ICMP Error Inspection Engine; ILS Inspection Engine - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Chapter 13
Configuring Application Protocol Inspection

ICMP Error Inspection Engine

The FWSM supports NAT of ICMP error messages. When this feature is enabled, the FWSM creates
translation sessions for intermediate hops that send ICMP error messages, based on the NAT
configuration. The FWSM overwrites the packet with the translated IP addresses.
To configure the ICMP error inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol icmp error
When disabled, the FWSM does not create translation sessions for intermediate nodes that generate
ICMP error messages. ICMP error messages generated by the intermediate nodes between the inside host
and the FWSM reach the outside host without consuming any additional NAT resource. This is
undesirable when an outside host uses the traceroute command to trace the hops to the destination on
the inside of the FWSM. When the FWSM does not NAT the intermediate hops, all the intermediate hops
appear with the translated destination IP address.
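As an added illustration that is not part of the Cisco guide, the following Python model shows the difference the command above makes to what an outside traceroute sees and to how many NAT sessions are consumed. The addresses, the static NAT entry, the dynamic pool and the class and function names are all constructed assumptions; the model also assumes the quoted inner packet's destination is restored to its mapped address in both modes.

```python
from dataclasses import dataclass

# Constructed addresses: the traced inside host, its static NAT entry, and a
# small dynamic NAT pool that intermediate inside hops can be mapped from.
INSIDE_HOST = "10.1.1.10"
OUTSIDE_CLIENT = "192.0.2.7"
NAT_STATIC = {"10.1.1.10": "209.165.201.10"}
NAT_POOL = ["209.165.201.100", "209.165.201.101"]


@dataclass
class IcmpError:
    src: str        # outer source: the node that generated the ICMP error
    dst: str        # outer destination: the outside host that sent the probe
    inner_dst: str  # destination of the original packet quoted in the error


class Fwsm:
    """Minimal model of how the FWSM rewrites ICMP error messages (assumed)."""

    def __init__(self, inspect_icmp_error: bool):
        self.inspect = inspect_icmp_error
        self.xlate = dict(NAT_STATIC)   # translation table: real -> mapped
        self.pool = list(NAT_POOL)

    def session_for(self, real: str) -> str:
        """Return the mapped address, creating a dynamic session if needed."""
        if real not in self.xlate:
            if not self.pool:
                raise RuntimeError("NAT pool exhausted")  # the resource cost
            self.xlate[real] = self.pool.pop(0)
        return self.xlate[real]

    def dynamic_sessions(self) -> int:
        return len(self.xlate) - len(NAT_STATIC)

    def forward_error(self, pkt: IcmpError) -> IcmpError:
        mapped_dst = self.xlate[pkt.inner_dst]  # static entry of the traced host
        if self.inspect:
            # fixup protocol icmp error: build a session for the hop and rewrite
            # the outer source with the hop's translated address
            return IcmpError(self.session_for(pkt.src), pkt.dst, mapped_dst)
        # inspection disabled: no session for the hop, so the error leaves
        # carrying the translated destination address as its source
        return IcmpError(mapped_dst, pkt.dst, mapped_dst)


def traceroute_view(hops, inspect: bool):
    """Source addresses an outside traceroute would list, plus sessions used."""
    fw = Fwsm(inspect)
    seen = [fw.forward_error(IcmpError(h, OUTSIDE_CLIENT, INSIDE_HOST)).src
            for h in hops]
    return seen, fw.dynamic_sessions()
```

With inspection enabled each inside hop shows up under its own mapped address at the price of one dynamic session per hop; with it disabled every hop collapses to the destination's translated address and no extra sessions are used.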

ILS Inspection Engine

Enabled by default for TCP port 389
The Internet Locator Service (ILS) is based on the Lightweight Directory Access Protocol (LDAP) and
is LDAPv2 compliant. ILS was developed by Microsoft for use with its NetMeeting, SiteServer, and
Active Directory products.
To configure the ILS inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol ils [port[-port]]
The default port is 389 (TCP).
The FWSM supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer
Directory. PAT is not supported because only IP addresses, and not ports, are stored by an LDAP
database.
For search responses, when the LDAP server is located outside, consider using NAT so that internal peers can
communicate locally while registered to external LDAP servers. For such search responses, the FWSM
searches the translation sessions first and then the NAT entries to obtain the correct address. If
both searches fail, the address is not changed.
Note For sites using NAT exemption or identity NAT, we recommend that you disable this inspection engine
for better performance.
Additional configuration might be necessary when the ILS server is located inside the FWSM border.
This requires an ACL for outside clients to access the LDAP server on the specified port, typically
TCP 389.
ILS/LDAP follows a client/server model with sessions handled over a single TCP connection.
Depending on the client's actions, several of these sessions might be created.
OL-6392-01
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Detailed Information About Inspection Engines
13-11
