09-30-2002 10:05 AM - edited 03-02-2019 01:44 AM
I read in the Cisco Security Architecture book that the TCP intercept option is available on router platforms from version 11.3. I have a Cisco 3640 with IOS 12.(x) Firewall feature set. But when I type in ip tcp intercept in the global configuration I am getting unrecognised command? Is this command router specific?
Can I use CBAC to act as an application firewall for my web servers? If possible, what are the steps that I need to do.
Thanks in Advance
09-30-2002 10:29 AM
Does your IOS have the firewall feature set?
09-30-2002 10:54 AM
Yes, I have IOS with firewall feature set.
09-30-2002 04:57 PM
TCP intercept will help in preventing SYN flood attacks (DoS attacks) for your servers running protocols over TCP. It won't help if any server is running UDP.
Also check the naming convention for your IOS for the 3600 with firewall feature set. A sample one would look like c3640-io3-mz.122-7c.bin
c3640 obviously means the IOS is for a 3640.
io3 - IP subset, o3 stands for firewall with SSH support
Get back with the one that you have.
CBAC can be used as an app-based FW.
For details about CBAC, see:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/
This link helps a lot in understanding the Cisco IOS FW feature set. Also it helps a lot in CCNP Security certifications.
09-30-2002 05:18 PM
Thanks a lot for your information. The IOS I have is c3640-ik8o3s-mz.122-7c.bin. I need to prevent SYN floods on my web server by making the router intercept the connections from the untrusted network. Is it possible with the IOS version I have?
Thanks in Advance
09-30-2002 05:32 PM
What options do you see after entering
ip tcp ?
Do you see an intercept option?
09-30-2002 05:35 PM
In the global configuration, when I type in "ip tcp ?" I am getting only the options below and no intercept option.
async-mobility
chunk-size
mss
path-mtu-discovery
queuemax
selective-ack
synwait-time
timestamp
window-size
Thanks
09-30-2002 06:03 PM
According to the Cisco "software advisor" (nee "feature navigator") at
http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl
you need an Enterprise Plus or Service Provider PT/TARP IOS image to get TCP Intercept on 3640 IOS 12.2(7c). IP Firewall images are not enough to get you what you need on a 3640. Note that you may need a CCO login to get to the software advisor page (I have not tried it without logging in).
Good luck!
Vincent C Jones
09-30-2002 06:09 PM
The IOS image name would look like this when you have an enterprise version:
c3640-jk8o3s-mz.12.2-7c
Note that you have:
c3640-ik8o3s-mz.12.2-7c
J is for enterprise.
Also, Cisco recommends not using CBAC and TCP intercept together, as both use the same software engine, which could lead to performance issues.
Also, the enterprise version of the software requires 96 MB DRAM and 32 MB flash.
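For reference, this is what the TCP intercept setup the original poster is after looks like once an image that carries the feature is installed. It is an added example, not from any post in this thread, and it assumes an Enterprise image on which "ip tcp intercept" is accepted; 192.0.2.10 is a placeholder address for the web server.

```cisco
! Constructed example: TCP intercept in front of a single web server
! Assumes an IOS image that includes TCP intercept (Enterprise, per the replies above)
! 192.0.2.10 is a placeholder for the protected web server
!
! Only TCP connections matching this ACL are intercepted; all other traffic
! is forwarded untouched. Keep the ACL narrow so the router only proxies the
! handshakes it actually needs to.
access-list 101 permit tcp any host 192.0.2.10 eq 80
!
ip tcp intercept list 101
!
! "intercept" mode: the router answers the client's SYN itself and only opens
! the connection to the server once the 3-way handshake completes, so a flood
! of SYNs never consumes the server's backlog. "watch" mode instead lets the
! SYN through and only resets connections that stay half-open too long.
ip tcp intercept mode intercept
!
! In watch mode, how long a half-open connection may stay incomplete (default 30 s)
ip tcp intercept watch-timeout 15
!
! Aggressive-mode thresholds. When the number of half-open connections, or the
! number of connection attempts in the last minute, rises above "high", the
! router starts dropping half-open connections and shortens its retransmission
! timers until the count falls back below "low" (defaults: high 1100, low 900).
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! Which half-open connection to drop first in aggressive mode
! ("oldest" is the default; "random" avoids a flood that keeps renewing old entries)
ip tcp intercept drop-mode oldest
```

"show tcp intercept statistics" and "show tcp intercept connections" show whether the router is currently in aggressive mode and which half-open connections it is holding, which is the quickest way to confirm the thresholds are appropriate for the server's normal load.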
10-01-2002 10:33 AM
Thanks a lot for your information.