Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 37 Configuring Inspection of Basic Internet Protocols
ICMP Error Inspection
When this feature is enabled, the adaptive security appliance creates translation sessions for intermediate
hops that send ICMP error messages, based on the NAT configuration. The adaptive security appliance
overwrites the packet with the translated IP addresses.
When disabled, the adaptive security appliance does not create translation sessions for intermediate
nodes that generate ICMP error messages. ICMP error messages generated by the intermediate nodes
between the inside host and the adaptive security appliance reach the outside host without consuming
any additional NAT resource. This is undesirable when an outside host uses the traceroute command to
trace the hops to the destination on the inside of the adaptive security appliance. When the adaptive
security appliance does not translate the intermediate hops, all the intermediate hops appear with the
mapped destination IP address.
The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved
five-tuple, a lookup is performed to determine the original address of the client. The ICMP error
inspection engine makes the following changes to the ICMP packet:
• In the IP Header, the mapped IP is changed to the real IP (Destination Address) and the IP checksum is modified.
• In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
• In the Payload, the following changes are made:
  – Original packet mapped IP is changed to the real IP
  – Original packet mapped port is changed to the real Port
  – Original packet IP checksum is recalculated
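
The rewrite listed above, carried out on raw bytes as an added example (this is not code from Cisco or from this guide). The `XLATE` table and its five-tuple key layout, the function names, and every address and port are assumptions constructed for illustration; the embedded original packet is assumed to be TCP or UDP.

```python
import struct
from ipaddress import IPv4Address

# Hypothetical xlate table: (proto, mapped_ip, mapped_port, peer_ip, peer_port) -> (real_ip, real_port)
XLATE = {(17, "203.0.113.10", 40001, "198.51.100.99", 33434): ("10.1.1.5", 5001)}

def csum(data) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over data that embeds a valid checksum."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload) -> bytes:
    """Minimal 20-byte IPv4 header plus payload, used to build the constructed sample."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                              IPv4Address(src).packed, IPv4Address(dst).packed))
    h[10:12] = struct.pack("!H", csum(h))
    return bytes(h) + bytes(payload)

def untranslate_icmp_error(pkt: bytes, xlate: dict) -> bytes:
    """Rewrite an ICMP error addressed to a mapped IP; anything unmatched is returned unchanged."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if len(outer) < 20 or pkt[9] != 1 or len(icmp) < 36 or icmp[0] not in (3, 4, 5, 11, 12):
        return pkt                                   # not an ICMP error with a full payload
    o, p = 8, 8 + (icmp[8] & 0x0F) * 4               # embedded IP header, embedded TCP/UDP header
    if len(icmp) < p + 4:
        return pkt                                   # embedded ports are truncated
    src, dst = (str(IPv4Address(bytes(icmp[o + i:o + i + 4]))) for i in (12, 16))
    sport, dport = struct.unpack("!HH", icmp[p:p + 4])
    hit = xlate.get((icmp[o + 9], src, sport, dst, dport))   # five-tuple lookup
    if hit is None:
        return pkt                                   # no translation session matches
    real = IPv4Address(hit[0]).packed
    outer[16:20], outer[10:12] = real, b"\x00\x00"   # IP header: destination mapped -> real
    outer[10:12] = struct.pack("!H", csum(outer))    # IP header checksum
    icmp[o + 12:o + 16], icmp[o + 10:o + 12], icmp[2:4] = real, b"\x00\x00", b"\x00\x00"
    icmp[p:p + 2] = struct.pack("!H", hit[1])        # payload: mapped port -> real port
    icmp[o + 10:o + 12] = struct.pack("!H", csum(icmp[o:p]))  # payload: original IP checksum
    icmp[2:4] = struct.pack("!H", csum(icmp))        # ICMP header checksum
    return bytes(outer + icmp)

def sample() -> bytes:
    """Constructed input: router 198.51.100.1 reports TTL expiry for a translated UDP packet."""
    orig = ipv4("203.0.113.10", "198.51.100.99", 17, struct.pack("!HHHH", 40001, 33434, 8, 0))
    body = struct.pack("!BBHI", 11, 0, 0, 0) + orig
    return ipv4("198.51.100.1", "203.0.113.10", 1, body[:2] + struct.pack("!H", csum(body)) + body[4:])
```

The sketch leaves the embedded transport checksum untouched because the list above does not mention it.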
Instant Messaging Inspection
This section describes the IM inspection engine. This section includes the following topics:
• IM Inspection Overview
• Select IM Map
IM Inspection Overview
The IM inspect engine lets you apply fine-grained controls on the IM application to control the network
usage and stop leakage of confidential data, propagation of worms, and other threats to the corporate
network.
Select IM Map
The Select IM Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IM Map
The Select IM Map dialog box lets you select or create a new IM map. An IM map lets you change the
configuration values used for IM application inspection. The Select IM Map table provides a list of
previously configured maps that you can select for application inspection.