Cisco 4700M Configuration Manual page 227

Application control engine appliance security
Chapter 3
Configuring Application Protocol Inspection
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
OL-16202-01
Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy
The keywords, arguments, and options are as follows:
inspect rtsp [sec-param conn_parammap_name3]
inspect sip [sec-param conn_parammap_name4] [policy name5]
inspect skinny [sec-param conn_parammap_name5] [policy name6]
dns—Enables DNS query inspection. DNS requires an application inspection
so that DNS queries will not be subject to the generic UDP handling based on
activity timeouts. Instead, the UDP connections associated with DNS queries
and responses are torn down as soon as a reply to a DNS query has been
received. The ACE performs the reassembly of DNS packets to verify that the
packet length is less than the configured maximum length.
maximum-length bytes—(Optional) Sets the maximum length of a DNS
reply. Valid entries are from 512 to 65536 bytes. There is no default. If you
do not set a maximum-length value, the ACE does not check the size of the
reply from the DNS server.
ftp—Enables FTP inspection. The ACE inspects FTP packets, translates
addresses and ports embedded in the payload, and opens up a secondary
channel for data.
strict—(Optional) Checks for protocol RFC compliance and prevents
web browsers from sending embedded commands in FTP requests. The
strict keyword prevents an FTP client from determining valid usernames
that are supported on an FTP server. When an FTP server replies to the
USER command, the ACE intercepts the 530 reply code from the FTP
server and replaces it with the 331 reply code. Specifying an FTP
inspection policy allows selective command filtering and also prevents the
display of the FTP server system type to the FTP client. The ACE
intercepts the FTP server 215 reply code and message to the SYST
command and replaces the text following the reply code with asterisks.
sec-param conn_parammap_name1—(Optional) Specifies the name of a
previously created connection parameter map used to define parameters
for FTP inspection.
Note: If you do not specify a Layer 7 policy map, the ACE performs a
general set of Layer 3 and Layer 4 FTP protocol fixup actions.
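The strict-mode FTP reply rewrites and the DNS maximum-length check described above, modelled in Python as an added illustration; this is not ACE code or Cisco's implementation. The replacement text used for the rewritten 331 reply, the function names and the sample control-channel lines are constructed assumptions.

```python
import re

# One FTP server reply line: 3-digit code, space or "-" (multiline), text.
FTP_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def rewrite_ftp_reply(last_command: str, reply: str) -> str:
    """Apply the strict-mode fixups to one server reply line.

    last_command is the verb of the most recent client command
    ("USER", "SYST", ...); reply is the raw server reply line.
    """
    m = FTP_REPLY.match(reply)
    if not m:
        return reply  # not a reply line: pass through unchanged
    code, sep, text = m.groups()
    if last_command == "USER" and code == "530":
        # 530 after USER tells the client the username is invalid; answer
        # 331 so it looks like any other "need password" response.
        # The replacement text is an assumption of this model.
        return f"331{sep}Password required."
    if last_command == "SYST" and code == "215":
        # Hide the system type: keep the 215 code, mask the text.
        return f"215{sep}{'*' * len(text)}"
    return reply

def inspect_ftp_session(exchange):
    """Run (client_command, server_reply) pairs through the fixup and
    return the reply lines the client actually receives."""
    seen = []
    for command, reply in exchange:
        verb = command.split(" ", 1)[0].upper()
        seen.append(rewrite_ftp_reply(verb, reply))
    return seen

def dns_reply_allowed(reply_len: int, maximum_length=None) -> bool:
    """DNS inspection length check: with no maximum-length configured the
    reply size is not checked; otherwise the reassembled reply must be
    less than the configured maximum (valid range 512-65536 bytes)."""
    if maximum_length is None:
        return True
    if not 512 <= maximum_length <= 65536:
        raise ValueError("maximum-length must be 512-65536 bytes")
    return reply_len < maximum_length

# Constructed sample control-channel exchange (not a real capture).
SAMPLE_SESSION = [("USER alice", "530 User alice unknown."),
                  ("USER bob", "331 Password required for bob."),
                  ("SYST", "215 UNIX Type: L8")]
```

With the rewrite in place, a client cannot tell from the USER reply whether "alice" exists: both usernames draw a 331.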
3-103