Firewall Commands - sysopt
Change firewall system options. (Configuration mode.)
[no] sysopt connection permit-pptp
[no] sysopt connection permit-l2tp
[no] sysopt connection permit-ipsec
[no] sysopt connection tcpmss bytes
[no] sysopt connection timewait
[no] sysopt ipsec pl-compatible
[no] sysopt nodnsalias inbound
[no] sysopt nodnsalias outbound
[no] sysopt noproxyarp if_name
[no] sysopt security fragguard
[no] sysopt radius ignore-secret
[no] sysopt route dnat
[no] sysopt uauth allow-http-cache
clear sysopt
show sysopt
Syntax
connection permit-ipsec Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections. connection permit-l2tp Implicitly permit any packet that came from an L2TP/IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for L2TP/IPSec connections. connection permit-pptp Allow PPTP traffic to bypass conduit or access-list command statement checking. Force TCP proxy connection to have a maximum segment size no greater than bytes. The default value for bytes is 1380. connection timewait Force each TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final normal TCP close-down sequence. ipsec pl-compatible Enable IPSec packets to bypass the firewall unit's NAT and ASA features and allows incoming IPSec packets to terminate on the inside interface. nodnsalias inbound Disable inbound embedded DNS A record fixups according to aliases that apply to the A record address. nodnsalias outbound Disable outbound DNS A record replies. noproxyarp if_name Disable proxy-arps on a firewall interface. route dnat Specify that when an incoming packet does a route lookup, the incoming interface is used to determine which interface the packet should go to, and which is the next hop. security fragguard Enable the IP Frag Guard feature. radius ignore-secret Ignore authenticator key to avoid retransmit caveat. uauth allow-http-cache Allows the web browser to supply a username and password from its cache for AAA authentication.
Usage Guidelines
The sysopt commands let you tune various firewall security and configuration features. In addition, you can use this command to disable the IP Frag Guard feature.
There is no need to enter the sysopt connection permit-12tp command if the sysopt connection permit-ipsec command is present.
sysopt connection permit-ipsec
Permit IPSec traffic to pass through the firewall without a check of conduit or access-list command statements.
An access-list or conduit command statement must be available for inbound sessions.
By default, any inbound session must be explicitly permitted by a conduit or access-list command statement. With IPSec protected traffic, the secondary access list check could be redundant. To enable IPSec authenticated/cipher inbound sessions to always be permitted, use the sysopt connection permit-ipsec command.
If both the sysopt ipsec pl-compatible command and the sysopt connection permit- ipsec command are used within the configuration, the sysopt ipsec pl-compatible command will take precedence.
If the sysopt connection permit-ipsec command is not configured, explicitly configure an access-list command statement to permit IPSec traffic to traverse the PIX Firewall.
The no sysopt connection permit-ipsec command disables the option.
sysopt connection permit-pptp
Let PPTP traffic bypass conduit and access-list command statement checking. Use the vpdn command to implement PPTP.
In the following example, a PPTP client authenticates using mschap, negotiates mppe encryption, receives the dns and wins server addresses, and Telnets to the host 192.168.0.2 directly through the nat 0 command.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254 aaa-server my- aaa-server-group (inside) host 192.168.0.10 key 12345678 aaa-server my- aaa-server-group protocol radius vpdn group 1 accept dialin pptp vpdn group 1 ppp authentication mschap vpdn group 1 ppp encryption mppe auto required vpdn group 1 client configuration address local my-addr-pool vpdn group 1 client authentication aaa my- aaa-server-group vpdn group 1 client configuration dns 10.2.2.99 vpdn group 1 client configuration wins 10.2.2.100 vpdn enable outside access-list nonat permit ip 10.1.1.0 255.255.255.0 host 192.168.0.2 access-list nonat permit ip 10.1.1.0 255.255.255.0 host 10.2.2.99 access-list nonat permit ip 10.1.1.0 255.255.255.0 host 10.2.2.100 nat (inside) 0 access-list no nat sysopt connection permit-pptp
sysopt connection permit-ipsec
The following is a minimal IPSec configuration to enable a session to be connected from host 172.21.100.123 to host 172.21.200.67 across an IPSec tunnel that terminates from peer 209.165.201.1 to peer 201.165.200.225.
