Cisco IOS Firewall Explanation

RS_MCP Member Posts: 352
Hi,

Could someone please explain the below configuration to me and what it exactly is doing?

Thanks in advance.

t tcp reassembly queue length 512
ip inspect tcp reassembly memory limit 256
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW dns
ip inspect name FW icmp
ip inspect name FW netbios-dgm
ip inspect name FW netbios-ns
ip inspect name FW netbios-ssn
ip inspect name FW ssh
ip inspect name FW telnet alert on
ip inspect name FW https
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW parameter max-sessions 1000
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup

Comments

  • shednik Member Posts: 2,005
    t tcp reassembly queue length 512 - limits the number of packets to be in the reassembly queue when packets arrive fragmented.


    ip inspect tcp reassembly memory limit 256 - limits memory usage for reassembly process.


    ip inspect name FW tcp router-traffic
    ip inspect name FW udp router-traffic
    ip inspect name FW dns
    ip inspect name FW icmp
    ip inspect name FW netbios-dgm
    ip inspect name FW netbios-ns
    ip inspect name FW netbios-ssn
    ip inspect name FW ssh
    ip inspect name FW telnet alert on
    ip inspect name FW https
    ip inspect name FW ftp
    ip inspect name FW http

    Statements for specific protocols for the FW to inspect when traversing the interface it's applied to. It will add the ability to dynamically open sessions through the firewall and eliminate the need to leave certain ports open at all times.

    ip inspect name FW parameter max-sessions 1000

    Limits the number of sessions through the firewall.

    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3

    I will have to read a bit on those; I haven't used them before and can't remember the specifics on them.

    no ip domain lookup - takes away the annoying wait when you mistype a command

    HTH

    joe
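    As an added example (not from this thread, the poster, or Cisco's own documentation), the script below parses an ip inspect block like the one asked about and summarises what the CBAC rule set actually covers: which protocols each inspection rule inspects, which ones carry the router-traffic keyword, whether a max-sessions cap is set, and what the reassembly limits are. The sample config is constructed; it restores the truncated first line to the full ip inspect tcp reassembly queue length form and, for the alert check, assumes the global ip inspect alert-off command, which is not in the thread.

```python
"""Summarise a Cisco IOS CBAC ('ip inspect') configuration for review.

Constructed example, not the forum poster's or Cisco's code. It parses the
inspection statements and reports what the rule set covers, so a reviewer
can check the firewall configuration without reading every line.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the inspection block from the thread, with the
# truncated first line restored to the full 'ip inspect tcp reassembly' form.
SAMPLE_CONFIG = """\
ip inspect tcp reassembly queue length 512
ip inspect tcp reassembly memory limit 256
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW dns
ip inspect name FW icmp
ip inspect name FW netbios-dgm
ip inspect name FW netbios-ns
ip inspect name FW netbios-ssn
ip inspect name FW ssh
ip inspect name FW telnet alert on
ip inspect name FW https
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW parameter max-sessions 1000
"""

# Per-protocol options that take a value; anything else is kept as a bare flag
# (e.g. 'router-traffic') so unknown keywords still show up for the reviewer.
VALUED_OPTS = {"alert", "audit-trail", "timeout"}


@dataclass
class InspectRule:
    name: str
    protocols: Dict[str, Dict[str, Optional[str]]] = field(default_factory=dict)
    max_sessions: Optional[int] = None


@dataclass
class CbacConfig:
    rules: Dict[str, InspectRule] = field(default_factory=dict)
    reassembly: Dict[str, int] = field(default_factory=dict)
    alert_off: bool = False          # global 'ip inspect alert-off' present
    unparsed: List[str] = field(default_factory=list)


def _parse_options(tokens: List[str]) -> Dict[str, Optional[str]]:
    """Turn 'alert on router-traffic' into {'alert': 'on', 'router-traffic': None}."""
    opts: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(tokens):
        if tokens[i] in VALUED_OPTS and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            opts[tokens[i]] = None
            i += 1
    return opts


def parse_cbac(config: str) -> CbacConfig:
    """Parse only the 'ip inspect' lines; everything else in the config is ignored."""
    cfg = CbacConfig()
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if tokens[:2] != ["ip", "inspect"] or len(tokens) < 3:
            continue
        if tokens[2:4] == ["tcp", "reassembly"] and len(tokens) >= 6 and tokens[-1].isdigit():
            # 'queue length 512' -> reassembly['queue length'] = 512
            cfg.reassembly[" ".join(tokens[4:-1])] = int(tokens[-1])
        elif tokens[2:] == ["alert-off"]:
            cfg.alert_off = True
        elif tokens[2] == "name" and len(tokens) >= 5:
            rule = cfg.rules.setdefault(tokens[3], InspectRule(tokens[3]))
            if tokens[4] == "parameter":
                if tokens[5:6] == ["max-sessions"] and len(tokens) == 7 and tokens[6].isdigit():
                    rule.max_sessions = int(tokens[6])
                else:
                    cfg.unparsed.append(raw.strip())
            else:
                rule.protocols[tokens[4]] = _parse_options(tokens[5:])
        else:
            cfg.unparsed.append(raw.strip())
    return cfg


def review(cfg: CbacConfig) -> List[str]:
    """Points a reviewer would want flagged about the inspection rule set."""
    notes: List[str] = []
    for key in ("queue length", "memory limit"):
        if key not in cfg.reassembly:
            notes.append(f"no 'ip inspect tcp reassembly {key}' limit set")
    for rule in cfg.rules.values():
        if rule.max_sessions is None:
            notes.append(f"rule {rule.name}: no 'parameter max-sessions' cap")
        for proto, opts in sorted(rule.protocols.items()):
            if "router-traffic" in opts:
                notes.append(f"rule {rule.name}: {proto} also inspects traffic to/from the router itself")
            # Alerts default on; a global alert-off silences every protocol that
            # does not carry an explicit 'alert on'.
            if cfg.alert_off and opts.get("alert") != "on":
                notes.append(f"rule {rule.name}: {proto} alerts disabled by global 'ip inspect alert-off'")
    return notes


if __name__ == "__main__":
    parsed = parse_cbac(SAMPLE_CONFIG)
    for rule_name, rule in parsed.rules.items():
        print(f"{rule_name}: {len(rule.protocols)} protocols, max-sessions={rule.max_sessions}")
    print("reassembly:", parsed.reassembly)
    for note in review(parsed):
        print("-", note)
```

    Running it against the sample reports one rule (FW) covering 12 protocols with a 1000-session cap, the two reassembly limits, and a note that tcp and udp are inspected with router-traffic, which matters because those entries also cover sessions the router itself originates or terminates.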
  • QHalo Member Posts: 1,488
    This is where Cisco's site comes in real handy. You can look up the commands and they'll explain them for you.

    Cisco IOS Security Command Reference - icmp idle-timeout through ip http ezvpn [Support] - Cisco Systems

    HTH