-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
inspect ctiqbe through inspect xdmcp Commands
inspect ctiqbe through inspect xdmcp Commands
inspect ctiqbe
To enable CTIQBE protocol inspection, use the inspect ctiqbe command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To disable inspection, use the no form of this command.
inspect ctiqbe
no inspect ctiqbe
Defaults
This command is disabled by default.Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced in 7.0(1). It replaces the previously existing fixup command, which is now deprecated.
Usage Guidelines
The inspect ctiqbe command enables CTIQBE protocol inspection, which supports NAT, PAT, and bidirectional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the security appliance.
The Telephony Application Programming Interface (TAPI) and Java Telephony Application Programming Interface (JTAPI) are used by many Cisco VoIP applications. Computer Telephony Interface Quick Buffer Encoding (CTIQBE) is used by Cisco TAPI Service Provider (TSP) to communicate with Cisco CallManager.
The following summarizes limitations that apply when using CTIQBE application inspection:
•
•
•
•
The following summarizes special considerations when using CTIQBE application inspection in specific scenarios:
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect ctiqbe command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect ctiqbe command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect ctiqbe command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
You enable the CTIQBE inspection engine as shown in the following example, which creates a class map to match CTIQBE traffic on the default port (2748). The service policy is then applied to the outside interface.
hostname(config)# class-map ctiqbe-porthostname(config-cmap)# match port tcp eq 2748hostname(config-cmap)# exithostname(config)# policy-map ctiqbe_policyhostname(config-pmap)# class ctiqbe-porthostname(config-pmap-c)# inspect ctiqbehostname(config-pmap-c)# exithostname(config)# service-policy ctiqbe_policy interface outsideTo enable CTIQBE inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect dns
To enable DNS inspection (if it has been previously disabled), use the inspect dns command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. Use the inspect dns command to specify the maximum DNS packet length. To disable DNS inspection, use the no form of this command.
inspect dns [maximum-length max_pkt_length]
no inspect dns [maximum-length max_pkt_length]
Syntax Description
Defaults
This command is enabled by default.
The default maximum-length for the DNS packet size is 512.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
DNS guard tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the security appliance. DNS guard also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
When DNS inspection is enabled, which it is the default, the security appliance performs the following additional tasks:
•
Note
•
Note
•
•
•
A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource build-up. However, if you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
How DNS Rewrite Works
When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface.
If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated.
DNS rewrite performs two functions:
•
•
As long as DNS inspection remains enabled, you can configure DNS rewrite using the alias, static, or nat commands. For details about the syntax and function of these commands, refer to the appropriate command page.
Examples
The following example changes the maximum DNS packet length to 1500 bytes. Although DNS inspection is enabled by default, you still need to create a traffic map to identify DNS traffic and then apply the policy map to the appropriate interface.
hostname(config)# class-map dns-porthostname(config-cmap)# match port udp eq 53hostname(config-cmap)# exithostname(config)# policy-map sample_policyhostname(config-pmap)# class dns-porthostname(config-pmap-c)# inspect dns maximum-length 1500hostname(config-pmap-c)# exithostname(config)# service-policy sample_policy interface outsideTo change the maximum DNS packet length for all interfaces, use the global parameter in place of interface outside.
The following example shows how to disable DNS:
hostname(config)# policy-map sample_policyhostname(config-pmap)# class dns-porthostname(config-pmap-c)# no inspect dnshostname(config-pmap-c)# exithostname(config)# service-policy sample_policy interface outsideRelated Commands
inspect esmtp
To enable SMTP application inspection or to change the ports to which the security appliance listens, use the inspect esmtp command in class configuration mode. The class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect esmtp
no inspect esmtp
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the security appliance and by adding monitoring capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar is most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.
The inspect esmtp command includes the functionality previously provided by the fixup smtp command, and provides additional support for some extended SMTP commands. Extended SMTP application inspection adds support for eight extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the security appliance supports a total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, STARTLS, ONEX, VERB, CHUNKING, and private extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.
If you enter the inspect smtp command, the security appliance automatically converts the command into inspect esmtp, which is the configuration that will be shown if you enter the show running-config command.
The inspect esmtp command changes the characters in the server SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.
An SMTP server responds to client requests with numeric reply codes and optional human readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:
•
•
•
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
•
•
•
•
•
•
•
Examples
You enable the SMTP inspection engine as shown in the following example, which creates a class map to match SMTP traffic on the default port (25). The service policy is then applied to the outside interface.
hostname(config)# class-map smtp-porthostname(config-cmap)# match port tcp eq 25hostname(config-cmap)# exithostname(config)# policy-map smtp_policyhostname(config-pmap)# class smtp-porthostname(config-pmap-c)# inspect esmtphostname(config-pmap-c)# exithostname(config)# service-policy smtp_policy interface outsideTo enable SMTP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect ftp
To configure the port for FTP inspection or to enable enhanced inspection, use the inspect ftp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ftp [strict [map_name]]
no inspect ftp [strict [map_name]]
Syntax Description
map_name
The name of the FTP map.
strict
(Optional) Enables enhanced inspection of FTP traffic and forces compliance with RFC standards.
