Cisco Systems OL-16647-01 Network Router User Manual


  Open as PDF
of 1230
 
24-28
Cisco ASDM User Guide
OL-16647-01
Chapter 24 Configuring Application Layer Protocol Inspection
TFTP Inspection
TFTP Inspection
TFTP inspection is enabled by default.
TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and
client.
The security appliance inspects TFTP traffic and dynamically creates connections and translations, if
necessary, to permit file transfer between a TFTP client and server. Specifically, the inspection engine
inspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR).
A dynamic secondary channel and a PAT translation, if necessary, are allocated on a reception of a valid
read (RRQ) or write (WRQ) request. This secondary channel is subsequently used by TFTP for file
transfer or error notification.
Only the TFTP server can initiate traffic over the secondary channel, and at most one incomplete
secondary channel can exist between the TFTP client and server. An error notification from the server
closes the secondary channel.
TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic.
XDMCP Inspection
XDMCP inspection is enabled by default; however, the XDMCP inspection engine is dependent upon
proper configuration of the established command.
XDMCP is a protocol that uses UDP port 177 to negotiate X sessions, which use TCP when established.
For successful negotiation and start of an XWindows session, the security appliance must allow the TCP
back connection from the Xhosted computer. To permit the back connection, use the established
command on the security appliance. Once XDMCP negotiates the port to send the display, The
established command is consulted to verify if this back connection should be permitted.
During the XWindows session, the manager talks to the display Xserver on the well-known port 6000 |
n. Each display has a separate connection to the Xserver, as a result of the following terminal setting.
setenv DISPLAY Xserver:n
where n is the display number.
When XDMCP is used, the display is negotiated using IP addresses, which the security appliance can
NAT if needed. XDCMP inspection does not support PAT.
Service Policy Field Descriptions
This section lists the field decsriptions for each protocol inspection dialog box, and includes the
following topics:
Rule Actions > Protocol Inspection Tab, page 24-29
Select DCERPC Map, page 24-31
Select DNS Map, page 24-31
Select ESMTP Map, page 24-32
Select FTP Map, page 24-32
Select GTP Map, page 24-33
 previous next