With sysopt connection permit-ipsec and access-list command statements:
On peer 209.165.201.1:
static 172.21.100.123 172.21.100.123 access-list 10 permit ip host 172.21.200.67 host 172.21.100.123 crypto ipsec transform-set t1 esp-des esp-md5-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address 10 crypto map mymap 10 set transform-set t1 crypto map mymap 10 set peer 172.21.200.1 crypto map mymap interface outsideOn peer 201.165.200.225:
static 172.21.200.67 172.21.200.67 access-list 10 permit ip host 172.21.100.123 host 172.21.200.67 crypto ipsec transform-set t1 esp-des esp-md5-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address 10 crypto map mymap 10 set transform-set t1 crypto map mymap 10 set peer 172.21.100.1 crypto map mymap interface outsideWith sysopt connection permit-ipsec and without conduit command statements:
On peer 209.165.201.1:
static 172.21.100.123 172.21.100.123 access-list 10 permit ip host 172.21.200.67 host 172.21.100.123 crypto ipsec transform-set t1 esp-des esp-md5-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address 10 crypto map mymap 10 set transform-set t1 crypto map mymap 10 set peer 172.21.200.1 crypto map mymap interface outside sysopt connection permit-ipsecOn peer 201.165.200.225:
static 172.21.200.67 172.21.200.67 access-list 10 permit ip host 172.21.100.123 host 172.21.200.67 crypto ipsec transform-set t1 esp-des esp-md5-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address 10 crypto map mymap 10 set transform-set t1 crypto map mymap 10 set peer 172.21.100.1 crypto map mymap interface outside sysopt connection permit-ipsec
sysopt connection permit-l2tp
This command allows L2TP traffic to bypass conduit/access-list checking. Because L2TP traffic can only come from IPSec, the sysopt connection permit-ipsec command will allow L2TP traffic to pass as well.
sysopt ipsec pl-compatible
The sysopt ipsec pl-compatible command enables the IPSec feature to simulate the Private Link feature supported in firewall version 4. The Private Link feature provides encrypted tunnels to be established across an unsecured network between Private-Link equipped firewall units. The sysopt ipsec pl-compatible command allows IPSec packets to bypass the NAT and ASA features and enables incoming IPSec packets to terminate on the sending interface.
The sysopt ipsec pl-compatible command is not available on a PIX 501.
The no sysopt ipsec pl-compatible command disables the option, which is off by default.
When using the sysopt ipsec pl-compatible command, all firewall features, such as access list control, stateful inspection, and user authentication, are bypassed for IPSec packets only.
If both the sysopt ipsec pl-compatible command and the sysopt connection permit- ipsec command are used within the configuration, the sysopt ipsec pl-compatible command will take precedence.
If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.
sysopt connection tcpmss
The sysopt connection tcpmss command forces proxy TCP connections to have a maximum segment size no greater than bytes. This command requests that each side not send a packet of a size greater than bytes at any time during the initial TCP connection establishment.
If the client sending the proxy TCP connection does not announce a maximum segment size, firewall assumes that the RFC 793 default value of 536 bytes is in effect. If the client announces a maximum segment size larger than the number of bytes, firewall reduces the maximum segment size to bytes.
The bytes value can be a minimum of 28 and any maximum number. You can disable this feature by setting bytes to zero. By default, the firewall sets 1380 bytes as the sysopt connection tcpmss even though this command does not appear in the default configuration. The calculation for setting the TCP maximum segment size to 1380 bytes is as follows.
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes1500 bytes is the MTU for Ethernet connections. We recommend that the default value of 1380 bytes be used for Ethernet and mixed Ethernet and Token Ring environments. If the firewall has all Token Ring interfaces, you can set bytes to 4056. However, if even one link along the path through the network is not a Token Ring, setting bytes to such a high value may cause poor throughput. In its 1380 byte default value, this command increases throughput of the sysopt security fragguard command.
The TCP maximum segment size is the maximum size that an end host can inject into the network at one time (see RFC 793 for more information on the TCP protocol). The sysopt connection tcpmss command is recommended in a network environment being attacked being with overly aggressive TCP or HTTP stack with a faulty path MTU value that is degrading the performance of the firewall IP Frag Guard feature. Environments where one or more end hosts reside on a Token Ring network are especially susceptible to this faulty behavior.
Although, not advised for normal use of this feature, if you encounter the syslog IPFRAG messages 209001 and 209002, you can raise the bytes value.
sysopt connection timewait
The sysopt connection timewait command is necessary for end host applications whose default TCP terminating sequence is a simultaneous close instead of the normal shutdown sequence (see RFC 793). In a simultaneous close, both ends of the transaction initiate the closing sequence, as opposed to the normal sequence where one end closes and the other end acknowledges prior to initiating its own closing sequence.
