Problems With Fragmented Skinny Packets; SMTP Inspection Engine - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Chapter 13
Configuring Application Protocol Inspection

Problems with Fragmented Skinny Packets

The FWSM does not correctly handle fragmented Skinny packets. For instance, when using a voice
conferencing bridge, Skinny packets might become fragmented and are then dropped by the FWSM. This
happens because the Skinny inspection engine checks each packet and drops what appear to be bad
packets. When a single Skinny packet is fragmented into multiple TCP packets, the Skinny inspection
engine finds that the internal checksums within the Skinny packet fragments are not correct and so it
drops the packet.
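The failure mode described above, as an added illustration that is not part of the manual and not Cisco's code: a per-segment inspection engine judges each TCP segment on its own, so a message that TCP has split across segments never validates and every fragment is dropped, while an engine that reassembles the stream and validates on message boundaries accepts it. The message format below (4-byte big-endian length, payload, 1-byte XOR checksum) is constructed for the example and is not the real SCCP/Skinny encoding; the checksum stands in for the "internal checksums" the text mentions.

```python
# Added example (not from the Cisco manual): per-segment validation versus
# stream reassembly on a length-prefixed message split across TCP segments.
# Constructed format, NOT real SCCP/Skinny: 4-byte big-endian payload length,
# payload, then a 1-byte XOR checksum of the payload.
import struct


def xor_checksum(payload: bytes) -> int:
    chk = 0
    for b in payload:
        chk ^= b
    return chk


def build_message(payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + payload + bytes([xor_checksum(payload)])


def validate_message(buf: bytes) -> bool:
    """True only if buf is exactly one complete message with a good checksum."""
    if len(buf) < 5:
        return False
    (n,) = struct.unpack(">I", buf[:4])
    if len(buf) != 4 + n + 1:
        return False
    return xor_checksum(buf[4:4 + n]) == buf[4 + n]


def tcp_segments(data: bytes, mss: int) -> list:
    """Split a byte stream the way TCP would at a given segment size."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def inspect_per_segment(segments) -> list:
    """Naive engine: judges every segment as if it were a whole message."""
    return [validate_message(s) for s in segments]


class StreamInspector:
    """Reassembling engine: buffers segments until a whole message is present,
    then validates on message boundaries rather than segment boundaries."""

    def __init__(self):
        self.buf = b""
        self.verdicts = []

    def feed(self, segment: bytes) -> list:
        self.buf += segment
        while len(self.buf) >= 4:
            (n,) = struct.unpack(">I", self.buf[:4])
            total = 4 + n + 1
            if len(self.buf) < total:
                break  # wait for the rest of the message
            msg, self.buf = self.buf[:total], self.buf[total:]
            self.verdicts.append(validate_message(msg))
        return self.verdicts


# Constructed sample: one 64-byte keepalive-like message split into 30-byte segments.
SAMPLE_MESSAGE = build_message(b"StationKeepAlive" * 4)
SAMPLE_SEGMENTS = tcp_segments(SAMPLE_MESSAGE, 30)


def per_segment_verdicts() -> list:
    return inspect_per_segment(SAMPLE_SEGMENTS)


def reassembled_verdicts() -> list:
    insp = StreamInspector()
    for seg in SAMPLE_SEGMENTS:
        insp.feed(seg)
    return insp.verdicts


if __name__ == "__main__":
    print("per-segment :", per_segment_verdicts())  # every fragment rejected
    print("reassembled :", reassembled_verdicts())  # the whole message accepted
```

The same message passes when it arrives in a single segment, which is why the problem only shows up with traffic that gets fragmented (the voice conferencing bridge case in the text): the inspection logic is not wrong about the message, it is applied to the wrong unit.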

SMTP Inspection Engine

Enabled by default for TCP port 25
The SMTP inspection engine enables the Mail Guard feature. This restricts mail servers to receiving the
seven minimal commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET,
NOOP, and QUIT). All other commands are rejected.
Microsoft Exchange server does not strictly comply with RFC 821 section 4.5.1; it uses extended SMTP
commands such as EHLO. The FWSM converts any such commands into NOOP commands, which, as
specified by the RFC, forces SMTP servers to fall back to using minimal SMTP commands only. This
might cause Microsoft Outlook clients and Exchange servers to function unpredictably when their
connection passes through the FWSM. In this case, you might want to disable the SMTP inspection engine,
although the Mail Guard feature does provide valuable protection.
To configure the SMTP inspection engine, enter the following command:

    FWSM/contexta(config)# fixup protocol smtp [port[-port]]

The default port is 25 (TCP).
An SMTP server responds to client requests with numeric reply codes and optional human-readable
strings. The SMTP inspection engine controls and reduces the commands that the user can use as well
as the messages that the server returns. The SMTP inspection engine performs three primary tasks:

• Restricts SMTP requests to seven minimal commands (HELO, MAIL, RCPT, DATA, RSET, NOOP,
  and QUIT). It also changes the characters in the server SMTP banner to asterisks except for the "2",
  "0", "0" characters; carriage return (CR) and linefeed (LF) characters are ignored.
• Monitors the SMTP command-response sequence.
• Generates an audit trail—Audit record 108002 is generated when an invalid character embedded in
  the mail address is replaced. For more information, see RFC 821.

The SMTP inspection engine monitors the command and response sequence for the following anomalous
signatures:

• Truncated commands.
• Incorrect command termination (not terminated with <CR><LF>).
• The MAIL and RCPT commands specify who the sender and the receiver of the mail are. Mail
  addresses are scanned for strange characters. The pipe character (|) is deleted (changed to a blank
  space), and "<" and ">" are allowed only if they are used to define a mail address (">" must be
  preceded by "<").

OL-6392-01
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Detailed Information About Inspection Engines
13-19
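The rules this section lists, modelled in code as an added example (not Cisco's implementation and not from the manual), so that the effect of the engine on a session can be seen on constructed input. It restricts client commands to the seven minimal ones, rewrites anything else (EHLO included) to NOOP, applies the address rules for MAIL and RCPT (pipe becomes a blank, ">" only after "<", with the 108002 audit note when a character is replaced), flags truncated and badly terminated lines, and masks the server banner. Two points are assumptions of the example rather than statements of the manual: "truncated" is taken to mean shorter than the 4-letter verb every SMTP command starts with, and the "2", "0", "0" left unmasked in the banner are taken to be the 220 reply code in the first three bytes.

```python
# Added example (not Cisco's code): a model of the Mail Guard rules the manual
# describes. Assumptions beyond the manual's text are marked in comments.
MINIMAL_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def framing_anomalies(line: bytes) -> list:
    """Anomalous signatures on one raw client line: bad termination and
    truncation. Assumption: 'truncated' means shorter than the 4-letter verb."""
    found = []
    if not line.endswith(b"\r\n"):
        found.append("incorrect termination (not <CR><LF>)")
    if len(line.rstrip(b"\r\n")) < 4:
        found.append("truncated command")
    return found


def sanitize_address(arg: str) -> tuple:
    """Address rules from the manual: '|' becomes a blank, and '>' is kept
    only when a '<' opened the address before it. Returns (clean, replaced)."""
    out, replaced, open_bracket = [], False, False
    for ch in arg:
        if ch == "|":
            out.append(" ")
            replaced = True
        elif ch == "<":
            open_bracket = True
            out.append(ch)
        elif ch == ">" and not open_bracket:
            out.append(" ")
            replaced = True
        elif ch == ">":
            open_bracket = False
            out.append(ch)
        else:
            out.append(ch)
    return "".join(out), replaced


def filter_client_line(line: bytes) -> tuple:
    """Return (bytes forwarded to the server, list of notes for the log)."""
    notes = framing_anomalies(line)
    body = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    verb, _, arg = body.partition(" ")
    verb = verb.upper()
    if verb not in MINIMAL_COMMANDS:
        # Extended or unknown command (e.g. EHLO) becomes NOOP, which pushes
        # the server back to the RFC 821 minimal command set.
        notes.append("rewrote %s to NOOP" % verb)
        return b"NOOP\r\n", notes
    if verb in ("MAIL", "RCPT") and arg:
        arg, replaced = sanitize_address(arg)
        if replaced:
            notes.append("audit record 108002: invalid character replaced")
    forwarded = verb + (" " + arg if arg else "")
    return forwarded.encode("ascii", errors="replace") + b"\r\n", notes


def mask_banner(banner: bytes) -> bytes:
    """Server greeting masking: everything becomes '*' except the reply code
    and CR/LF. Assumption: the manual's "2", "0", "0" is the 220 reply code
    occupying the first three bytes."""
    code, rest = banner[:3], banner[3:]
    return code + bytes(b if b in b"\r\n" else ord("*") for b in rest)


def inspect_session(client_lines) -> list:
    return [filter_client_line(line) for line in client_lines]


# Constructed sample session (not captured traffic).
SAMPLE_BANNER = b"220 mail.example.com ESMTP Sendmail\r\n"
SAMPLE_CLIENT = [
    b"EHLO outlook.example.net\r\n",
    b"MAIL FROM:<alice|attacker@example.net>\r\n",
    b"RCPT TO:bob>@example.com\r\n",
    b"DATA\r\n",
    b"RCP\r\n",
    b"QUIT\n",
]

if __name__ == "__main__":
    print(mask_banner(SAMPLE_BANNER))
    for forwarded, notes in inspect_session(SAMPLE_CLIENT):
        print(forwarded, notes)
```

Running it on the sample session shows the two behaviours an administrator troubleshooting Exchange traffic through the module most needs to recognise: the EHLO line reaches the server as NOOP, so extended SMTP never negotiates, and the masked greeting means a client probing the banner learns only the reply code.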