User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 14 Configuring Traffic Policies
Configuring Rules and Actions for Policy Maps

Table 14-19 Layer 3/Layer 4 Network Traffic Policy Map Application Inspection Options (continued)

Option: ICMP
Description:
    Internet Control Message Protocol (ICMP) payload inspection is to be performed. ICMP inspection allows ICMP traffic to have a “session” so that it can be inspected similarly to TCP and UDP traffic.
    In the ICMP Error field, specify whether or not the ACE is to perform name address translation on ICMP error messages:
    - N/A—This attribute is not set.
    - False—The ACE is not to perform NAT on ICMP error messages.
    - True—The ACE is to perform NAT on ICMP error messages. When enabled, the ACE creates translation sessions for intermediate or endpoint nodes that send ICMP error messages based on the NAT configuration. The ACE overwrites the packet with the translated IP addresses.

Option: ILS
Description:
    Internet Locator Service (ILS) protocol inspection is to be implemented.

Option: RTSP
Description:
    Real Time Streaming Protocol (RTSP) packet inspection is to be implemented. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE monitors Setup and Response (200 OK) messages in the control channel established using TCP port 554 (no UDP support).
    In the Parameter Map field, choose a previously defined parameter map used to define parameters for RTSP inspection.

Option: SIP
Description:
    SIP protocol inspection is to be implemented. SIP is used for call handling sessions and instant messaging. The ACE inspects signaling messages for media connection addresses, media ports, and embryonic connections. The ACE also uses NAT to translate IP addresses that are embedded in the user-data portion of the packet.
    Do the following:
    a. In the Parameter Map field, specify a previously created parameter map used to define parameters for SIP inspection.
    b. In the SIP Inspect Policy field, choose a previously created Layer 7 SIP inspection policy map to implement packet inspection of Layer 7 SIP application traffic.
    If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.

Option: Skinny
Description:
    Cisco Skinny Client Control Protocol (SCCP) protocol inspection is to be implemented. The SCCP is a Cisco proprietary protocol that is used between Cisco CallManager and Cisco VoIP phones. The ACE uses NAT to translate embedded IP addresses and port numbers in SCCP packet data.
    Do the following:
    a. In the Parameter Map field, specify a previously created connection parameter map used to define parameters for Skinny inspection.
    b. In the Skinny Inspect Policy field, choose a previously created Layer 7 Skinny inspection policy map to implement packet inspection of Layer 7 Skinny application traffic.
    If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks.
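
The SIP entry in this table says the ACE reads media connection addresses and media ports out of the signaling and applies NAT to addresses embedded in the user-data portion of the packet. The Python sketch below is an added illustration of those two steps, not Cisco code and not taken from this guide. It assumes an IPv4 SDP body, a constructed INVITE, a hypothetical one-entry NAT map, and a hypothetical choice of which lines get rewritten (Via, Contact, o=, c=).

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REWRITE_PREFIXES = ("via:", "contact:", "o=", "c=")  # assumption for this sketch

# Constructed sample message (not captured traffic).
SDP = ("v=0\r\n"
       "o=alice 2890844526 2890844526 IN IP4 10.1.1.5\r\n"
       "s=-\r\n"
       "c=IN IP4 10.1.1.5\r\n"
       "t=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.1.1.5:5060;branch=z9hG4bK74bf9\r\n"
          "Call-ID: a84b4c76e66710@10.1.1.5\r\n"
          "Contact: <sip:alice@10.1.1.5:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)
NAT = {"10.1.1.5": "192.0.2.10"}  # hypothetical inside -> outside mapping

def split_message(msg):
    """Split a SIP message into header lines and body lines."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), (body.split("\r\n") if body else [])

def media_endpoints(msg):
    """Return (media, address, port) for each SDP m= line."""
    session_addr, found = None, []
    for line in split_message(msg)[1]:
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if found:                 # media-level c= overrides the session-level one
                found[-1][1] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            found.append([media, session_addr, int(port)])
    return [tuple(f) for f in found]

def translate(msg, nat):
    """Rewrite mapped addresses in selected lines and recompute Content-Length."""
    def swap(line):
        if line.lower().startswith(REWRITE_PREFIXES):
            return IPV4.sub(lambda m: nat.get(m.group(), m.group()), line)
        return line
    head, body = split_message(msg)
    new_body = "\r\n".join(swap(l) for l in body)
    new_head = [f"Content-Length: {len(new_body.encode())}"
                if l.lower().startswith("content-length:") else swap(l) for l in head]
    return "\r\n".join(new_head) + "\r\n\r\n" + new_body
```

The tuple returned by `media_endpoints` is the address and port pair an inspecting device would need to admit for the media stream; the recomputed Content-Length shows why payload rewriting cannot be done by a plain Layer 3/Layer 4 NAT.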