Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Snydersh1_2
Snydersh1_2
Community Member
‎10-20-2006 09:55 AM
‎10-20-2006 09:55 AM

TCP Intercept

I am trying to apply TCP Intercept to my serial int on the border router. When creating the ACL for TCP-I, is it effective for In-bound traffic only or In and Out? I am also debating between Watch Mode and Intercept. I want to use Watch at first because we are not sure how some of our server load balancers are going to react to the change. Any suggestions on the modes? What about adjusting the timers. I want to change the watch timeout to 15sec and finrst-timeout to 3 secs, any advice?

!Shannon

0 Helpful
Reply
3 REPLIES
dave
dave
Community Member
‎10-22-2006 09:46 PM
‎10-22-2006 09:46 PM

Re: TCP Intercept

Greetings,

'ip tcp intercept-list ACL' is a global command. The ACL is a standard ACL, so traffic flowing through the router that matches you ACL will be "intercepted".

To watch your server 1.1.1.1, use

access-list extended ACL

permit tcp any host 1.1.1.1

Watch mode will keep an eye on sessions and send a reset if the three-way handshake doesn't complete within the specified period.

Intercept mode is far more intensive on the router and actually handles the full TCP setup, then "knits" the TCP sessions together once the 3way shake has completed.

->If you're router isn't very grunt, don't use intercept.

Regards,

Dave Seddon

Reply
Snydersh1_2
Snydersh1_2
Community Member
‎10-23-2006 04:45 AM
‎10-23-2006 04:45 AM

Re: TCP Intercept

Thank you Dave,

Regarding the ACL; If a deny statement is used in the 'ip tcp intercept-list', does it deny the TCP packet from traversing the router or does it only deny the packet from the TCP Intercept process?

Reply
pcarvill
pcarvill
Community Member
‎10-23-2006 11:37 PM
‎10-23-2006 11:37 PM

Re: TCP Intercept

A deny in the ACL referenced will only deny traffic from being watched.

ACLs can be applied in many different places. An important point to remember is that the ACL is only relevant to the process referenced. When an interface references an ACL, traffic can be blocked or permitted across the router. However, ACLs attached to processes affect traffic 'traversing' those processes, ie dialer-lists, watch-lists, QoS classes, tcp intercept.

HTH,

Paul

0 Helpful
Reply
Latest Documents
cisco packet tracer
Created by Gentsmafia on 04-25-2018 05:14 PM
0
0
0
0
 
PFRv3 channel state questions
Created by Vasilii Mikhailovskii on 04-23-2018 05:06 AM
0
0
0
0
This document gives several answers on frequently asked questions for PFRv3 channel state behavior. Q1: What are all the channel operational states from a BR (border role) perspective and what are the rules/conditions to be in each st... view more
VPN and static NAT problem
Created by Jacopo Belcredi on 04-23-2018 04:07 AM
0
0
0
0
Symptoms The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921). The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN. I couldn't connect to the hos... view more
All Documents
156
Views
7
Helpful
3
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
Glimpse of "EIGRP name mode configuration"
Created by ashirkar on 10-01-2013 02:06 AM
7
79
7
79
What happens, when router receives packet?
Created by ashirkar on 10-18-2012 03:19 AM
31
49
31
49
BLOG (No Title)
Created by Akula Jyoti Lakshmi on 08-09-2011 09:13 PM
15
43
15
43
All Blogs