Cisco Systems and the ASA Services Module Network Router User Manual


 
9-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Getting Started with Application Layer Protocol Inspection
Default Settings and NAT Limitations
Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections
is not automatically replicated. While these connections are replicated to the standby unit, there is a
best-effort attempt to re-establish a TCP state.
Default Settings and NAT Limitations
By default, the configuration includes a policy that matches all default application inspection traffic and
applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic
includes traffic to the default ports for each protocol. You can only apply one global policy, so if you
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add
inspections that are not enabled by default, you need to either edit the default policy or disable it and
apply a new one.
Table 9-1 lists all inspections supported, the default ports used in the default class map, and the
inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.
Table 9-1 Supported Application Inspection Engines
Application
1
Default Port NAT Limitations Standards
2
Comments
CTIQBE TCP/2748 No extended PAT.
No NAT64.
(Clustering) No static PAT.
——
DCERPC TCP/135 No NAT64. ——
DNS over UDP UDP/53 No NAT support is available for
name resolution through
WINS.
RFC 1123
FTP TCP/21 (Clustering) No static PAT. RFC 959
GTP UDP/3386
UDP/2123
No extended PAT.
No NAT64.
Requires a special license.
H.323 H.225 and
RAS
TCP/1720
UDP/1718
UDP (RAS)
1718-1719
No dynamic NAT or PAT.
Static PAT may not work.
(Clustering) No static PAT.
No extended PAT.
No per-session PAT.
No NAT on same security
interfaces.
No outside NAT.
No NAT64.
ITU-T H.323,
H.245, H225.0,
Q.931, Q.932
HTTP TCP/80 RFC 2616 Beware of MTU limitations stripping
ActiveX and Java. If the MTU is too
small to allow the Java or ActiveX tag to
be included in one packet, stripping
may not occur.
ICMP