The default behavior of the firewall is to track the normal shutdown sequence and release the connection after two FINs and the ACKnowledgment of the last FIN segment. This quick release heuristic enables the firewall to sustain a high connection rate.
However with a simultaneous close, the quick release forces one side of the connection to linger in the CLOSING state (see RFC 793). Many sockets in the CLOSING state can degrade the performance of an end host. For instance, some WinSock mainframe clients are known to exhibit this behavior and degrade the performance of the mainframe server. Old versions of HP/UX are also susceptible to this behavior. Enabling the sysopt connection timewait command enables a quiet time window for the abnormal close down sequence to complete.
The no sysopt connection timewait command disables the option, which is off by default.
Use of the sysopt connection timewait command may impact firewall performance especially with low memory configuration and highly dynamic traffic pattern such as HTTP.
sysopt nodnsalias
The sysopt nodnsalias inbound disables inbound embedded DNS A record fixups according to aliases that apply to the A record address. sysopt nodnsalias outbound affects outbound replies.
This command remedies the case when a DNS server is on the outside and users on the inside need to access a server on a perimeter interface. In the past, you would use the alias command to permit DNS responses to resolve correctly through the firewall, but formerly you had to reverse the parameters for the local IP address and foreign IP address.
For example, you would normally code the alias command as follows:
alias (inside) 192.168.1.4 209.165.201.11 255.255.255.255Inside host 192.168.1.5 needs access to www.example.com, which resolves at an outside ISP DNS to 209.165.201.11. The firewall fixes this DNS response sending the host a response of 192.168.1.4. The host uses its gateway (the firewall) to go to 192.168.1.4, which the firewall now aliases back to the 209.165.201.11. Because this is actually 192.168.1.4, a server on the perimeter interface of the firewall, the packet is dropped because the firewall sent the packet to the outside interface, which is the incorrect interface.
The sysopt nodns alias inbound command has the same effect as reversing the alias command statement parameters as follows:
alias (inside) 209.165.201.11 192.168.1.4 255.255.255.255This works properly because everything happens in reverse. The DNS is now modified to 209.165.201.11 and the host inside uses its gateway (the firewall) to get there, the firewall aliases this back to 192.168.1.4 and routes it out the perimeter interface to the correct host and the TCP connection is established.
sysopt noproxyarp
The sysopt noproxyarp command allows you to disable proxy-arps on a firewall interface.
sysopt radius ignore-secret
Some commonly used RADIUS servers, such as Livingston version 1.16, have a usage caveat where they do not include the key in the authenticator hash in the accounting acknowledgment response. This can cause the firewall to continually retransmit the accounting request. Use the sysopt radius ignore-secret command to cause the firewall to ignore the key in the authenticator of accounting acknowledgments thus avoiding the retransmit problem. (The key described here is the key you set with the aaa-server command.)
sysopt route dnat
The sysopt route dnat command specifies that when an incoming packet does a route lookup, the incoming interface is used to determine which interface the packet should go to, and which is the next hop.
sysopt security fragguard
The sysopt security fragguard command enables the IP Frag Guard feature. This feature is disabled by default. This feature enforces two addition security checks in addition to the security checks recommended by RFC 1858 against the many IP fragment style attacks: teardrop, land, and so on. First, each non-initial IP fragments is required to be associated with an already seen valid initial IP fragments. Second, IP fragments are rated to 100 full IP fragmented packets per second to each internal host.
The IP Frag Guard feature operates on all interfaces in the firewall and cannot be selectively enabled or disabled by interface.
The firewall uses the security fragguard command to enforce the security policy determined by a access-list permit or access-list deny command to permit or deny packets through the firewall.
Use of the sysopt security fragguard command breaks normal IP fragmentation conventions. However, not using this command exposes firewall to the possibility of IP fragmentation attacks. We recommend that packet fragmentation not be permitted on the network if at all possible.
If firewall is used as a tunnel for FDDI packets between routers, disable the security fragguard command feature. Because Linux sends IP fragments in reverse order, fragmented Linux packets will not pass through the firewall with the sysopt security fragguard command enabled.
The show sysopt command lists the sysopt commands in the configuration. The clear sysopt command resets the sysopt command to default settings. The no sysopt security fragguard command disables the IP Frag Guard feature.
The following example disables IP Frag Guard and then lists the current command options:
no sysopt security fragguard show sysopt sysopt security fragguard no sysopt connection tcpmss no sysopt connection timewait