Ils inspection, C h a p t e r – Cisco ASA 5505 User Manual

Page 941

Advertising
background image

C H A P T E R

45-1

Cisco ASA 5500 Series Configuration Guide using the CLI

45

Configuring Inspection of Database and
Directory Protocols

This chapter describes how to configure application layer protocol inspection. Inspection engines are
required for services that embed IP addressing information in the user data packet or that open secondary
channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection
instead of passing the packet through the fast path. As a result, inspection engines can affect overall
throughput.

Several common inspection engines are enabled on the ASA by default, but you might need to enable
others depending on your network.

This chapter includes the following sections:

ILS Inspection, page 45-1

SQL*Net Inspection, page 45-2

Sun RPC Inspection, page 45-3

ILS Inspection

The ILS inspection engine provides NAT support for Microsoft NetMeeting, SiteServer, and Active
Directory products that use LDAP to exchange directory information with an ILS server.

The ASA supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer
Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database.

For search responses, when the LDAP server is located outside, NAT should be considered to allow
internal peers to communicate locally while registered to external LDAP servers. For such search
responses, xlates are searched first, and then DNAT entries to obtain the correct address. If both of these
searches fail, then the address is not changed. For sites using NAT 0 (no NAT) and not expecting DNAT
interaction, we recommend that the inspection engine be turned off to provide better performance.

Additional configuration may be necessary when the ILS server is located inside the ASA border. This
would require a hole for outside clients to access the LDAP server on the specified port, typically TCP
389.

Because ILS traffic only occurs on the secondary UDP channel, the TCP connection is disconnected after
the TCP inactivity interval. By default, this interval is 60 minutes and can be adjusted using the timeout
command.

ILS/LDAP follows a client/server model with sessions handled over a single TCP connection.
Depending on the client's actions, several of these sessions may be created.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals