47-43
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 47 Configuring Inspection of Basic Internet Protocols
IP Options Inspection
This wizard is available from the Configuration > Firewall > Service Policy Rules > Add > Add Service
Policy Rule Wizard - Rule Actions dialog box.
Step 1 Open the Add Service Policy Rule Wizard by selecting Configuration > Firewall > Service Policy Rules > Add.
Perform the steps to complete the Service Policy, Traffic Classification Criteria, and Traffic Match -
Destination Port pages of the wizard. See the “Adding a Service Policy Rule for Through Traffic” section
on page 36-8.
The Add Service Policy Rule Wizard - Rule Actions dialog box opens.
Step 2 Check the IP-Options check box.
Step 3 Click Configure.
The Select IP Options Inspect Map dialog box opens.
Step 4 Perform one of the following:
• Click the Use the default IP-Options inspection map radio button to use the default IP Options map. The default map drops packets containing all the inspected IP options, namely End of Options List (EOOL), No Operation (NOP), and Router Alert (RTRALT).
• Click the Select an IP-Options inspect map for fine control over inspection radio button to select a defined application inspection map.
• Click Add to open the Add IP-Options Inspect Map dialog box and create a new inspection map.
Step 5 (Optional) If you clicked Add to create a new inspection map, define the following values for IP Options Inspection:
a. Enter a name for the inspection map.
b. Enter a description for the inspection map, up to 200 characters long.
c. From the Parameters area, select which IP options you want to pass through the ASA or clear and then pass through the ASA:
• Allow packets with the End of Options List (EOOL) option
This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.
• Allow packets with the No Operation (NOP) option
The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as “internal padding” to align the options on a 32-bit boundary.
• Allow packets with the Router Alert (RTRALT) option
This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols that require relatively complex processing from the routers along the packet's delivery path.
• Clear the option value from the packets
When an option is checked, the Clear the option value from the packets check box becomes available for that option. Select the Clear the option value from the packets check box to clear the option from the packet before allowing the packet through the ASA.
d. Click OK.
Step 6 Click OK.
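The following is an added example, not code from Cisco or from the ASDM guide: a small Python IPv4 Options field parser and inspector that mirrors the decisions an IP-Options inspect map makes. It walks the option list the way the option format in the descriptions above requires (EOOL and NOP are single bytes, other options carry a length byte, EOOL ends the list even when zero padding follows it), enforces the 32-bit alignment rule, and applies a per-option allow/clear policy, dropping the packet under the default map. Two details are this example's own assumptions rather than documented ASA behaviour: an option the map does not name is dropped, and "clear" overwrites the option's bytes with NOPs so the header length and alignment stay intact. The sample Options field is constructed for the example.

```python
# Added example, not code from Cisco or the ASDM guide: a toy IPv4 Options
# field inspector mirroring the allow/clear/drop decisions of an IP-Options
# inspect map.
from typing import Dict, List, Optional, Tuple

EOOL, NOP, RTRALT = 0, 1, 148       # option type bytes (RFC 791; RFC 2113 for Router Alert)
NAMES = {EOOL: "eool", NOP: "nop", RTRALT: "rtralt"}


def parse_options(options: bytes) -> List[Tuple[int, int, int]]:
    """Walk the IP header Options field and return (type, offset, length) triples.

    EOOL and NOP are single-byte options; every other option carries a length
    byte that counts the type and length bytes themselves.  EOOL ends the list,
    so bytes after it (zero padding up to the header length) are not parsed.
    """
    found = []
    i = 0
    while i < len(options):
        t = options[i]
        if t == EOOL:
            found.append((t, i, 1))
            break
        if t == NOP:
            found.append((t, i, 1))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"truncated option at offset {i}")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad option length {length} at offset {i}")
        found.append((t, i, length))
        i += length
    return found


def inspect(options: bytes, policy: Optional[Dict[str, str]] = None) -> Tuple[str, bytes]:
    """Apply an inspect-map policy to an Options field.

    policy maps 'eool', 'nop' and 'rtralt' to 'allow' or 'clear'.  With no
    policy (the default map) a packet carrying any inspected option is dropped.
    Assumptions of this example: an option the policy does not name is also
    dropped, and 'clear' overwrites the option bytes with NOPs so the header
    length and 32-bit alignment are unchanged.
    Returns (verdict, options_after_inspection).
    """
    if len(options) % 4:
        raise ValueError("Options field must pad the header to a 32-bit boundary")
    policy = policy or {}
    buf = bytearray(options)
    for t, off, length in parse_options(options):
        action = policy.get(NAMES.get(t, ""), "drop")
        if action == "drop":
            return "drop", bytes(options)
        if action == "clear":
            buf[off:off + length] = bytes([NOP]) * length
    return "allow", bytes(buf)


def finish_options(options: bytes) -> bytes:
    """Terminate an option list with EOOL and zero-pad it to a 32-bit boundary,
    which is why EOOL need not sit at the very end of the header."""
    out = options + bytes([EOOL])
    return out + bytes((-len(out)) % 4)


# Constructed sample: NOP, Router Alert (value 0), EOOL, then two pad bytes.
SAMPLE = b"\x01\x94\x04\x00\x00\x00\x00\x00"
FINE_CONTROL_MAP = {"eool": "allow", "nop": "allow", "rtralt": "clear"}

if __name__ == "__main__":
    print(parse_options(SAMPLE))
    print(inspect(SAMPLE))                    # default map: drop
    print(inspect(SAMPLE, FINE_CONTROL_MAP))  # allow, Router Alert cleared to NOPs
```

Running the module shows the default map dropping the sample packet outright, while the fine-control map lets it through with the four Router Alert bytes rewritten to NOPs and the EOOL and padding left in place.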