Configuring An Inspection Engine - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Configuring an Inspection Engine
Disabling or modifying an inspection engine only affects connections that are initiated after the
command is processed. Disabling an inspection engine for a specific port or application does not affect
existing connections. If you want the change to take effect immediately, enter the clear xlate command
to remove all existing sessions.
To configure an inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol {dns [maximum-length length] |
    ftp [strict] [port [-port]] |
    h323 {h225 | ras} [port [-port]] |
    http [port [-port]] |
    icmp |
    icmp error |
    ils [port [-port]] |
    mgcp [port [-port]] |
    rpc [port [-port]] |
    rsh [port [-port]] |
    rtsp [port [-port]] |
    sip [port [-port]] |
    sip udp |
    skinny [port [-port]] |
    smtp [port [-port]] |
    sqlnet [port [-port]]}
For most applications and protocols, you can define multiple port assignments, which is useful when
multiple instances of the same service are running on different ports.
Because you can enter multiple ports (either as a range or as separate commands), if you specify a new
port, that port is added to the configuration along with previously configured ports. To remove a port,
enter the no version of the command.
See the following keywords:
dns maximum-length length—This option sets the maximum length of a DNS reply. The default is
512 bytes. This inspection engine uses UDP port 53, and the port is not configurable.
ftp strict—This option only lets an FTP server generate the 227 command and only lets an FTP
client generate the PORT command. The 227 and PORT commands are checked to ensure they do
not appear in an error string. This limitation prevents clients from sending embedded commands in
FTP requests. Each FTP command must be acknowledged before a new command is allowed.
h323 {h225 | ras}—You can set the inspection engines for H.323 and RAS (h225 and ras)
separately.
See the "Detailed Information About Inspection Engines" section on page 13-5 for information about
each protocol inspection engine.
By default, an inspection engine for FTP port 21 is enabled. The following example shows how to define
additional ports for FTP:
FWSM/contexta(config)# fixup protocol ftp 2100
FWSM/contexta(config)# fixup protocol ftp 4254
FWSM/contexta(config)# fixup protocol ftp 9090
After entering these commands, the FWSM listens for FTP traffic on port 21, as well as 2100, 4254, and
9090.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01
Chapter 13, Configuring Application Protocol Inspection, page 13-4
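The additive port semantics described above (ports accumulate across fixup protocol commands, the no form removes the ports it names, and FTP inspection is on port 21 by default), as an added example that is not from the configuration guide: a Python audit that parses fixup protocol lines from a saved configuration, computes the effective inspection ports per protocol, and flags FTP inspection that runs without strict. The regular expression, the DEFAULT_PORTS table and the treatment of a bare no form as disabling the engine are assumptions made here, not behaviour the guide states.

```python
import re

# Assumption taken from the text: the FTP engine is enabled on port 21 by default.
# Default ports for the other engines are not given on this page, so they start empty.
DEFAULT_PORTS = {"ftp": {21}}

# One 'fixup protocol' line: optional 'no', protocol, keyword options, optional port or range.
FIXUP_RE = re.compile(
    r"^(?P<neg>no\s+)?fixup\s+protocol\s+(?P<proto>[a-z0-9]+)"
    r"(?P<opts>(?:\s+(?:strict|udp|error|h225|ras|maximum-length\s+\d+))*)"
    r"(?:\s+(?P<lo>\d+)(?:-(?P<hi>\d+))?)?\s*$")

def parse_port_range(lo, hi):
    """Expand 'port' or 'port-port' into the set of ports it covers."""
    start, end = int(lo), int(hi if hi else lo)
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"bad port range {lo}-{hi}")
    return set(range(start, end + 1))

def effective_inspection(config_lines, defaults=DEFAULT_PORTS):
    """Apply lines in order: ports accumulate, 'no' removes only the ports it names.
    Assumption: a 'no' form without a port disables that engine (clears its ports)."""
    state = {p: {"ports": set(v), "options": set()} for p, v in defaults.items()}
    for line in config_lines:
        m = FIXUP_RE.match(line.strip())
        if not m:
            continue  # not a fixup command
        entry = state.setdefault(m["proto"], {"ports": set(), "options": set()})
        opts = {" ".join(o.split()) for o in re.findall(r"maximum-length\s+\d+|\S+", m["opts"])}
        ports = parse_port_range(m["lo"], m["hi"]) if m["lo"] else None
        if m["neg"]:
            entry["ports"] -= ports if ports is not None else set(entry["ports"])
            entry["options"] -= opts
        else:
            entry["ports"] |= ports or set()
            entry["options"] |= opts
    return state

def audit(state):
    """Flag FTP inspection running without 'strict' (embedded-command check disabled)."""
    ftp = state.get("ftp", {"ports": set(), "options": set()})
    if ftp["ports"] and "strict" not in ftp["options"]:
        return [f"ftp: inspected on {sorted(ftp['ports'])} without 'strict'"]
    return []

# Constructed sample: the page's FTP example, plus a port range and one removal.
SAMPLE_CONFIG = ["fixup protocol ftp 2100", "fixup protocol ftp 4254",
                 "fixup protocol ftp 9090", "fixup protocol http 8080-8082",
                 "no fixup protocol ftp 4254"]
```

Feed it the fixup protocol lines of a show running-config capture to see which ports each engine actually inspects after every add and no command has been applied.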
