Cisco 7604 Configuration Guide - Page 420
Default Inspection Policy, DNS over UDP
Chapter 22 Applying Application Layer Protocol Inspection
Inspection Engine Overview

• If you configure PAT for traffic that is being inspected, the FWSM performs application inspection on the translated port numbers rather than the real port numbers. Service policies that apply inspection to traffic with translated port numbers should therefore use class maps that identify the traffic by its translated port numbers. For example, if you implement PAT to translate ports 2727 and 2427 to port 1400, configure MGCP inspection to match traffic sent to port 1400 rather than the well-known ports 2427 and 2727.

• When application inspection is enabled on the FWSM for TCP flows (especially for protocols such as VoIP), the TCP sender segments its data based on the maximum segment size (MSS) advertised by the TCP receiver. The FWSM reassembles the TCP segments, performs the inspection, and then transmits the data to the TCP receiver in segments sized by its own interface maximum transmission unit (MTU), not by the MSS the receiver advertised. For example, two SIP endpoints (Polycom video conferencing units) advertise an MSS of 536 bytes. The FWSM proxies this connection, and one video unit sends an H.245 setup message of 761 bytes, segmented into three packets. The FWSM reassembles these three segments and transmits them to the endpoint as a single packet carrying 761 data bytes instead of honoring the 536-byte MSS and resegmenting the message. To account for this limitation, take one of the following actions on the FWSM:
  - Increase the MSS on the TCP receiver.
  - Lower the MTU on the FWSM interface facing the receiver (an MTU of 576 bytes keeps the TCP payload at or below 536 bytes once the 20-byte IP and 20-byte TCP headers are subtracted).
  - Only if possible, disable the advanced protocol inspection.

• When application inspection is enabled for a protocol and another application uses the same port as that inspected protocol, the FWSM can exhibit unpredictable behavior (including packet loss) when inspecting that protocol. When this situation occurs, disable the inspection engine for that protocol.

Default Inspection Policy

By default, the configuration includes a policy that matches all default application inspection traffic and applies inspection to that traffic on all interfaces (a global policy). Default application inspection traffic includes traffic to the default ports for each protocol. You can apply only one global policy, so if you want to alter the global policy, for example to apply inspection to non-standard ports or to add inspections that are not enabled by default, you need to either edit the default policy or disable it and apply a new one.

Table 22-1 lists all supported inspections, the default ports used in the default class map, and the inspection engines that are on by default (shown in bold). The table also notes any NAT limitations.

Table 22-1 Supported Application Inspection Engines

Application¹ | Default Port | NAT Limitations | Standards² | Comments
CTIQBE | TCP/2748 | - | - | -
DCERPC | TCP/135 | - | - | Supports the map and lookup operations of the EPM for clients.
DNS over UDP | UDP/53 | Only forward NAT. No NAT support is available for name resolution through WINS. | RFC 1123 | No PTR records are changed. Default maximum packet length is 512 bytes.

22-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
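The three overview caveats above (inspection on translated ports, reassembly versus the advertised MSS, and a second application sharing an inspected port) in FWSM configuration form, as an added example that is not part of the guide. Interface names, addresses, class-map names and the choice of SIP as the engine to disable are assumptions; global_policy and inspection_default are the FWSM default names used as-is.

```text
! Added example (not from the guide). Interface names, addresses and
! class-map names are assumptions.

! 1. Static PAT: the MGCP gateway's real UDP/2427 and the call agent's real
!    UDP/2727 both appear as UDP/1400 on the outside. Two distinct mapped
!    addresses are needed because one mapped address cannot present the
!    same mapped port for two real ports.
static (inside,outside) udp 203.0.113.10 1400 10.1.1.10 2427 netmask 255.255.255.255
static (inside,outside) udp 203.0.113.11 1400 10.1.1.11 2727 netmask 255.255.255.255

!    Inspection sees the translated port, so the class matches 1400, not the
!    well-known MGCP ports 2427/2727. The default class (inspection_default,
!    match default-inspection-traffic) would not catch this traffic.
class-map mgcp_pat_class
  match port udp eq 1400
policy-map global_policy
  class mgcp_pat_class
    inspect mgcp

! 2. Reassembly versus MSS: endpoints behind "inside" advertise MSS 536,
!    but after inspection the FWSM resegments on the interface MTU. An MTU
!    of 576 bytes (536 + 20 IP + 20 TCP) keeps each forwarded segment within
!    the advertised MSS. The alternative is raising the MSS on the endpoint.
mtu inside 576

! 3. Last resort for the MSS problem, and the remedy when another
!    application shares the inspected port: remove the engine from the
!    default class. SIP is assumed here to match the text's example.
policy-map global_policy
  class inspection_default
    no inspect sip
```

After applying, confirm which engines are attached to which class with show running-config policy-map and show service-policy global; the MGCP class should report matches only once traffic actually arrives on the translated port.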
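Editing versus replacing the default global policy, as an added example that is not part of the guide. It relies only on the FWSM defaults named in the text (policy-map global_policy attached with service-policy global, class inspection_default matching default-inspection-traffic); the non-standard DNS port 5300, the class name dns_alt_port and the policy name my_global_policy are constructed for illustration.

```text
! Added example (not from the guide). Port 5300, dns_alt_port and
! my_global_policy are assumptions; global_policy and inspection_default
! are the default names.

! (a) Edit the default policy: add an engine that is not on by default.
policy-map global_policy
  class inspection_default
    inspect dcerpc

! (b) Edit the default policy: inspect DNS on a non-standard port. The
!     default class matches only UDP/53, so a second class is required;
!     the DNS engine keeps its 512-byte default maximum packet length.
class-map dns_alt_port
  match port udp eq 5300
policy-map global_policy
  class dns_alt_port
    inspect dns

! (c) Replace instead of edit: only one global policy can be attached, so
!     detach the default one first, then attach the replacement.
no service-policy global_policy global
class-map inspection_default
  match default-inspection-traffic
policy-map my_global_policy
  class inspection_default
    inspect dns
    inspect ftp
    inspect dcerpc
  class dns_alt_port
    inspect dns
service-policy my_global_policy global
```

Choose (a)/(b) when you only need to extend what the default policy already does, and (c) when you want an explicit, minimal engine list; in both cases, re-read the overview caveats before adding an engine on a port that another application also uses.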