Chapter 13 Configuring Application Protocol Inspection; Inspection Engine Overview; When To Use Application Protocol Inspection - Cisco Catalyst 6500 Series Configuration Manual

Configuring Application Protocol Inspection
This chapter describes how to use and configure application protocol inspection, which is often called a "fixup." Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the Firewall Services Module (FWSM) to do a deep packet inspection instead of passing the packet through the fast path (see the "Stateful Inspection Feature" section on page 1-5 for more information about the fast path). As a result, inspection engines can affect overall throughput.

Several common inspection engines are enabled on the FWSM by default, but you might need to enable others depending on your network. This chapter includes the following sections:

Inspection Engine Overview, page 13-1
Configuring an Inspection Engine, page 13-4
Detailed Information About Inspection Engines, page 13-5

Inspection Engine Overview

This section includes the following topics:

When to Use Application Protocol Inspection, page 13-1
Inspection Limitations, page 13-2
Inspection Support, page 13-2

When to Use Application Protocol Inspection

When a user establishes a connection, the FWSM checks the packet against access control lists (ACLs), creates an address translation, and creates an entry for the session in the fast path, so that further packets can bypass time-consuming checks. However, the fast path relies on predictable port numbers and does not perform address translations inside a packet.

Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers.

Other applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the FWSM.

If you use applications like these, you need to enable application inspection.

When you enable application inspection for a service that embeds IP addresses, the FWSM translates the embedded addresses and updates any checksum or other fields that are affected by the translation.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 13-1
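The two problems the "When to Use Application Protocol Inspection" section describes, modeled as an added Python example that is not FWSM code and is not taken from the Cisco guide. FTP active mode is the classic case: the client's PORT command both embeds the client's own untranslated address in the payload and names a data port chosen per transfer, so a NAT fast path that only rewrites headers and only knows existing 5-tuples cannot pass the server's data connection. The model parses the PORT command, rewrites the embedded address to the translated one, reports the TCP sequence adjustment that the payload length change forces (the "other fields" part of a fixup besides the checksum), and produces the secondary-channel entry the fast path needs. All addresses, ports, session tables and helper names here are constructed for illustration.

```python
"""Model of the fast-path / inspection-engine split (constructed example, not FWSM code).

A NAT fast path forwards packets by matching a 5-tuple and rewriting only the
IP/TCP headers. FTP active mode defeats that twice: the PORT command carries
the client's inside (untranslated) address in the payload, and it names a data
port chosen per transfer, so no session entry exists for the server's
connection back to it. The inspection engine below fixes both.
"""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# FTP PORT command: "PORT h1,h2,h3,h4,p1,p2\r\n" (RFC 959); port = p1*256 + p2.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


@dataclass(frozen=True)
class Pinhole:
    """Secondary-channel entry handed to the fast path.

    Admits the server's data connection (from port 20 in active mode) to the
    translated client address and records the real address to forward it to.
    """
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    real_dst_ip: str


def parse_port(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (embedded_ip, data_port) for a PORT command, None for anything else."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        # \d{1,3} admits 256-999; reject rather than silently wrapping.
        raise ValueError(f"PORT field out of range: {payload!r}")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def build_port(ip: str, port: int) -> bytes:
    """Encode a PORT command for the given address and port."""
    h1, h2, h3, h4 = ip.split(".")
    return f"PORT {h1},{h2},{h3},{h4},{port // 256},{port % 256}\r\n".encode()


def inspect_ftp_command(payload: bytes, real_ip: str, mapped_ip: str,
                        server_ip: str) -> Tuple[bytes, int, Optional[Pinhole]]:
    """Inspection-engine step for one client-to-server FTP control message.

    Returns (payload to forward, TCP sequence delta, pinhole or None). The
    sequence delta is the length change of the rewritten payload; every later
    client segment's SEQ and every server ACK must be shifted by it, and the
    TCP checksum recomputed, because the rewritten payload is a different size.
    """
    parsed = parse_port(payload)
    if parsed is None:
        return payload, 0, None  # USER, PASS, LIST ...: forwarded untouched
    embedded_ip, data_port = parsed
    if embedded_ip != real_ip:
        # The client is asking the server to connect to some third host: refuse.
        raise ValueError(f"PORT address {embedded_ip} != session source {real_ip}")
    rewritten = build_port(mapped_ip, data_port)
    pinhole = Pinhole(server_ip, 20, mapped_ip, data_port, real_ip)
    return rewritten, len(rewritten) - len(payload), pinhole


def fast_path_allows(table: Set[Tuple[str, int, str, int]], src_ip: str,
                     src_port: int, dst_ip: str, dst_port: int) -> bool:
    """The fast path only knows the 5-tuples it has been told about."""
    return (src_ip, src_port, dst_ip, dst_port) in table


if __name__ == "__main__":
    # Constructed topology: inside client 10.0.0.5 is translated to 203.0.113.7;
    # the FTP server is 198.51.100.9. Only the control session exists so far.
    table = {("10.0.0.5", 40000, "198.51.100.9", 21)}
    cmd = b"PORT 10,0,0,5,4,1\r\n"
    # Without inspection the server would connect to 10.0.0.5:1025, an address
    # that does not exist outside, and even the translated target has no entry.
    print(fast_path_allows(table, "198.51.100.9", 20, "203.0.113.7", 1025))  # False
    fwd, delta, hole = inspect_ftp_command(cmd, "10.0.0.5", "203.0.113.7", "198.51.100.9")
    table.add((hole.src_ip, hole.src_port, hole.dst_ip, hole.dst_port))
    print(fwd, delta)  # b'PORT 203,0,113,7,4,1\r\n' 3
    print(fast_path_allows(table, "198.51.100.9", 20, "203.0.113.7", 1025))  # True
```

The same shape applies to the server's "227 Entering Passive Mode" reply when the server side is the one being translated, and to the other protocols this chapter lists: the engine reads the control channel, rewrites what the fast path cannot see, and pre-creates the session entry for the channel that is about to open. This extra parsing on every control-channel segment is the throughput cost the chapter introduction refers to.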