DNS over UDP Inspection Engine; FTP Inspection Engine - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide

Detailed Information About Inspection Engines

DNS over UDP Inspection Engine

Enabled by default for UDP port 53
Domain Name System (DNS) requests require an inspection engine so that DNS queries are not subject
to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with
DNS queries and responses are torn down as soon as a reply to a DNS query has been received. The DNS
inspection engine monitors the message exchange to ensure that the ID of the DNS reply matches the ID
of the DNS query. See the "DNS and NAT" section on page 9-13 for more information about how the
FWSM alters the DNS payload.
This functionality is different from DNS Guard. See the "Other Protection Features" section on page 1-6
for more information about DNS Guard.
To configure the maximum length of the DNS reply, enter the following command:
FWSM/contexta(config)# fixup protocol dns [maximum-length length]
The default is 512 bytes. The port is 53 (UDP) and is not configurable.

FTP Inspection Engine

Enabled by default for TCP port 21
To configure the FTP inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol ftp [strict] [port[-port]]
The default port is 21 (TCP).
If you disable the FTP inspection engine with the no fixup protocol ftp command, the FWSM no longer
learns the data port negotiated on the control channel and cannot open the secondary data connection
on demand. Outbound users can then start connections only in passive mode, and inbound users can start
connections only in active mode.
The FTP inspection engine inspects the FTP sessions, and performs four tasks:
Prepares dynamic secondary data connection—The channels are allocated in response to a file upload, a file download, or a directory listing event and must be pre-negotiated. The port is negotiated through the PORT or PASV commands.
Tracks ftp command-response sequence—If the strict option is enabled, each ftp command and response sequence is tracked for the following anomalous activity:
  Truncated command—The number of commas in the PORT command and in the PASV reply is checked to see if it is five. If it is not five, the command is assumed to be truncated and the TCP connection is closed.
  Incorrect command—Checks that the ftp command ends with <CR><LF> characters, as required by the RFC. If it does not, the connection is closed.
  Size of RETR and STOR commands—These are checked against a fixed constant of 256. If the size is greater, an error message is logged and the connection is closed.
  Command spoofing—The PORT command should always be sent from the client. The TCP connection is denied if a PORT command is sent from the server.
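The following Python program is an added illustration and is not FWSM code or part of this guide. It applies the four strict-mode checks listed above to constructed FTP control-channel lines in both directions, and also decodes the h1,h2,h3,h4,p1,p2 address carried by PORT and by the 227 PASV reply so that the data connection the first task must pre-negotiate can be derived. Applying the <CR><LF> check to server replies as well as client commands, and the exact wording of the verdicts, are assumptions of the model.

```python
"""Added model of the FTP inspection engine's strict-mode checks described above (not FWSM code)."""
import re

MAX_RETR_STOR = 256                                   # fixed constant quoted in the text
HOSTPORT_RE = re.compile(r"\d{1,3}(?:,\d{1,3})*")     # h1,h2,h3,h4,p1,p2 as sent in PORT / 227


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if it is not six in-range octets."""
    fields = text.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        return None
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def inspect_ftp_line(raw, from_client):
    """Apply the strict checks to one control-channel line exactly as seen on the wire.

    Returns ("ok", detail) when the line may be forwarded and ("close", reason) when the
    engine would tear down the TCP control connection.  Assumption: the <CR><LF> check is
    applied to both directions here; the text describes it for client commands.
    """
    if not raw.endswith(b"\r\n"):                                   # Incorrect command
        return "close", "incorrect command: not terminated by <CR><LF>"
    line = raw[:-2].decode("ascii", "replace")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()

    if verb == "PORT":
        if not from_client:                                          # Command spoofing
            return "close", "command spoofing: PORT sent by server"
        if arg.count(",") != 5:                                      # Truncated command
            return "close", "truncated PORT command"
        hostport = parse_hostport(arg)
        if hostport is None:
            return "close", "malformed PORT argument"
        return "ok", ("expect active data connection", *hostport)   # server -> client pinhole

    if from_client:
        if verb in ("RETR", "STOR") and len(line) > MAX_RETR_STOR:   # Size of RETR/STOR
            return "close", f"{verb} command longer than {MAX_RETR_STOR} bytes"
        return "ok", verb

    if verb == "227":                                                # PASV reply: same comma count
        match = HOSTPORT_RE.search(arg)
        addr = match.group(0) if match else ""
        if addr.count(",") != 5:
            return "close", "truncated PASV reply"
        hostport = parse_hostport(addr)
        if hostport is None:
            return "close", "malformed PASV reply"
        return "ok", ("expect passive data connection", *hostport)  # client -> server pinhole
    return "ok", verb


if __name__ == "__main__":
    # Constructed control-channel lines, not captured traffic.
    session = [
        (b"USER anonymous\r\n", True),
        (b"PORT 10,0,0,5,4,1\r\n", True),
        (b"227 Entering Passive Mode (192,0,2,10,19,137)\r\n", False),
        (b"PORT 10,0,0,5,4\r\n", True),                 # truncated
        (b"PORT 192,0,2,10,4,1\r\n", False),            # spoofed from the server side
        (b"RETR " + b"A" * 300 + b"\r\n", True),        # oversized
        (b"QUIT\n", True),                              # missing <CR>
    ]
    for raw, from_client in session:
        print("C>" if from_client else "S>", raw[:40], inspect_ftp_line(raw, from_client))
```

The comma count is taken over the argument alone, not the whole line, so a well-formed 227 reply is accepted even though its human-readable text varies between servers; a PORT that arrives from the server side is refused before its argument is examined, which is the spoofing check the text describes.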
Chapter 13 Configuring Application Protocol Inspection, OL-6392-01