Caution
Defaults
The security appliance listens to port 21 for FTP by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated. The map_name option was added.
Usage Guidelines
The FTP application inspection inspects the FTP sessions and performs four tasks:
•
•
•
•
FTP application inspection prepares secondary channels for FTP data transfer. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be pre-negotiated. The port is negotiated through the PORT or PASV commands.
Note
Using the strict Option
The strict option prevents web browsers from sending embedded commands in FTP requests. Each ftp command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.
Caution
If the strict option is enabled, each ftp command and response sequence is tracked for the following anomalous activity:
•
•
•
•
•
•
•
•
•
Note
FTP Log Messages
FTP application inspection generates the following log messages:
•
•
•
•
•
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.
Examples
The following example identifies FTP traffic, defines an FTP map, defines a policy, enables strict FTP inspection, and applies the policy to the outside interface:
hostname(config)# class-map ftp-porthostname(config-cmap)# match port tcp eq 21hostname(config-cmap)# exithostname(config)# ftp-map inbound_ftphostname(config-inbound_ftp)# request-command deny put stou appehostname(config-ftp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class ftp-porthostname(config-pmap-c)# inspect ftp strict inbound_ftphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideTo enable strict FTP application inspection for all interfaces, use the global parameter in place of interface outside.
Note
Related Commands
inspect gtp
To enable or disable GTP inspection or to define a GTP map for controlling GTP traffic or tunnels, use the inspect gtp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. Use the no form of this command to remove the command.
inspect gtp [map_name]
no inspect gtp [map_name]
Note
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
GTP is the tunnelling protocol for GPRS, and helps provide secure access over wireless networks. GPRS is a data network architecture that is designed to integrate with existing GSM networks. It offers mobile subscribers uninterrupted, packet-switched data services to corporate networks and the Internet. For an overview of GTP, refer to the "Applying Application Layer Protocol Inspection" chapter in the Cisco Security Appliance Command Line Configuration Guide.
Use the gtp-map command to identify a specific map to use for defining the parameters for GTP. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. The actions that you can specify for messages that fail the criteria set using the different configuration commands include allow, reset, or drop. In addition to these actions, you can specify to log the event or not.
After defining the GTP map, you use the inspect gtp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
The string gtp, used as a port value, is automatically converted to the port value 3386. The well-known ports for GTP are as follows:
•
•
The following features are not supported in 7.0(1):
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect gtp command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect gtp command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect gtp command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
The following example shows how to use access lists to identify GTP traffic, define a GTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list gtp-acl permit udp any any eq 3386hostname(config)# access-list gtp-acl permit udp any any eq 2123hostname(config)# class-map gtp-traffichostname(config)# match access-list gtp-aclhostname(config)# gtp-map gtp-policyhostname(config)# policy-map inspection_policyhostname(config-pmap)# class gtp-traffichostname(config-pmap-c)# inspect gtp gtp-policyhostname(config)# service-policy inspection_policy interface outside
Note
Related Commands
inspect h323
To enable H.323 application inspection or to change the ports to which the security appliance listens, use the inspect h323 command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect h323 {h225 | ras}
no inspect h323 {h225 | ras}
Syntax Description
Defaults
The default port assignments are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect h323 command provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
With H.323 inspection enabled, the security appliance supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the security appliance.
The two major functions of H.323 inspection are as follows:
•
•
How H.323 Works
The H.323 collection of protocols collectively may use up to two TCP connection and four to six UDP connections. FastStart uses only one TCP connection, and RAS uses a single UDP connection for registration, admissions, and status.
An H.323 client may initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. The H.245 connection is for call negotiation and media channel setup. In environments where H.323 gatekeeper is in use, the initial packet is transmitted using UDP.
H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323 terminals are not using FastStart, the security appliance dynamically allocates the H.245 connection based on the inspection of the H.225 messages.
Note
Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically creates connections for the media exchange. Real-Time Transport Protocol (RTP) uses the negotiated port number, while RTP Control Protocol (RTCP) uses the next higher port number.
The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports.
•
•
•
If the ACF message from the gatekeeper goes through the security appliance, a pinhole will be opened for the H.225 connection. The H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper is used, the security appliance opens an H.225 connection based on inspection of the ACF message. If | the security appliance does not see the ACF message, you might need to open an access list for the well-known H.323 port 1720 for the H.225 call signaling.
The security appliance dynamically allocates the H.245 channel after inspecting the H.225 messages and then hooks up to the H.245 channel to be fixed up as well. That means whatever H.245 messages pass through the security appliance pass through the H.245 application inspection, NATing embedded IP addresses and opening the negotiated media channels.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not necessarily need to be sent in the same TCP packet as the H.225/H.245 message, the security appliance must remember the TPKT length to process/decode the messages properly. The security appliance keeps a data structure for each connection and that data structure contains the TPKT length for the next expected message.
