starts or ends.

The global values specified for the threshold and blocking time apply to all TCP connections inspected by CBAC.

Examples

The following example changes the max-incomplete host number to 40 half-open sessions, and changes the block-time timeout to 2 minutes (120 seconds):

ip inspect tcp max-incomplete host 40 block-time 120

The following example resets the defaults (50 half-open sessions and 0 seconds):

no ip inspect tcp max-incomplete host

Related Commands

You can use the master indexes or search online to find documentation of related commands.

ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect one-minute high
ip inspect one-minute low

ip inspect tcp synwait-time

To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time global configuration command. Use the no form of this command to reset the timeout to the default of 30 seconds.

ip inspect tcp synwait-time seconds
no ip inspect tcp synwait-time

Syntax Description

seconds

Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.

Default

30 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

Use this command to define how long software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the session's first SYN bit is detected.

The global value specified for this timeout applies to all TCP sessions inspected by Context-based Access Control (CBAC).

Examples

The following example changes the "synwait" timeout to 20 seconds:

ip inspect tcp synwait-time 20

The following example changes the "synwait" timeout back to the default (30 seconds):

no ip inspect tcp synwait-time

ip inspect udp idle-time

To specify the UDP idle timeout (the length of time a UDP "session" will still be managed after no activity), use the ip inspect udp idle-time global configuration command. Use the no form of this command to reset the timeout to the default of 30 seconds.

ip inspect udp idle-time seconds
no ip inspect udp idle-time

Syntax Description

seconds

Specifies the length of time a UDP "session" will still be managed after no activity.

Default

30 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, similar source/destination addresses) and if the packet was detected soon after another similar UDP packet.

If the software detects no UDP packets for the UDP session for the a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.


Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the UDP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.

Examples

The following example sets the global UDP idle timeout to 120 seconds (2 minutes):

ip inspect udp idle-time 120

The following example sets the global UDP idle timeout back to the default of 30 seconds:

no ip inspect udp idle-time

no ip inspect

To turn off Context-based Access Control (CBAC) completely at a firewall, use the no ip inspect global configuration command.

no ip inspect

Syntax Description

This command has no arguments or keywords.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

Turn off CBAC with the no ip inspect global configuration command.


Note The no in inspect command removes all CBAC configuration entries and resets all CBAC global timeouts and thresholds to the defaults. All existing sessions are deleted and their associated access lists removed.

Example

The following example turns off CBAC at a firewall:

no ip inspect

show ip inspect

To view CBAC configuration and session information, use the show ip inspect privileged EXEC command.

show ip inspect {name inspection-name | config | interfaces | session [detail] | all}

Syntax Description

name inspection-name

Shows the configured inspection rule with the name inspection-name.

config

Shows the complete CBAC inspection configuration.

interfaces

Shows interface configuration with respect to applied inspection rules and access lists.

session [detail]

Shows existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword causes additional details about these sessions to be shown.

all

Shows all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

Sample Display

The following is sample output for show ip inspect name myinspectionrule, where the inspection rule "myinspectionrule" is configured:

Inspection Rule Configuration
 Inspection name myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600

The output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol.

The following is sample output for show ip inspect config:

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600

The output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.

The following is sample output for show ip inspect interfaces:

Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

The following is sample output for show ip inspect sessions:

Established Sessions
 Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
 Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN

The output shows the source and destination addresses and port numbers (separated by colons), and it indicates that the session is an FTP session.

The following is sample output for show ip inspect sessions detail:

Established Sessions
 Session 25A335C (40.0.0.1:20)=>(30.0.0.1:46069) ftp-data SIS_OPEN
   Created 00:00:07, Last heard 00:00:00
   Bytes sent (initiator:responder) [0:3416064] acl created 1
   Inbound access-list 111 applied to interface Ethernet1
 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
   Created 00:01:34, Last heard 00:00:07
   Bytes sent (initiator:responder) [196:616] acl created 1
   Inbound access-list 111 applied to interface Ethernet1

The output includes times, number of bytes sent, and which access list is applied.

The following is sample output for show ip inspect all:

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
 Established Sessions
 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
 Session 25A34A0 (40.0.0.1:20)=>(30.0.0.1:46072) ftp-data SIS_OPEN


hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1998 © Cisco Systems Inc.