Filter
Top Products
24-14
Cisco ASDM User Guide
OL-16647-01
Chapter 24 Configuring Application Layer Protocol Inspection
Instant Messaging Inspection
Instant Messaging Inspection
The IM inspect engine lets you apply fine grained controls on the IM application to control the network
usage and stop leakage of confidential data, propagation of worms, and other threats to the corporate
network.
ICMP Inspection
The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and
UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through
the security appliance in an access list. Without stateful inspection, ICMP can be used to attack your
network. The ICMP inspection engine ensures that there is only one response for each request, and that
the sequence number is correct.
ICMP Error Inspection
When this feature is enabled, the security appliance creates translation sessions for intermediate hops
that send ICMP error messages, based on the NAT configuration. The security appliance overwrites the
packet with the translated IP addresses.
When disabled, the security appliance does not create translation sessions for intermediate nodes that
generate ICMP error messages. ICMP error messages generated by the intermediate nodes between the
inside host and the security appliance reach the outside host without consuming any additional NAT
resource. This is undesirable when an outside host uses the traceroute command to trace the hops to the
destination on the inside of the security appliance. When the security appliance does not translate the
intermediate hops, all the intermediate hops appear with the mapped destination IP address.
The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved
five-tuple, a lookup is performed to determine the original address of the client. The ICMP error
inspection engine makes the following changes to the ICMP packet:
• In the IP Header, the mapped IP is changed to the real IP (Destination Address) and the IP checksum
is modified.
• In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
• In the Payload, the following changes are made:
–
Original packet mapped IP is changed to the real IP
–
Original packet mapped port is changed to the real Port
–
Original packet IP checksum is recalculated
ILS Inspection
The ILS inspection engine provides NAT support for Microsoft NetMeeting, SiteServer, and Active
Directory products that use LDAP to exchange directory information with an ILS server.
The security appliance supports NAT for ILS, which is used to register and locate endpoints in the ILS
or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP
database.