If the security appliance needs to NAT any IP addresses, then it will have to change the checksum, the UUIE (user-user information element) length, and the TPKT, if included in the TCP packet with the H.225 message. If the TPKT is sent in a separate TCP packet, then the security appliance will proxy ACK that TPKT and append a new TPKT to the H.245 message with the new length.
Note
Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection and will time out with the H.323 timeout as configured using the timeout command.
Limitations and Restrictions
The following are some of the known issues and limitations when using H.323 application inspection:
•
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect h323 command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect h323 command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect h323 command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
You enable the H.323 inspection engine as shown in the following example, which creates a class map to match H.323 traffic on the default port (1720). The service policy is then applied to the outside interface.
hostname(config)# class-map h323-porthostname(config-cmap)# match port tcp eq 1720hostname(config-cmap)# exithostname(config)# policy-map h323_policyhostname(config-pmap)# class h323-porthostname(config-pmap-c)# inspect h323hostname(config-pmap-c)# exithostname(config)# service-policy h323_policy interface outsideTo enable H.323 inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect http
To enable HTTP application inspection or to change the ports to which the security appliance listens, use the inspect http command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect http [map_name]
no inspect http [map_name]
Syntax Description
Defaults
The default port for HTTP is 80.
Enhanced HTTP inspection is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect http command protects against specific attacks and other threats that may be associated with HTTP traffic. HTTP inspection performs several functions:
•
•
•
The latter two features are configured in conjunction with the filter command.
Enhanced HTTP inspection verifies that HTTP messages conform to RFC 2616, use RFC-defined methods or supported extension methods, and comply with various other criteria. In many cases, you can configure these criteria and the system response when the criteria are not met. The actions that you can specify for messages that fail the criteria set using the different configuration commands include allow, reset, or drop. In addition to these actions, you can specify to log the event or not.
The criteria that you can apply to HTTP messages include the following:
•
•
•
•
•
•
•
•
•
•
•
•
Note
To enable enhanced HTTP inspection, enter the inspect http http-map command. The rules that this applies to HTTP traffic are defined by the specific HTTP map, which you configure by entering the http-map command and HTTP map configuration mode commands.
Note
Examples
The following example shows how to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# class-map http-porthostname(config-cmap)# match port tcp eq 80hostname(config-cmap)# exithostname(config)# http-map inbound_httphostname(config-http-map)# content-length min 100 max 2000 action reset loghostname(config-http-map)# content-type-verification match-req-rsp reset loghostname(config-http-map)# max-header-length request bytes 100 action log resethostname(config-http-map)# max-uri-length 100 action reset loghostname(config-http-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class http-porthostname(config-pmap-c)# inspect http inbound_httphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideThis example causes the security appliance to reset the connection and create a syslog entry when it detects any traffic that contain the following:
•
•
•
•
Related Commands
inspect icmp
To configure the ICMP inspection engine, use the inspect icmp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode.
inspect icmp
no inspect icmp
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct
When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request.
Examples
You enable the ICMP application inspection engine as shown in the following example, which creates a class map to match ICMP traffic using the ICMP protocol ID, which is 1 for IPv4 and 58 for IPv6. The service policy is then applied to the outside interface.
hostname(config)# class-map icmp-classhostname(config-cmap)# match default-inspection-traffichostname(config-cmap)# exithostname(config)# policy-map icmp_policyhostname(config-pmap)# class icmp-classhostname(config-pmap-c)# inspect icmphostname(config-pmap-c)# exithostname(config)# service-policy icmp_policy interface outsideTo enable ICMP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect icmp error
To enable application inspection for ICMP error messages, use the inspect icmp error command in class configuration mode. Class configuration mode is accessible from policy map configuration mode.
inspect icmp error
no inspect icmp error
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
Use the inspect icmp error command to create xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. By default, the security appliance hides the IP addresses of intermediate hops. However, using the inspect icmp error command makes the intermediate hop IP addresses visible. The security appliance overwrites the packet with the translated IP addresses.
When enabled, the ICMP error inspection engine makes the following changes to the ICMP packet:
•
•
•
–
–
–
When an ICMP error message is retrieved, whether ICMP error inspection is enabled or not, the ICMP payload is scanned to retrieve the five-tuple (src ip , dest ip, src port, dest port, and ip protocol) from the original packet. A lookup is performed, using the retrieved five-tuple, to determine the original address of the client and to locate an existing session associated with the specific five-tuple. If the session is not found, the ICMP error message is dropped.
Examples
You enable the ICMP error application inspection engine as shown in the following example, which creates a class map to match ICMP traffic using the ICMP protocol ID, which is 1 for IPv4 and 58 for IPv6. The service policy is then applied to the outside interface.
hostname(config)# class-map icmp-classhostname(config-cmap)# match default-inspection-traffichostname(config-cmap)# exithostname(config)# policy-map icmp_policyhostname(config-pmap)# class icmp-classhostname(config-pmap-c)# inspect icmp errorhostname(config-pmap-c)# exithostname(config)# service-policy icmp_policy interface outsideTo enable ICMP error inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect ils
To enable ILS application inspection or to change the ports to which the security appliance listens, use the inspect ils command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ils
no inspect ils
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect ils command provides NAT support for Microsoft NetMeeting, SiteServer, and Active Directory products that use LDAP to exchange directory information with an ILS server.
Use the port option to change the default port assignment from 389. Use the -port option to apply ILS inspection to a range of port numbers.
The security appliance supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database.
For search responses, when the LDAP server is located outside, NAT should be considered to allow internal peers to communicate locally while registered to external LDAP servers. For such search responses, xlates are searched first, and then DNAT entries to obtain the correct address. If both of these searches fail, then the address is not changed. For sites using NAT 0 (no NAT) and not expecting DNAT interaction, we recommend that the inspection engine be turned off to provide better performance.
Additional configuration may be necessary when the ILS server is located inside the security appliance border. This would require a hole for outside clients to access the LDAP server on the specified port, typically TCP 389.
Because ILS traffic only occurs on the secondary UDP channel, the TCP connection is disconnected after the TCP inactivity interval. By default, this interval is 60 minutes and can be adjusted using the timeout command.
ILS/LDAP follows a client/server model with sessions handled over a single TCP connection. Depending on the client's actions, several of these sessions may be created.
During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.323 (SETUP and CONNECT messages) to establish the NetMeeting sessions. Microsoft NetMeeting v2.X and v3.X provides ILS support.
The ILS inspection performs the following operations:
•
•
•
•
•
•
•
ILS inspection has the following limitations:
•
•
•
Note
Examples
You enable the ILS inspection engine as shown in the following example, which creates a class map to match ILS traffic on the default port (389). The service policy is then applied to the outside interface.
hostname(config)# class-map ils-porthostname(config-cmap)# match port tcp eq 389hostname(config-cmap)# exithostname(config)# policy-map ils_policyhostname(config-pmap)# class ils-porthostname(config-pmap-c)# inspect ilshostname(config-pmap-c)# exithostname(config)# service-policy ils_policy interface outsideTo enable ILS inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect ipsec-pass-thru
To enable ESP inspection, use the inspect ipsec-pass-thru command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ipsec-pass-thru
no inspect ipsec-pass-thru
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
This inspection is configured to open pinholes for ESP traffic. All ESP data flows are permitted when a forward flow exists, and there is no limit on the maximum number of connections that can be allowed. AH is not permitted. The default idle timeout for ESP data flows is by default set to 10 minutes. This inspection can be applied in all locations that other inspections can be applied, including class and match command modes.
Examples
You enable the ESP inspection engine as shown in the following example, which creates a class map to match ESP traffic on the default port (500).
hostname(config)# access-list test-udp-acl extended permit udp any any eq 500hostname(config)# class-map test-udp-classhostname(config-cmap)# match access-list test-udp-aclhostname(config)# policy-map test-udp-policyhostname(config-pmap)# class test-udp-classhostname(config-pmap-c)# inspect ipsec-pass-thruTo enable ESP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect mgcp
To enable MGCP application inspection or to change the ports to which the security appliance listens, use the inspect mgcp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect mgcp [map_name]
no inspect mgcp [map_name]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
To use MGCP, you usually need to configure at least two inspect commands: one for the port on which the gateway receives commands, and one for the port on which the Call Agent receives commands. Normally, a Call Agent sends commands to the default MGCP port for gateways, 2427, and a gateway sends commands to the default MGCP port for Call Agents, 2727.
MGCP is used for controlling media gateways from external call control elements called media gateway controllers or call agents. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Using NAT and PAT with MGCP lets you support a large number of devices on an internal network with a limited set of external (global) addresses.
Examples of media gateways are:
•
•
•
MGCP messages are transmitted over UDP. A response is sent back to the source address (IP address and UDP port number) of the command, but the response may not arrive from the same address as the command was sent to. This can happen when multiple call agents are being used in a failover configuration and the call agent that received the command has passed control to a backup call agent, which then sends the response.
Note
Use the call-agent and gateway commands in MGCP map configuration mode to configure the IP addresses of one or more call agents and gateways. Use the command-queue command in MGCP map configuration mode to specify the maximum number of MGCP commands that will be allowed in the command queue at one time.
Inspecting Signaling Messages
For inspecting signaling messages, the inspect mgcp command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect mgcp command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect mgcp command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
The following example shows how to identify MGCP traffic, define a MGCP map, define a policy, and apply the policy to the outside interface. This creates a class map to match MGCP traffic on the default ports (2427 and 2727). The service policy is then applied to the outside interface.
hostname(config)# access-list mgcp_acl permit tcp any any eq 2427hostname(config)# access-list mgcp_acl permit tcp any any eq 2727hostname(config)# class-map mgcp_porthostname(config-cmap)# match access-list mgcp_aclhostname(config-cmap)# exithostname(config)# mgcp-map inbound_mgcphostname(config-mgcp-map)# call-agent 10.10.11.5 101hostname(config-mgcp-map)# call-agent 10.10.11.6 101hostname(config-mgcp-map)# call-agent 10.10.11.7 102hostname(config-mgcp-map)# call-agent 10.10.11.8 102hostname(config-mgcp-map)# gateway 10.10.10.115 101hostname(config-mgcp-map)# gateway 10.10.10.116 102hostname(config-mgcp-map)# gateway 10.10.10.117 102hostname(config-mgcp-map)# command-queue 150hostname(config-mgcp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class mgcp_porthostname(config-pmap-c)# inspect mgcp mgcp-map inbound_mgcphostname(config-pmap-c)# exithostname(config)# service-policy inbound_policy interface outsideThis configuration allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117. The maximum number of MGCP commands that can be queued is 150.
To enable MGCP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect netbios
To enable NetBIOS application inspection or to change the ports to which the security appliance listens, use the inspect netbios command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect netbios
no inspect netbios
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect netbios command enables or disables application inspection for the NetBIOS protocol.
Examples
You enable the NetBIOS inspection engine as shown in the following example, which creates a class map to match NetBIOS traffic on the default UDP ports (137 and 138). The service policy is then applied to the outside interface.
hostname(config)# class-map netbios-porthostname(config-cmap)# match port udp range 137 138hostname(config-cmap)# exithostname(config)# policy-map netbios_policyhostname(config-pmap)# class netbios-porthostname(config-pmap-c)# inspect netbioshostname(config-pmap-c)# exithostname(config)# service-policy netbios_policy interface outsideTo enable NetBIOS inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect pptp
To enable PPTP application inspection or to change the ports to which the security appliance listens, use the inspect pptp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect pptp
no inspect pptp
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The Point-to-Point Tunneling Protocol (PPTP) is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and managing the PPTP GRE tunnels. The GRE tunnels carries PPP sessions between the two hosts.
When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637, is supported.
PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC 1701, RFC 1702].
Specifically, the security appliance inspects the PPTP version announcements and the outgoing call request/response sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected. Further inspection on the TCP control channel is disabled if the version announced by either side is not Version 1. In addition, the outgoing-call request and reply sequence are tracked. Connections and xlates are dynamic allocated as necessary to permit subsequent secondary GRE data traffic.
The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT is only performed for a modified version of GRE (RFC2637) and only if it is negotiated over the PPTP TCP control channel. PAT is not performed for the unmodified version of GRE (RFC 1701 and RFC 1702).
As described in RFC 2637, the PPTP protocol is mainly used for the tunneling of PPP sessions initiated from a modem bank PAC (PPTP Access Concentrator) to the headend PNS (PPTP Network Server). When used this way, the PAC is the remote client and the PNS is the server.
However, when used for VPN by Windows, the interaction is inverted. The PNS is a remote single-user PC that initiates connection to the head-end PAC to gain access to a central network. |
Examples
You enable the PPTP inspection engine as shown in the following example, which creates a class map to match PPTP traffic on the default port (1723). The service policy is then applied to the outside interface.
hostname(config)# class-map pptp-porthostname(config-cmap)# match port tcp eq 1723hostname(config-cmap)# exithostname(config)# policy-map pptp_policyhostname(config-pmap)# class pptp-porthostname(config-pmap-c)# inspect pptphostname(config-pmap-c)# exithostname(config)# service-policy pptp_policy interface outsideTo enable PPTP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect rsh
To enable RSH application inspection or to change the ports to which the security appliance listens, use the inspect rsh command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect rsh
no inspect rsh
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The RSH protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514. The client and server negotiate the TCP port number where the client listens for the STDERR output stream. RSH inspection supports NAT of the negotiated port number if necessary.
Examples
You enable the RSH inspection engine as shown in the following example, which creates a class map to match RSH traffic on the default port (514). The service policy is then applied to the outside interface.
hostname(config)# class-map rsh-porthostname(config-cmap)# match port tcp eq 514hostname(config-cmap)# exithostname(config)# policy-map rsh_policyhostname(config-pmap)# class rsh-porthostname(config-pmap-c)# inspect rshhostname(config-pmap-c)# exithostname(config)# service-policy rsh_policy interface outsideTo enable RSH inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect rtsp
To enable RTSP application inspection or to change the ports to which the security appliance listens, use the inspect rtsp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect rtsp
no inspect rtsp
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect rtsp command lets the security appliance pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.
Note
RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The security appliance only supports TCP, in conformity with RFC 2326. This TCP control channel is used to negotiate the data channels that will be used to transmit audio/video traffic, depending on the transport mode that is configured on the client.
The supported RDT transports are: rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp.
The security appliance parses Setup response messages with a status code of 200. If the response message is travelling inbound, the server is outside relative to the security appliance and dynamic channels need to be opened for connections coming inbound from the server. If the response message is outbound, then the security appliance does not need to open dynamic channels.
Because RFC 2326 does not require that the client and server ports must be in the SETUP response message, the security appliance will need to keep state and remember the client ports in the SETUP message. QuickTime places the client ports in the SETUP message and then the server responds with only the server ports.
Using RealPlayer
When using RealPlayer, it is important to properly configure transport mode. For the security appliance, add an access-list command statement from the server to the client or vice versa. For RealPlayer, change transport mode by clicking Options>Preferences>Transport>RTSP Settings.
If using TCP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use TCP for all content check boxes. On the security appliance, there is no need to configure the inspection engine.
If using UDP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use UDP for static content check boxes, and for live content not available via Multicast. On the security appliance, add a inspect rtsp port command statement.
Restrictions and Limitations
The following restrictions apply to the inspect rtsp command:
•
•
•
•
•
•
•
Examples
You enable the RTSP inspection engine as shown in the following example, which creates a class map to match RTSP traffic on the default ports (554 and 8554). The service policy is then applied to the outside interface.
hostname(config)# access-list rtsp-acl permit tcp any any eq 554hostname(config)# access-list rtsp-acl permit tcp any any eq 8554hostname(config)# class-map rtsp-traffichostname(config-cmap)# match access-list rtsp-aclhostname(config-cmap)# exithostname(config)# policy-map rtsp_policyhostname(config-pmap)# class rtsp-traffichostname(config-pmap-c)# inspect rtsphostname(config-pmap-c)# exithostname(config)# service-policy rtsp_policy interface outsideTo enable RTSP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect sip
To enable SIP application inspection or to change the ports to which the security appliance listens, use the inspect sip command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect sip
no inspect sip
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
The default port assignment for SIP is 5060.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
SIP, as defined by the IETF, enables VoIP calls. SIP works with SDP for call signalling. SDP specifies the details of the media stream. Using SIP, the security appliance can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs:
•
•
To support SIP calls through the security appliance, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.
Note
Instant Messaging
Instant Messaging refers to the transfer of messages between users in near real-time. The MESSAGE/INFO methods and 202 Accept response are used to support IM as defined in the following RFCs:
•
•
MESSAGE/INFO requests can come in at any time after registration/subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes, which will time out according to the configured SIP timeout value. This value must be configured at least five minutes longer than the subscription duration. The subscription duration is defined in the Contact Expires value and is typically 30 minutes.
Because MESSAGE/INFO requests are typically sent using a dynamically allocated port other than port 5060, they are required to go through the SIP inspection engine.
Note
Technical Details
SIP inspection NATs the SIP text-based messages, recalculates the content length for the SDP portion of the message, and recalculates the packet length and checksum. It dynamically opens media connections for ports specified in the SDP portion of the SIP message as address/ports on which the endpoint should listen.
SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload that identifies the call, as well as the source and destination. Contained within this database are the media addresses and media ports that were contained in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session. RTP/RTCP connections are opened between the two endpoints using these media addresses/ports.
The well-known port 5060 must be used on the initial call setup (INVITE) message. However, subsequent messages may not have this port number. The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be NATed.
As a call is set up, the SIP session is considered in the "transient" state. This state remains until a Response message is received indicating the RTP media address and port on which the destination endpoint is listening. If there is a failure to receive the response messages within one minute, the signaling connection will be torn down.
Once the final handshake is made, the call state is moved to active and the signaling connection will remain until a BYE message is received.
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface will not traverse the security appliance, unless the security appliance configuration specifically allows it.
The media connections are torn down within two minutes after the connection becomes idle. This is, however, a configurable timeout and can be set for a shorter or longer period of time.
Inspecting Signaling Messages
For inspecting signaling messages, the inspect sip command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect sip command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect sip command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
You enable the SIP inspection engine as shown in the following example, which creates a class map to match SIP traffic on the default port (5060). The service policy is then applied to the outside interface.
hostname(config)# class-map sip-porthostname(config-cmap)# match port tcp eq 5060hostname(config-cmap)# exithostname(config)# policy-map sip_policyhostname(config-pmap)# class sip-porthostname(config-pmap-c)# inspect siphostname(config-pmap-c)# exithostname(config)# service-policy sip_policy interface outsideTo enable SIP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect skinny
T o enable SCCP (Skinny) application inspection or to change the ports to which the security appliance listens, use the inspect skinny command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect skinny
no inspect skinny
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
Skinny (or Simple) Client Control Protocol (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323-compliant terminals. Application layer functions in the security appliance recognize SCCP Version 3.3. The functionality of the application layer software ensures that all SCCP signaling and media packets can traverse the security appliance by providing NAT of the SCCP Signaling packets.
