I read in the Cisco Security Architecture book that the TCP intercept option is available on router platforms from version 11.3. I have a Cisco 3640 with IOS 12.(x) Firewall feature set. But when I type in ip tcp intercept in the global configuration I am getting "unrecognised command". Is this command router specific?
Can I use CBAC to act as an application firewall for my webservers? If possible, what are the steps that I need to do?
Thanks in Advance
TCP intercept will help in preventing SYN flood attacks (DoS attacks) for your servers running protocols over TCP. It won't help if any server is running UDP.
Also check the naming convention for your IOS for the 3600 with firewall feature set. A sample one would look like c3640-io3-mz.122-7c.bin
c3640 obviously means the IOS is for a 3640.
io3 - IP subset; o3 stands for firewall with SSH support
Get back with the one that you have.
CBAC can be used as an app-based FW.
For details about CBAC:
This link helps a lot in understanding the Cisco IOS FW feature set. Also it helps a lot in CCNP Security certifications.
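As an added illustration (constructed for this thread, not configuration posted by any of the participants or taken from Cisco documentation), the two approaches the reply above mentions, written out for a web server behind the router. The IP address, ACL numbers, interface name, inspection rule name and all thresholds are placeholders I chose; TCP intercept additionally assumes an IOS image that actually includes the feature, which the image naming discussion in this thread is about. The two parts are alternatives, shown back to back only for comparison.

```cisco
! ===== Alternative A: TCP Intercept (constructed example) =====
! 192.0.2.10 is a placeholder address for the web server.
! ACL 101 selects which inbound connections the router intercepts:
! only TCP to the web server on port 80, from any source.
access-list 101 permit tcp any host 192.0.2.10 eq www
!
! Turn on TCP intercept for connections matching ACL 101.
ip tcp intercept list 101
!
! "intercept" mode: the router answers the client's SYN itself and only
! opens a connection to the server once the client completes the
! three-way handshake, so spoofed SYNs never reach the server.
! "watch" mode would instead let the SYN through and reset connections
! that stay half-open too long.
ip tcp intercept mode intercept
!
! Aggressive-mode thresholds (placeholder values): once the number of
! half-open connections passes "high", the router drops the oldest
! half-open connections until the count falls back below "low".
! The one-minute pair does the same for the rate of new attempts.
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 800
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 800
!
! Verification after enabling (exec mode):
!   show tcp intercept connections
!   show tcp intercept statistics
!
!
! ===== Alternative B: CBAC inspection (constructed example) =====
! Do not enable this together with TCP intercept on the same router;
! a later reply in this thread notes Cisco advises against combining them.
!
! ACL 110 sits inbound on the untrusted interface and admits only
! HTTP to the web server; everything else is dropped.
access-list 110 permit tcp any host 192.0.2.10 eq www
access-list 110 deny ip any any
!
! Inspection rule WEBFW (placeholder name) inspects HTTP sessions.
! Sessions are tracked in the state table and torn down when they
! end or idle out.
ip inspect name WEBFW http
!
! CBAC's half-open connection limits (placeholder values) give the
! SYN-flood protection: above "high" half-open sessions the router
! starts deleting half-open sessions until it is back below "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Per-destination-host limit: when one host accumulates more than
! 50 half-open TCP sessions, new ones are dropped; block-time 0
! means only the oldest half-open session is deleted for each new one.
ip inspect tcp max-incomplete host 50 block-time 0
!
! Apply on the interface facing the untrusted network (placeholder
! interface name and description).
interface Serial0/0
 description untrusted side, constructed example
 ip access-group 110 in
 ip inspect WEBFW in
!
! Verification (exec mode):
!   show ip inspect sessions
!   show ip inspect statistics
```

Whichever alternative is used, the thresholds should be tuned from the "show ... statistics" counters under normal load before relying on them, since values set too low will start dropping legitimate half-open connections during a busy period.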
Thanks a lot for your information. The IOS I have is c3640-ik8o3s-mz.122-7c.bin. I need to prevent SYN floods on my webserver by making the router intercept the connections from the untrusted network. Is it possible with the IOS version I have?
Thanks in Advance
In the global configuration when I type in ip tcp ? I am getting only the options that are below and no intercept option.
According to the Cisco "software advisor" (nee "feature navigator") at
you need an Enterprise Plus or Service Provider PT/TARP IOS image to get TCP Intercept on 3640 IOS 12.2(7c). IP Firewall images are not enough to get you what you need on a 3640. Note that you may need a CCO login to get to the software advisor page (I have not tried it without logging in).
Vincent C Jones
The IOS image name would look like this when you have an enterprise version
Note that you have
J for enterprise.
Also Cisco recommends not using CBAC and TCP intercept together, as both use the same software engine, which could lead to performance issues.
Also the enterprise version of the software requires 96 MB DRAM and 32 MB flash.