TCP Intercept

Snydersh1_2
Level 1

I am trying to apply TCP Intercept to my serial interface on the border router. When creating the ACL for TCP-I, is it effective for inbound traffic only, or in and out? I am also debating between Watch mode and Intercept mode. I want to use Watch at first because we are not sure how some of our server load balancers are going to react to the change. Any suggestions on the modes? What about adjusting the timers? I want to change the watch-timeout to 15 sec and the finrst-timeout to 3 sec; any advice?

!Shannon

3 Replies

dave
Level 1

Greetings,

'ip tcp intercept-list ACL' is a global command. The ACL is a standard ACL, so traffic flowing through the router that matches your ACL will be "intercepted".

To watch your server 1.1.1.1, use

ip access-list extended ACL
 permit tcp any host 1.1.1.1

Watch mode will keep an eye on sessions and send a reset if the three-way handshake doesn't complete within the specified period.

Intercept mode is far more intensive on the router and actually handles the full TCP setup, then "knits" the TCP sessions together once the 3-way handshake has completed.

If your router doesn't have much grunt, don't use intercept.

Regards,

Dave Seddon

Thank you Dave,

Regarding the ACL: if a deny statement is used in the 'ip tcp intercept-list', does it deny the TCP packet from traversing the router, or does it only exclude the packet from the TCP Intercept process?

A deny in the ACL referenced will only deny traffic from being watched.

ACLs can be applied in many different places. An important point to remember is that the ACL is only relevant to the process that references it. When an interface references an ACL, traffic can be blocked or permitted across the router. However, ACLs attached to processes affect only traffic 'traversing' those processes, i.e. dialer-lists, watch-lists, QoS classes, tcp intercept.

HTH,

Paul
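Putting the three answers together, here is an added example configuration (not posted by anyone in the thread) that starts in watch mode with the timers from the question and uses a deny entry to exempt one host from interception. 1.1.1.1 is the server from Dave's reply; 1.1.1.2 and the ACL name TCPI-SERVERS are constructed for the example.

```cisco
! The extended ACL selects which TCP SYNs the intercept process looks at.
! A deny here only exempts a flow from being watched; it does not drop the
! packet, because this ACL is referenced by the tcp intercept process, not
! by an interface.
ip access-list extended TCPI-SERVERS
 deny   tcp any host 1.1.1.2
 permit tcp any host 1.1.1.1
!
! TCP intercept is configured globally, not per interface or direction;
! the ACL's destination match is what ties it to the protected servers.
ip tcp intercept list TCPI-SERVERS
!
! Watch mode: the router passively watches the handshake and sends a reset
! to the server if it does not complete within watch-timeout. Start here,
! as the question suggests, before considering intercept mode.
ip tcp intercept mode watch
!
! Timers from the question (IOS defaults are 30 s and 5 s respectively).
ip tcp intercept watch-timeout 15
ip tcp intercept finrst-timeout 3
!
! Verification commands to run after applying the config:
! show tcp intercept connections
! show tcp intercept statistics
```

Check the statistics output for a while in watch mode before switching to intercept mode, since resets sent by the router to the load-balanced servers are what the poster was worried about.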
