Cisco Support Community
Community Member

Ip Tcp intercept and cbac

I read in the Cisco Security Architecture book that the TCP intercept option is available on router platforms from version 11.3. I have a Cisco 3640 with IOS 12.(x) Firewall feature set. But when I type in ip tcp intercept in the global configuration I am getting an unrecognised command error. Is this command router specific?

Can I use CBAC to act as an application firewall for my webservers? If possible, what are the steps that I need to do?

Thanks in Advance


Re: Ip Tcp intercept and cbac

Does your IOS have the firewall feature set?

Community Member

Re: Ip Tcp intercept and cbac

Yes, I have IOS with firewall feature set.

Re: Ip Tcp intercept and cbac

TCP intercept will help in preventing SYN flood attacks (DoS attacks) for your servers running protocols over TCP. It won't help if any server is running UDP.

Also check the naming convention for your ios for the 3600 with firewall feature set. A sample one would look like c3640-io3-mz.122-7c.bin

c3640 obviously means the ios is for a 3640.

io3 - ip subset, o3 stands for firewall with ssh support

Get back with the one that you have.

CBAC can be used as an app-based FW.

For details about CBAC.

This link helps a lot in understanding the Cisco IOS FW feature set. Also it helps a lot in CCNP Security certifications.
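A minimal TCP intercept configuration for the SYN flood protection described above, as an added example that is not part of the original thread. It assumes an IOS image that actually exposes the `ip tcp intercept` command; the server address 192.0.2.10 and ACL number 110 are placeholders, and the thresholds shown are the documented default values written out explicitly.

```cisco
! Added example (constructed): 192.0.2.10 and ACL 110 are placeholders,
! not values from the thread.
!
! Select only TCP traffic destined for the protected web server.
! UDP services are not covered by TCP intercept.
access-list 110 permit tcp any host 192.0.2.10 eq www
!
! Apply TCP intercept to connections matching ACL 110.
ip tcp intercept list 110
!
! intercept mode: the router answers the client's SYN itself and opens
! the server-side connection only after the client completes the
! three-way handshake. (watch mode instead lets the SYN through and
! resets sessions that stay half-open past the watch timeout.)
ip tcp intercept mode intercept
!
! Thresholds for aggressive behaviour, counted over all half-open
! connections and over connection attempts in the last minute.
! Above "high" the router starts dropping half-open sessions and
! continues until the count falls below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! When aggressive, drop the oldest half-open connection first.
ip tcp intercept drop-mode oldest
```

Once applied, `show tcp intercept connections` and `show tcp intercept statistics` show whether sessions are being intercepted and how many are incomplete.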

Community Member

Re: Ip Tcp intercept and cbac

Thanks a lot for your information. The IOS I have is c3640-ik8o3s-mz.122-7c.bin. I need to prevent SYN floods on my webserver by making the router intercept the connections from the untrusted network. Is it possible with the IOS version I have?

Thanks in Advance

Re: Ip Tcp intercept and cbac

What options do you see after entering

ip tcp ?

Do you see the intercept option?

Community Member

Re: Ip Tcp intercept and cbac

In the global configuration when I type in ip tcp ? I am getting only the options that are below and no intercept option.












Re: Ip Tcp intercept and cbac

According to the Cisco "software advisor" (nee "feature navigator") at

you need an Enterprise Plus or Service Provider PT/TARP IOS image to get TCP Intercept on 3640 IOS 12.2(7c). IP Firewall images are not enough to get you what you need on a 3640. Note that you may need a CCO login to get to the software advisor page (I have not tried it without logging in).

Good luck!

Vincent C Jones

Re: Ip Tcp intercept and cbac

The IOS image name would look like this when you have an enterprise version


Note that you have


J for enterprise.

Also Cisco recommends not using CBAC and TCP intercept together, as both use the same software engine, which could lead to performance issues.

Also the enterprise version of the software requires 96 MB DRAM and 32 MB flash.

Community Member

Re: Ip Tcp intercept and cbac

Thanks a lot for your information.
