Default Inspection Policy - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli

Inspection Engine Overview

Default Inspection Policy

By default, the configuration includes a policy that matches all default application inspection traffic and
applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic
includes traffic to the default ports for each protocol. You can only apply one global policy, so if you
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add
inspections that are not enabled by default, you need to either edit the default policy or disable it and
apply a new one.
Table 22-1 lists all inspections supported, the default ports used in the default class map, and the
inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.

If you configure PAT for traffic that is being inspected, the FWSM performs application inspection
on the translated port numbers rather than the real port numbers. Service policies applying inspection
to traffic with translated port numbers should use class maps that identify traffic using the
translated port numbers. For example, if you implement PAT to translate ports 2727 and 2427 to port
1400, you should configure MGCP inspection to match traffic sent to port 1400 rather than the
well-known ports 2427 and 2727.

When application inspection is enabled on the FWSM for TCP flows (especially for application
inspection of protocols like VoIP), the TCP sender segments the TCP packets based on the maximum
segment size (MSS) advertised by the TCP receiver. The FWSM reassembles the TCP segments,
performs the inspection, and transmits the packets to the TCP receiver based on its interface
maximum transmission unit (MTU) and not the MSS advertised by the TCP receiver. For example, two
SIP endpoints (Polycom video conferencing units) advertise an MSS of 536 bytes. The FWSM proxies
this connection and one video unit sends an H.245 setup message that is 761 bytes, segmented into
three packets. The FWSM reassembles these three segments and transmits them to the endpoint as one
single packet of 761 data bytes instead of honoring the 536-byte MSS and resegmenting the message
as appropriate. To account for this limitation, you must perform the following actions on the FWSM:
- Increase the MSS on the TCP receiver.
- Lower the MTU on the FWSM interface.
- Only if possible, disable the advanced protocol inspection.

When application inspection is enabled for a protocol and another application utilizes the same port
as that inspected application protocol, the FWSM can exhibit unpredictable behavior (including
packet loss) when inspecting that application protocol. When this situation occurs, you should
disable the inspection engine for that application protocol.

Table 22-1  Supported Application Inspection Engines¹

Application   Default Port  NAT Limitations                  Standards²  Comments
CTIQBE        TCP/2748      --                               --          --
DCERPC        TCP/135       Only forward NAT.                --          Supports the map and lookup operations
                                                                         of the EPM for clients.
DNS over UDP  UDP/53        No NAT support is available for  RFC 1123    No PTR records are changed. Default
                            name resolution through WINS.                maximum packet length is 512 bytes.

Chapter 22  Applying Application Layer Protocol Inspection
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
22-4
OL-20748-01
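The PAT note and the MSS note above, expressed in FWSM CLI as an added example that is not taken from the configuration guide: it edits the shipped global policy so that MGCP is inspected on the translated port 1400 instead of the well-known ports, makes the 512-byte DNS maximum from Table 22-1 explicit, and lowers an interface MTU. The class-map name mgcp_pat_class, the interface name inside and the MTU value 1400 are assumptions; inspection_default and global_policy are the names the default configuration uses, which you can confirm with show running-config policy-map before editing.

```cisco
! Added example; not from the configuration guide.
! Assumed names/values: mgcp_pat_class, interface "inside", MTU 1400.

! Class already present in the default configuration: it matches the
! protocols of Table 22-1 on their default ports.
class-map inspection_default
 match default-inspection-traffic

! Second class for the PAT-translated MGCP port. Matching the real ports
! 2427/2727 here would miss the traffic, because inspection is applied to
! the translated port number, not the real one.
class-map mgcp_pat_class
 match port udp eq 1400

! Edit the existing global policy rather than adding a second one; only
! one global service policy can be applied at a time.
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
 class mgcp_pat_class
  inspect mgcp

! Apply globally (already present in the default configuration; needed
! only if the default service-policy line was removed).
service-policy global_policy global

! Action from the MSS note: lower the MTU on the FWSM interface facing
! the TCP receiver (interface name and value are assumptions).
mtu inside 1400

! Confirm which classes and inspections the global policy now carries.
show service-policy
```

Adding the second class keeps the default-port inspections intact while covering the translated port; if MGCP were instead left under inspection_default, traffic arriving on port 1400 would simply not be matched by that class.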
