Cisco 4700M Configuration Manual page 137

Application control engine appliance security
Chapter 3
Configuring Application Protocol Inspection
For stateful ICMP, state information, as maintained for TCP or UDP flows, is
maintained for ICMP instead of performing only the ACL and NAT functions.
The maintenance of ICMP state information is required to resolve the following
problems:

• ICMP reply messages without request messages
• Unsolicited ICMP error messages
• Unknown ICMP types

ICMP error messages are generated by intermediate nodes situated on the network
path to a destination whenever a packet sent to that destination cannot be
forwarded. ICMP error messages may also be generated by endpoint nodes, as in
the case of port unreachable errors. ICMP error messages carry the original packet
for which the error is generated in the data part of the message. The error message
also contains the addresses of the intermediate node or endpoint node in the outer
header and the destination node in the inner header.

ICMP error fixup handles address translation of node address and destination
address to global addresses using the NAT configuration. ICMP error fixup is user
configurable. If you do not enable this feature, intermediate node or endpoint
node addresses are translated in the same way as the destination address of the
embedded packet. As a result, error messages appear as if they are originating
from the destination and the node addresses or the route to the destination are not
included.

ICMP inspection performs the following tasks for ICMP request or reply
messages:

• Creates a bidirectional session or connection record. The lookup key in the
  forward direction is the source IP address, destination IP address, protocol,
  ICMP type, ICMP identifier, and VLAN.
• Verifies that the connection record contains a sequence number window that
  specifies the list of sequence numbers of outstanding requests for which
  replies are pending.
• Verifies that the connection record has a timeout, so that the inactive
  connection record can be reused for other flows and can protect the inside
  network against fraudulent ICMP reply packets.
• Allows reply packets only if a valid connection record exists and prevents the
  reply packets from passing through an ACL again if the connection record (or
  the state information) exists.

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
OL-16202-01
Application Protocol Inspection Overview
3-13
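The following is an added worked example, not Cisco code and not taken from the guide: a small Python model of the stateful ICMP inspection and ICMP error fixup behaviour described on this page. It builds the bidirectional connection record keyed on source, destination, protocol, ICMP type, identifier and VLAN, keeps a window of outstanding request sequence numbers, reaps idle records on a timeout, admits replies only against a live record, and admits error messages only when the embedded original packet belongs to a known flow. The `icmp_error_fixup` function is an illustrative model of translating a returning error for an inside host (outer destination and embedded source back to the local address, intermediate node address kept). Addresses, identifiers, the 30-second timeout and the `demo()` sequence are all constructed for the example; they are not values from the manual.

```python
from dataclasses import dataclass, field
from typing import Optional
import time

# ICMP type numbers (RFC 792); this toy inspector knows echo and two error types.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
REPLY_FOR = {ECHO_REQUEST: ECHO_REPLY}              # request type -> reply type
REQUEST_FOR = {v: k for k, v in REPLY_FOR.items()}  # reply type -> request type
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED}


@dataclass
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int = 0
    seq: int = 0
    vlan: int = 1
    embedded: Optional["IcmpPacket"] = None  # error messages carry the offending packet


@dataclass
class ConnRecord:
    outstanding: set = field(default_factory=set)  # seq numbers with a reply still pending
    last_seen: float = 0.0


class IcmpInspector:
    def __init__(self, clock=time.monotonic, idle_timeout=30.0):
        self.conns: dict = {}
        self.clock = clock
        self.idle_timeout = idle_timeout

    @staticmethod
    def forward_key(p: IcmpPacket):
        # Forward lookup key: source, destination, protocol, ICMP type, identifier, VLAN.
        return (p.src, p.dst, "icmp", p.icmp_type, p.ident, p.vlan)

    def _expire_idle(self):
        # Records idle longer than the timeout are dropped so they cannot be matched later.
        cutoff = self.clock() - self.idle_timeout
        for key in [k for k, r in self.conns.items() if r.last_seen < cutoff]:
            del self.conns[key]

    def inspect(self, p: IcmpPacket) -> str:
        """Return 'permit' or a 'drop: ...' reason for one packet."""
        self._expire_idle()
        now = self.clock()
        if p.icmp_type in REPLY_FOR:
            # Request: create (or refresh) the bidirectional record and note the pending seq.
            rec = self.conns.setdefault(self.forward_key(p), ConnRecord())
            rec.outstanding.add(p.seq)
            rec.last_seen = now
            return "permit"
        if p.icmp_type in REQUEST_FOR:
            # Reply: look up the record of the matching request in the reverse direction.
            key = (p.dst, p.src, "icmp", REQUEST_FOR[p.icmp_type], p.ident, p.vlan)
            rec = self.conns.get(key)
            if rec is None:
                return "drop: reply without request"
            if p.seq not in rec.outstanding:
                return "drop: sequence number not pending"
            rec.outstanding.discard(p.seq)
            rec.last_seen = now
            return "permit"
        if p.icmp_type in ERROR_TYPES:
            # Error: permitted only if the embedded original packet belongs to a live flow.
            if p.embedded is None or self.forward_key(p.embedded) not in self.conns:
                return "drop: unsolicited error"
            return "permit"
        return "drop: unknown icmp type"


def icmp_error_fixup(err: IcmpPacket, global_to_local: dict) -> IcmpPacket:
    """Illustrative model (not the ACE implementation) of ICMP error fixup: translate the
    outer destination and the embedded source back to the inside host's local address,
    keeping the intermediate node's address in the outer header."""
    assert err.embedded is not None
    inner = err.embedded
    fixed_inner = IcmpPacket(global_to_local.get(inner.src, inner.src), inner.dst,
                             inner.icmp_type, inner.ident, inner.seq, inner.vlan)
    return IcmpPacket(err.src, global_to_local.get(err.dst, err.dst), err.icmp_type,
                      err.ident, err.seq, err.vlan, fixed_inner)


def demo() -> dict:
    """Run a constructed packet sequence through the inspector and return the verdicts."""
    t = [0.0]  # fake clock so the idle timeout can be exercised deterministically
    insp = IcmpInspector(clock=lambda: t[0], idle_timeout=30.0)
    req = IcmpPacket("10.1.1.5", "198.51.100.7", ECHO_REQUEST, ident=42, seq=1)
    results = {"request": insp.inspect(req)}
    results["good_reply"] = insp.inspect(IcmpPacket("198.51.100.7", "10.1.1.5", ECHO_REPLY, 42, 1))
    results["replayed_reply"] = insp.inspect(IcmpPacket("198.51.100.7", "10.1.1.5", ECHO_REPLY, 42, 1))
    results["unsolicited_reply"] = insp.inspect(IcmpPacket("203.0.113.9", "10.1.1.5", ECHO_REPLY, 7, 1))
    results["unknown_type"] = insp.inspect(IcmpPacket("203.0.113.9", "10.1.1.5", 250))
    # Time Exceeded from a router on the path, carrying our request; fixup runs before inspection.
    err = IcmpPacket("192.0.2.1", "203.0.113.50", TIME_EXCEEDED,
                     embedded=IcmpPacket("203.0.113.50", "198.51.100.7", ECHO_REQUEST, 42, 1))
    fixed = icmp_error_fixup(err, {"203.0.113.50": "10.1.1.5"})
    results["error_outer_src"] = fixed.src
    results["error_outer_dst"] = fixed.dst
    results["error"] = insp.inspect(fixed)
    results["stray_error"] = insp.inspect(IcmpPacket("192.0.2.1", "10.1.1.5", DEST_UNREACH))
    t[0] = 60.0  # idle longer than the timeout: the record is reaped and a late reply is refused
    results["late_reply"] = insp.inspect(IcmpPacket("198.51.100.7", "10.1.1.5", ECHO_REPLY, 42, 2))
    return results
```

The sequence-number window is modelled as the set of pending sequence numbers per record, which is what makes a replayed or forged reply fail even when the five-tuple and identifier match; the injected clock shows why the timeout matters, since a reply arriving after the record is reaped is treated exactly like a reply that never had a request.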