Hi Matt,
It’s in the policy-map, take a look below:
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
The output above is from the running configuration. Here’s how to change it:
R2(config)#policy-map type inspect LAN-TO-WAN
R2(config-pmap)#class class-default
R2(config-pmap-c)#?
Policy-map class configuration commands:
  drop  Drop the packet
  exit  Exit from class action configuration mode
  no    Negate or set default values of a command
  pass  Pass the packet
R2(config-pmap-c)#pass
The parameters can be used to check for certain DNS/TCP/UDP parameters and such. Here’s a quick example:
class-map type inspect match-all HTTP_TRAFFIC
 match protocol http
!
parameter-map type inspect TCP_PARAMETERS
 tcp idle-time 15
!
policy-map type inspect test
 class type inspect HTTP_TRAFFIC
  inspect TCP_PARAMETERS
Instead of just using “inspect”, we are also referring to a parameter-map where we specify that the TCP idle time is 15 seconds. There’s a bunch of parameters you can choose from:
R1(config-profile)#?
parameter-map commands:
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  dns-timeout     Specify timeout for DNS
  exit            Exit from parameter-map
  icmp            Config timeout values for icmp
  ipv6            Config IPv6 specific parameters
  max-incomplete  Specify maximum number of incomplete connections before clamping
  no              Negate or set default values of a command
  one-minute      Specify one-minute-sample watermarks for clamping
  sessions        Maximum number of inspect sessions
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  zone-mismatch   Configure Zone mismatch
R1(config-profile)#tcp ?
  finwait-time              Specify timeout for TCP connections after a FIN
  idle-time                 Specify idle timeout for tcp connections
  max-incomplete            Specify max half-open connection per host
  synwait-time              Specify timeout for TCP connections after a SYN and no further data
  window-scale-enforcement  Window scale option for TCP packet
Hope this helps!
Rene
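The two things discussed in the reply above, the class-default action in a "policy-map type inspect" and the parameter-map an "inspect" statement refers to, are the kind of settings worth checking in a saved running-config before a change goes live. The following is an added example (not code from the post or from Cisco): a small Python audit that parses those statements, flags policy-maps whose class-default no longer drops unmatched traffic, and reports parameter-map names that are referenced but never defined. The sample config is constructed; the WAN-TO-LAN policy-map and UDP_PARAMETERS name in it are invented for the demonstration.

```python
# Added example (not from the post): audit 'policy-map type inspect' sections of a
# saved IOS running-config, covering only the statement forms shown in the post.
import re

# Constructed sample: LAN-TO-WAN from the post plus a deliberately weak policy-map.
SAMPLE_CONFIG = """\
parameter-map type inspect TCP_PARAMETERS
 tcp idle-time 15
!
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
!
policy-map type inspect WAN-TO-LAN
 class type inspect HTTP_TRAFFIC
  inspect UDP_PARAMETERS
 class class-default
  pass
!
"""

def parse_inspect_policies(config):
    """Return {policy: {class: (action, parameter_map or None)}}."""
    policies, policy, cls = {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":                     # end of a config section
            policy = cls = None
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            policy = policies.setdefault(m.group(1), {})
        elif policy is None:                # ignore QoS policy-maps, class-maps, etc.
            continue
        elif m := re.match(r"class (?:type inspect )?(\S+)$", line):
            cls = m.group(1)
        elif (m := re.match(r"(inspect|pass|drop)(?: (\S+))?$", line)) and cls:
            policy[cls] = (m.group(1), m.group(2))
    return policies

def policies_passing_by_default(config):
    """Policy-maps whose class-default is not 'drop': unmatched traffic leaves uninspected."""
    return [name for name, classes in parse_inspect_policies(config).items()
            if classes.get("class-default", ("missing", None))[0] != "drop"]

def undefined_parameter_maps(config):
    """Parameter-map names used in 'inspect <name>' but never defined."""
    defined = set(re.findall(r"^parameter-map type inspect (\S+)", config, re.M))
    used = {pm for classes in parse_inspect_policies(config).values()
            for _, pm in classes.values() if pm}
    return used - defined
```

Run it against the output of "show running-config" saved to a file; a policy-map listed by policies_passing_by_default is one where the change shown above (class-default set to pass) has removed stateful inspection for everything that matches no class-map.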