Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 10 Getting Started with Application Layer Protocol Inspection
When you enable application inspection for a service that embeds IP addresses, the ASA translates
embedded addresses and updates any checksum or other fields that are affected by the translation.
When you enable application inspection for a service that uses dynamically assigned ports, the ASA
monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports
for the duration of the specific session.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Failover Guidelines
State information for multimedia sessions that require inspection is not passed over the state link for
stateful failover. The exception is GTP, which is replicated over the state link.
IPv6 Guidelines
Supports IPv6 for the following inspections:
• DNS
• FTP
• HTTP
• ICMP
• SIP
• SMTP
• IPsec pass-through
• IPv6
Supports NAT64 for the following inspections:
• DNS
• FTP
• HTTP
• ICMP
Additional Guidelines and Limitations
Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security
interfaces. See “Default Settings and NAT Limitations” for more information about NAT support.
For all application inspections, the ASA limits the number of simultaneous, active data connections
to 200. For example, if an FTP client opens multiple secondary connections, the FTP inspection engine
allows only 200 active connections; the 201st connection is dropped, and the adaptive security
appliance generates a system error message.
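
The following added example (not Cisco code and not the ASA's implementation) models, for FTP, the embedded-address translation and dynamic-port tracking described at the start of this page together with the 200-connection limit above. The class and method names and the NAT mapping are hypothetical, and the addresses are constructed sample values.

```python
import re

MAX_DATA_CONNS = 200  # cap on simultaneous active data connections, from the guide

# "h1,h2,h3,h4,p1,p2" host/port tuple carried in FTP PORT commands and 227 replies
HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


class FtpInspectionModel:
    """Simplified model of one inspected FTP control session (not ASA code)."""

    def __init__(self, nat_map):
        self.nat_map = nat_map   # real IP -> mapped IP (constructed sample data)
        self.expected = set()    # (ip, port) pinholes learned from the control channel
        self.active = set()      # data connections currently open

    def inspect_control(self, line):
        """Rewrite an embedded address and record the negotiated data port.

        Returns the line to forward, or None if the tuple is malformed.
        """
        m = HOSTPORT.search(line)
        if not line.startswith(("PORT ", "227 ")) or m is None:
            return line          # nothing embedded; forward unchanged
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            return None          # not a valid address/port encoding
        real_ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]       # port is sent as two bytes
        mapped_ip = self.nat_map.get(real_ip, real_ip)
        self.expected.add((mapped_ip, port))
        tuple_out = ",".join(mapped_ip.split(".") + [str(nums[4]), str(nums[5])])
        return line[:m.start()] + tuple_out + line[m.end():]

    def open_data(self, ip, port):
        """Permit a data connection only on a negotiated port and under the cap."""
        if (ip, port) not in self.expected or len(self.active) >= MAX_DATA_CONNS:
            return False         # unnegotiated port, or the 201st connection
        self.active.add((ip, port))
        return True

    def close_data(self, ip, port):
        """Free a slot when a data connection ends."""
        self.active.discard((ip, port))
```

The rewritten tuple can differ in length from the original, which is why the translation also has to update checksums and other affected fields.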