CCIE Pursuit Blog

October 7, 2007

ip virtual-reassembly

While configuring NAT, I will sometimes see “ip virtual-reassembly” added to the NAT interfaces’ configurations:

ip nat inside source list 99 interface Serial0/0 overload
!
access-list 99 permit 10.0.0.0 0.0.0.255
!
interface FastEthernet0/0
 description ->sw1 fa0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 100.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 encapsulation frame-relay
 frame-relay map ip 100.0.0.2 102 broadcast
 no frame-relay inverse-arp

IOS throws that on automatically.  Here’s what it does:

A buffer overflow attack can occur when an attacker continuously sends a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.

The max-reassemblies number option and the max-fragments number option allow you to configure maximum threshold values to avoid a buffer overflow attack and to control memory usage.

In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time (which can be configured via the timeout seconds option), the timer will expire and the IP datagram (and all of its fragments) will be dropped.

Here’s why it does it:

VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall and NAT). Currently, NAT enables and disables VFR internally; that is, when NAT is enabled on an interface, VFR is automatically enabled on that interface.


Cisco Documentation:

ip virtual-reassembly

About these ads

2 Comments »

  1. I’ve been having a torrid time with AS path filtering using Regex in BGP. Three days and I cannot still make up an expression say 4 bit long :S
    While, your blog is becoming a great resource for VTP :P
    I hope you can come up something about AS path filtering that makes sense :S
    As i am totally stupified at the moment.

    P.S
    ANy idea how important this thing is in actual exam ?

    Comment by barooq — October 7, 2007 @ 12:10 pm | Reply

  2. Hi Barooq.

    I’ve only scratched the surface with regular expressions. In the “real world” I’ve used “^$” and not much else.

    As far as the exam: if you’re talking about the written, then I have no idea (I doubt that there would be many regex-based questions). The lab is another beast. I would fully expect some (probably difficult) regex filtering requirements. BUT…you’ll be able to use the DOC as reference so you won’t have to memorize what each character does.

    Comment by cciepursuit — October 10, 2007 @ 8:45 am | Reply


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 112 other followers

%d bloggers like this: