Cisco IOS Firewall Explanation
RS_MCP
Member Posts: 352
Hi,
Could someone please explain the below configuration to me and what it exactly is doing?
Thanks in advance.
t tcp reassembly queue length 512
ip inspect tcp reassembly memory limit 256
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW dns
ip inspect name FW icmp
ip inspect name FW netbios-dgm
ip inspect name FW netbios-ns
ip inspect name FW netbios-ssn
ip inspect name FW ssh
ip inspect name FW telnet alert on
ip inspect name FW https
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW parameter max-sessions 1000
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
Comments
shednik Member Posts: 2,005
t tcp reassembly queue length 512 - limits the number of packets to be in the reassembly queue when packets arrive fragmented.
ip inspect tcp reassembly memory limit 256 - limits memory usage for reassembly process.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW dns
ip inspect name FW icmp
ip inspect name FW netbios-dgm
ip inspect name FW netbios-ns
ip inspect name FW netbios-ssn
ip inspect name FW ssh
ip inspect name FW telnet alert on
ip inspect name FW https
ip inspect name FW ftp
ip inspect name FW http
Statements for specific protocols for the FW to inspect when traversing the interface it's applied to. It will add the ability to dynamically open sessions through the firewall and eliminate the need to leave certain ports open at all times.
ip inspect name FW parameter max-sessions 1000
Limits the number of sessions through the firewall
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
I will have to read a bit on those; I haven't used them before and can't remember the specifics on them.
no ip domain lookup - takes away the annoying wait when you mistype a command
HTH
joe
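The inspect list above is inert until it is bound to an interface, and it only makes sense next to an ACL that blocks unsolicited inbound traffic; CBAC then punches temporary holes in that ACL for the return leg of each inspected session. The following fragment is an added illustration, not part of the original post, and the interface names and ACL name are assumed:

```cisco
! Added example (not from the original post): wiring the FW inspect list in.
! Interface names and the ACL name OUTSIDE_IN are assumed for illustration.
!
! Block everything arriving from the outside by default and log it. CBAC adds
! dynamic entries ahead of this deny for sessions it has inspected outbound.
ip access-list extended OUTSIDE_IN
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Outside (untrusted)
 ip access-group OUTSIDE_IN in
!
interface GigabitEthernet0/0
 description Inside (trusted)
 ! Inspect traffic entering from the inside, i.e. sessions initiated by
 ! inside hosts. The router-traffic keyword in the tcp/udp lines also covers
 ! sessions the router itself originates.
 ip inspect FW in
```

To confirm it is working, `show ip inspect sessions` lists the live sessions CBAC is tracking and `show ip inspect config` shows the FW list with its timeouts and the max-sessions value; the telnet line's `alert on` will also produce syslog messages for inspected telnet sessions.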
QHalo Member Posts: 1,488
This is where Cisco's site comes in real handy. You can look up the commands and they'll explain them for you.
Cisco IOS Security Command Reference - icmp idle-timeout through ip http ezvpn [Support] - Cisco Systems
HTH