Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 43 Configuring Inspection of Basic Internet Protocols

ICMP Error Inspection

When this feature is enabled, the ASA creates translation sessions for the intermediate hops that send ICMP error messages, based on the NAT configuration, and rewrites the ICMP packet with the translated IP addresses.

When it is disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP error messages. ICMP error messages generated by the intermediate nodes between the inside host and the ASA reach the outside host without consuming any additional NAT resources. This is undesirable when an outside host uses the traceroute command to trace the hops to a destination on the inside of the ASA: because the ASA does not translate the intermediate hops, every intermediate hop appears with the mapped destination IP address instead of its own.

The ICMP payload is scanned to retrieve the five-tuple (protocol, source and destination IP addresses, source and destination ports) of the original packet quoted in the error. Using the retrieved five-tuple, a lookup is performed to determine the original (real) address of the client. The ICMP error inspection engine then makes the following changes to the ICMP packet:

- In the IP header, the mapped IP address in the destination address field is changed to the real IP address, and the IP checksum is recalculated.

- In the ICMP header, the ICMP checksum is recalculated because the contents of the ICMP packet changed.

- In the payload (the quoted original packet), the following changes are made:

  - the mapped IP address of the original packet (the inside host's translated source address) is changed to the real IP address;

  - the mapped port of the original packet is changed to the real port;

  - the IP checksum of the original packet is recalculated.
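The rewrite described above, worked through as an added example that is not code from the original guide or from Cisco: a Python model of ICMP error inspection for an inside host whose source address and port are PAT-translated. The translation table, the addresses (documentation ranges), the ports and the hop are all constructed for this illustration; a real ASA consults its connection and xlate tables, and this model does not create the per-hop translation sessions mentioned in the first paragraph, it only shows the five-tuple lookup and the three rewrites (outer destination, quoted source address and port, and the three checksums).

```python
import socket
import struct

# Constructed stand-in for the ASA xlate table (illustration only):
# (protocol, mapped IP, mapped port) -> (real IP, real port).
# The inside host 10.1.1.5:40000 is PAT-translated to 198.51.100.5:50000.
XLATE = {
    (socket.IPPROTO_UDP, "198.51.100.5", 50000): ("10.1.1.5", 40000),
}

# ICMP types that quote the offending datagram (RFC 792): destination
# unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Run over a header whose checksum field
    is already valid it returns 0, which is how the rewrite is verified."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_datagram(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data  # UDP checksum 0 = absent
    return ipv4_header(src, dst, socket.IPPROTO_UDP, len(udp)) + udp


def icmp_error(hop: str, victim: str, itype: int, code: int, original: bytes) -> bytes:
    """ICMP error as an intermediate hop sends it: 8-byte ICMP header followed
    by the original IP header plus the first 8 bytes of its payload."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + original[:28]
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(hop, victim, socket.IPPROTO_ICMP, len(icmp), ttl=255) + icmp


def embedded_five_tuple(packet: bytes):
    """Scan the ICMP payload and return (proto, src, sport, dst, dport) of the
    quoted original packet; this is the lookup key the text describes."""
    ihl = (packet[0] & 0x0F) * 4
    inner = packet[ihl + 8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return inner[9], src, sport, dst, dport


def inspect_icmp_error(packet: bytes) -> bytes:
    """Apply the three rewrites from the text to an ICMP error addressed to a
    mapped address; anything that is not a translatable ICMP error is returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or packet[ihl] not in ICMP_ERROR_TYPES:
        return packet
    proto, m_src, m_sport, _, _ = embedded_five_tuple(packet)
    # Sanity check: the error must be addressed to the host that sent the quoted packet.
    if socket.inet_ntoa(packet[16:20]) != m_src:
        return packet
    xlate = XLATE.get((proto, m_src, m_sport))
    if xlate is None:
        return packet  # assumption for this model: no translation, pass through untouched
    real_ip, real_port = xlate
    outer = bytearray(packet[:ihl])
    icmp = bytearray(packet[ihl:])
    inner = icmp[8:]            # slicing a bytearray copies; written back below
    inner_ihl = (inner[0] & 0x0F) * 4
    # IP header: mapped destination -> real destination, IP checksum recomputed.
    outer[16:20] = socket.inet_aton(real_ip)
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    # Payload: quoted source IP and port mapped -> real, quoted IP checksum recomputed.
    inner[12:16] = socket.inet_aton(real_ip)
    inner[inner_ihl:inner_ihl + 2] = struct.pack("!H", real_port)
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:inner_ihl])))
    icmp[8:] = inner
    # ICMP header: the checksum covers the header plus the rewritten payload.
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(outer) + bytes(icmp)


# Constructed scenario: the inside host runs a UDP traceroute to 203.0.113.9; the
# probe leaves the ASA with the mapped source, and hop 203.0.113.1 returns
# ICMP time exceeded (type 11, code 0) to that mapped address.
PROBE_AS_SEEN_OUTSIDE = udp_datagram("198.51.100.5", "203.0.113.9", 50000, 33434, b"\x00" * 8)
ERROR_FROM_HOP = icmp_error("203.0.113.1", "198.51.100.5", 11, 0, PROBE_AS_SEEN_OUTSIDE)

if __name__ == "__main__":
    rewritten = inspect_icmp_error(ERROR_FROM_HOP)
    print("outer dst:", socket.inet_ntoa(rewritten[16:20]))
    print("quoted 5-tuple:", embedded_five_tuple(rewritten))
```

The point of rewriting the quoted source address and port, not just the outer destination, is that the inside host's IP stack matches an incoming ICMP error against its own sockets using the quoted five-tuple; if the quote still carried the mapped address and port, the host would discard the error and traceroute from the inside would show no hops.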

Instant Messaging Inspection

This section describes the IM inspection engine and includes the following topics:

IM Inspection Overview, page 43-21

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control, page 43-21

IM Inspection Overview

The IM inspection engine lets you apply fine-grained controls to IM applications in order to control network usage and to stop leakage of confidential data, propagation of worms, and other threats to the corporate network.

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an IM inspection policy map. You can
then apply the inspection policy map when you enable IM inspection.
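A minimal IM inspection policy map, added here as an illustration and not taken from this guide: it uses the ASA regex, class-map type inspect im, policy-map type inspect im and inspect im commands; the names im-exe-name, im-exe-transfer and im-policy are placeholders chosen for this example, and the global_policy / inspection_default names are the ASA defaults. The policy drops and logs any IM file transfer whose file name ends in .exe, then the policy map is applied by enabling IM inspection in the default global policy.

```text
regex im-exe-name ".*\.exe"

class-map type inspect im match-all im-exe-transfer
 match service file-transfer
 match filename regex im-exe-name

policy-map type inspect im im-policy
 class im-exe-transfer
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect im im-policy
```

After applying it, confirm with show service-policy that the inspection is attached to the intended class, and check the log for the drop messages before tightening the policy further; a match-all class with an overly broad regex silently blocks legitimate transfers.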
