13-10
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 13 Configuring Application Protocol Inspection
Detailed Information About Inspection Engines
HTTP Inspection Engine
The HTTP inspection engine enables the system message 304001 when an inside user issues an HTTP
GET request:
%FWSM-5-304001: user source_address Accessed [JAVA] URL dest_address: url.
To configure the HTTP inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol http [
port
[-
port
]]
The default port is 80 (TCP).
ICMP Inspection Engine
The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and
UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through
the FWSM in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP
inspection engine ensures that there is only one response for each request, and that the sequence number
is correct.
To configure the ICMP inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol icmp
The ICMP payload is scanned to retrieve the five-tuple from the original packet. The ICMP inspection
engine supports both one-to-one NAT and PAT. Using the retrieved five-tuple, a lookup is performed to
determine the original address of the client. The ICMP inspection engine makes the following changes
to the ICMP packet:
• In the IP Header, the NAT IP is changed to the Client IP (Destination Address) and the IP checksum
is modified.
• In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
• In the Payload, the following changes are made:
–
Original packet NAT IP is changed to the Client IP
–
Original packet NAT port is changed to the Client Port
–
Original packet IP checksum is recalculated
To Next Page
Loading...
Need help?
General