There are 5 versions of the SCCP protocol: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2. The security appliance supports all versions through Version 3.3.2. The security appliance provides both PAT and NAT support for SCCP. PAT is necessary if you have limited numbers of global IP addresses for use by IP phones.
Normal traffic between the Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without any special configuration.The security appliance also supports DHCP options 150 and 66, which allow the security appliance to send the location of a TFTP server to Cisco IP Phones and other DHCP clients. For more information, see the dhcp-server command.
Supporting Cisco IP Phones
In topologies where Cisco CallManager is located on the higher security interface with respect to the Cisco IP Phones, if NAT is required for the Cisco CallManager IP address, the mapping must be static as a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its configuration. An identity static entry allows the Cisco CallManager on the higher security interface to accept registrations from the Cisco IP Phones.
Cisco IP Phones require access to a TFTP server to download the configuration information they need to connect to the Cisco CallManager server.
When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an access list to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, this does not have to be an "identity" static entry. When using NAT, an identity static entry maps to the same IP address. When using PAT, it maps to the same IP address and port.
When the Cisco IP Phones are on a higher security interface compared to the TFTP server and Cisco CallManager, no access list or static entry is required to allow the Cisco IP Phones to initiate the connection.
Restrictions and Limitations
The following are limitations that apply to the current version of PAT and NAT support for SCCP:
•
•
Note
If the address of an internal Cisco CallManager is configured for NAT or PAT to a different IP address or port, registrations for external Cisco IP Phones will fail because the security appliance currently does not support NAT or PAT for the file content transferred via TFTP. Although the security appliance does support NAT of TFTP messages, and opens a pinhole for the TFTP file to traverse the security appliance, the security appliance cannot translate the Cisco CallManager IP address and port embedded in the Cisco IP Phone's configuration files that are being transferred using TFTP during phone registration.
Inspecting Signaling Messages
For inspecting signaling messages, the inspect skinny command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect skinny command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect skinny command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
You enable the SCCP inspection engine as shown in the following example, which creates a class map to match SCCP traffic on the default port (2000). The service policy is then applied to the outside interface.
hostname(config)# class-map skinny-porthostname(config-cmap)# match port tcp eq 2000hostname(config-cmap)# exithostname(config)# policy-map skinny_policyhostname(config-pmap)# class skinny-porthostname(config-pmap-c)# inspect skinnyhostname(config-pmap-c)# exithostname(config)# service-policy skinny_policy interface outsideTo enable SCCP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect snmp
To enable SNMP application inspection or to change the ports to which the security appliance listens, use the inspect snmp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect snmp map_name
no inspect snmp map_name
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the inspect snmp command to enable SNMP inspection, using the settings configured with an SNMP map, which you create using the snmp-map command. Use the deny version command in SNMP map configuration mode to restrict SNMP traffic to a specific version of SNMP.
Earlier versions of SNMP are less secure so restricting SNMP traffic to Version 2 may be required by your security policy. To deny a specific version of SNMP, use the deny version command within an SNMP map, which you create using the snmp-map command. After configuring the SNMP map, you enable the map using the inspect snmp command and then apply it to one or more interfaces using the service-policy command.
Examples
The following example identifies SNMP traffic, defines an SNMP map, defines a policy, enables SNMP inspection, and applies the policy to the outside interface:
hostname(config)# access-list snmp-acl permit tcp any any eq 161hostname(config)# access-list snmp-acl permit tcp any any eq 162hostname(config)# class-map snmp-porthostname(config-cmap)# match access-list snmp-aclhostname(config-cmap)# exithostname(config)# snmp-map inbound_snmphostname(config-snmp-map)# deny version 1hostname(config-snmp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class snmp-porthostname(config-pmap-c)# inspect snmp inbound_snmphostname(config-pmap-c)# exitTo enable strict snmp application inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect sqlnet
To enable Oracle SQL*Net application inspection, use the inspect sqlnet command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect sqlnet
no inspect sqlnet
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
The default port assignment is 1521.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the previously existing fixup command, which is now deprecated.
Usage Guidelines
The SQL*Net protocol consists of different packet types that the security appliance handles to make the data stream appear consistent to the Oracle applications on either side of the security appliance.
The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the class-map command to apply SQL*Net inspection to a range of port numbers.
Note
The security appliance NATs all addresses and looks in the packets for all embedded ports to open for SQL*Net Version 1.
For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets with a zero data length will be fixed up.
The packets that need fix-up contain embedded host/port addresses in the following format:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the packet.
SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and addresses to NAT, if preceded by a REDIRECT TNSFrame type with a zero data length for the payload. When the Redirect message with data length zero passes through the security appliance, a flag will be set in the connection data structure to expect the Data or Redirect message that follows to be NATed and ports to be dynamically opened. If one of the TNS frames in the preceding paragraph arrive after the Redirect message, the flag will be reset.
