Cisco Systems ASA 5555-X Network Router User Manual

Open as PDF

of 712

10-28

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 10 Configuring Inspection of Basic Internet Protocols

IPv6 Inspection

Detailed Steps

Examples

The following example creates an inspection policy map that will drop and log all IPv6 packets with the

hop-by-hop, destination-option, routing-address, and routing type 0 headers:

policy-map type inspect ipv6 ipv6-pm

parameters

match header hop-by-hop

Command Purpose

Step 1

policy-map type inspect ipv6 name

Example:

ciscoasa(config)# policy-map type inspect

ipv6 ipv6-map

Creates an inspection policy map.

Step 2

match header header

[drop [log] | log]

Example:

ciscoasa(config-pmap)# match header ah

ciscoasa(config-pmap-c)# drop log

ciscoasa(config-pmap-c)# match header esp

ciscoasa(config-pmap-c)# drop log

Specifies the headers you want to match. By default, the packet is

logged (log); if you want to drop (and optionally also log) the

packet, enter the drop and optional log commands in match

configuration mode.

Re-enter the match command and optional drop action for each

extension you want to match:

• ah—Matches the IPv6 Authentication extension header

• count gt number—Specifies the maximum number of IPv6

extension headers, from 0 to 255

• destination-option—Matches the IPv6 destination-option

extension header

• esp—Matches the IPv6 Encapsulation Security Payload

(ESP) extension header

• fragment—Matches the IPv6 fragment extension header

• hop-by-hop—Matches the IPv6 hop-by-hop extension

header

• routing-address count gt number—Sets the maximum

number of IPv6 routing header type 0 addresses, greater than

a number between 0 and 255

• routing-type {eq | range} number—Matches the IPv6

routing header type, from 0 to 255. For a range, separate

values by a space, for example, 30 40.

Step 3

parameters

[no] verify-header {order | type}

Example:

ciscoasa(config-pmap)# parameters

ciscoasa(config-pmap-p)# no verify-header

order

ciscoasa(config-pmap-p)# no verify-header

type

Specifies IPv6 parameters. These parameters are enabled by

default. To disable them, enter the no keyword.

• [no] verify-header type—Allows only known IPv6

extension headers

• [no] verify-header order—Enforces the order of IPv6

extension headers as defined in the RFC 2460 specification

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Cisco Systems ASA 5555-X Network Router User Manual