Inspection Limitations - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI
Chapter 22
Applying Application Layer Protocol Inspection
Inspection Engine Overview

How Inspection Engines Work

Figure 22-1 How Inspection Engines Work
[Diagram: Client, FWSM (ACL, XLATE/CONN, Inspection) and Server, with operations numbered 1 to 7.]

In Figure 22-2, operations are numbered in the order they occur, and are described as follows:

1. A TCP SYN packet arrives at the FWSM to establish a new connection.
2. The FWSM checks the access list database to determine if the connection is permitted.
3. The FWSM creates a new entry in the connection database (XLATE and CONN tables).
4. The FWSM checks the Inspections database to determine if the connection requires application-level inspection.
5. After the application inspection engine completes any required operations for the packet, the FWSM forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The FWSM receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session.

The default configuration of the FWSM includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required.

Inspection Limitations

See the following limitations for application protocol inspection:

- State information for multimedia sessions that require inspection is not passed over the state link for stateful failover. The exception is GTP, which is replicated over the state link.
- Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security interfaces. See "Default Inspection Policy" for more information about NAT support.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
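
The seven numbered operations under How Inspection Engines Work, sketched as a toy Python model (an added example, not Cisco or FWSM code). The class and field names, the addresses, the FTP-on-port-21 inspection entry and the rule that a non-SYN packet without state is dropped are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

@dataclass
class ToyFirewall:
    acl: set            # permitted (src, dst, dport) tuples (constructed policy)
    inspections: dict   # dport -> engine name, stands in for the Inspections database
    conn: dict = field(default_factory=dict)  # stands in for the XLATE and CONN tables

    def handle(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reply_of = (p.dst, p.dport, p.src, p.sport)
        # Operation 7: a packet that matches an existing entry, in either
        # direction, is forwarded on connection state; the ACL is not re-read.
        if flow in self.conn or reply_of in self.conn:
            return "forward: established session"
        # Operation 1: in this model only a TCP SYN may open a connection.
        if not p.syn:
            return "drop: no matching connection"
        # Operation 2: access list check for the new connection.
        if (p.src, p.dst, p.dport) not in self.acl:
            return "drop: denied by access list"
        # Operations 3 and 4: record the connection and look up whether the
        # destination port is bound to an inspection engine.
        engine = self.inspections.get(p.dport)
        self.conn[flow] = engine
        # Operation 5: inspect if required, then forward to the destination.
        return f"forward: new connection, inspect={engine or 'none'}"

def demo():
    # All addresses and ports below are constructed sample values.
    fw = ToyFirewall(acl={("10.0.0.5", "192.0.2.10", 21)}, inspections={21: "ftp"})
    syn = Packet("10.0.0.5", 40000, "192.0.2.10", 21, syn=True)
    reply = Packet("192.0.2.10", 21, "10.0.0.5", 40000)   # operation 6
    stray = Packet("192.0.2.10", 21, "10.0.0.5", 40001)   # no state for this flow
    denied = Packet("10.0.0.5", 40002, "192.0.2.10", 23, syn=True)
    return [fw.handle(x) for x in (syn, reply, stray, denied)]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The reply is forwarded only because operation 3 left a matching entry; the same server sending to a port with no entry is dropped without the access list being consulted.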


This manual is also suitable for: 7609-s, 7613, 7606-s, Catalyst 6500 series, 7600 series