The SQL*Net inspection engine will recalculate the checksum, change IP, TCP lengths, and readjust Sequence Numbers and Acknowledgment Numbers using the delta of the length of the new and old message.
SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be NATed and port connections will be opened.
Examples
You enable the SQL*Net inspection engine as shown in the following example, which creates a class map to match SQL*Net traffic on the default port (1521). The service policy is then applied to the outside interface.
hostname(config)# class-map sqlnet-porthostname(config-cmap)# match port tcp eq 1521hostname(config-cmap)# exithostname(config)# policy-map sqlnet_policyhostname(config-pmap)# class sqlnet-porthostname(config-pmap-c)# inspect sqlnethostname(config-pmap-c)# exithostname(config)# service-policy sqlnet_policy interface outsideTo enable SQL*Net inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect sunrpc
To enable Sun RPC application inspection or to change the ports to which the security appliance listens, use the inspect sunrpc command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect sunrpc
no inspect sunrpc
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
To enable Sun RPC application inspection or to change the ports to which the security appliance listens, use the inspect sunrpc command in policy map class configuration mode, which is accessible by using the class command within policy map configuration mode. To remove the configuration, use the no form of this command.
The inspect sunrpc command enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port on the system. When a client attempts to access an Sun RPC service on a server, it must find out which port that service is running on. It does this by querying the portmapper process on the well-known port of 111.
The client sends the Sun RPC program number of the service, and gets back the port number. From this point on, the client program sends its Sun RPC queries to that new port. When a server sends out a reply, the security appliance intercepts this packet and opens both embryonic TCP and UDP connections on that port.
Note
Examples
You enable the RPC inspection engine as shown in the following example, which creates a class map to match RPC traffic on the default port (111). The service policy is then applied to the outside interface.
hostname(config)# class-map sunrpc-porthostname(config-cmap)# match port tcp eq 111hostname(config-cmap)# exithostname(config)# policy-map sample_policyhostname(config-pmap)# class sunrpc-porthostname(config-pmap-c)# inspect sunrpchostname(config-pmap-c)# exithostname(config)# service-policy sample_policy interface outsideTo enable RPC inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect tftp
To disable TFTP application inspection, or to enable it if it has been previously disabled, use the inspect tftp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect tftp
no inspect tftp
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
The default port assignment is 69.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the previously existing fixup command, which is now deprecated.
Usage Guidelines
Trivial File Transfer Protocol (TFTP), described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client.
The security appliance inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server. Specifically, the inspection engine inspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR).
A dynamic secondary channel and a PAT translation, if necessary, are allocated on a reception of a valid read (RRQ) or write (WRQ) request. This secondary channel is subsequently used by TFTP for file transfer or error notification.
Only the TFTP server can initiate traffic over the secondary channel, and at most one incomplete secondary channel can exist between the TFTP client and server. An error notification from the server closes the secondary channel.
TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic.
Examples
You enable the TFTP inspection engine as shown in the following example, which creates a class map to match TFTP traffic on the default port (69). The service policy is then applied to the outside interface.
hostname(config)# class-map tftp-porthostname(config-cmap)# match port udp eq 69hostname(config-cmap)# exithostname(config)# policy-map tftp_policyhostname(config-pmap)# class tftp-porthostname(config-pmap-c)# inspect tftphostname(config-pmap-c)# exithostname(config)# service-policy tftp_policy interface outsideTo enable TFTP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect xdmcp
To enable XDMCP application inspection or to change the ports to which the security appliance listens, use the inspect xdmcp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect xdmcp
no inspect xdmcp
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the previously existing fixup command, which is now deprecated.
Usage Guidelines
The inspect xdmcp command enables or disables application inspection for the XDMCP protocol.
XDMCP is a protocol that uses UDP port 177 to negotiate X sessions, which use TCP when established.
For successful negotiation and start of an XWindows session, the security appliance must allow the TCP back connection from the Xhosted computer. To permit the back connection, use the established command on the security appliance. Once XDMCP negotiates the port to send the display, The established command is consulted to verify if this back connection should be permitted.
During the XWindows session, the manager talks to the display Xserver on the well-known port 6000 | n. Each display has a separate connection to the Xserver, as a result of the following terminal setting.
setenv DISPLAY Xserver:nwhere n is the display number.
When XDMCP is used, the display is negotiated using IP addresses, which the security appliance can NAT if needed. XDCMP inspection does not support PAT.
Examples
You enable the XDMCP inspection engine as shown in the following example, which creates a class map to match XDMCP traffic on the default port (177). The service policy is then applied to the outside interface.
hostname(config)# class-map xdmcp-porthostname(config-cmap)# match port tcp eq 177hostname(config-cmap)# exithostname(config)# policy-map xdmcp_policyhostname(config-pmap)# class xdmcp-porthostname(config-pmap-c)# inspect xdmcphostname(config-pmap-c)# exithostname(config)# service-policy xdmcp_policy interface outsideTo enable XDMCP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
