10-6
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 10 Getting Started with Application Layer Protocol Inspection
Default Settings and NAT Limitations
SIP TCP/5060
UDP/5060
No outside NAT.
No NAT on same security
interfaces.
No extended PAT.
No per-session PAT.
No NAT64.
(Clustering) No static PAT.
RFC 2543 —
SKINNY
(SCCP)
TCP/2000 No outside NAT.
No NAT on same security
interfaces.
No extended PAT.
No per-session PAT.
No NAT64.
(Clustering) No static PAT.
— Does not handle TFTP uploaded Cisco
IP Phone configurations under certain
circumstances.
SMTP and
ESMTP
TCP/25 No NAT64. RFC 821, 1123 —
SNMP UDP/161,
162
No NAT or PAT. RFC 1155, 1157,
1212, 1213, 1215
v.2 RFC 1902-1908; v.3 RFC
2570-2580.
SQL*Net TCP/1521 No extended PAT.
No NAT64.
(Clustering) No static PAT.
— v.1 and v.2.
Sun RPC over
UDP and TCP
UDP/111 No extended PAT.
No NAT64.
— The default rule includes UDP port 111;
if you want to enable Sun RPC
inspection for TCP port 111, you need
to create a new rule that matches TCP
port 111 and performs Sun RPC
inspection.
TFTP UDP/69 No NAT64.
(Clustering) No static PAT.
RFC 1350 Payload IP addresses are not translated.
WAAS — No extended PAT.
No NAT64.
——
XDCMP UDP/177 No extended PAT.
No NAT64.
(Clustering) No static PAT.
——
1. Inspection engines that are enabled by default for the default port are in bold.
2. The ASA is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed
to be in a particular order, but the ASA does not enforce the order.
Table 10-1 Supported Application Inspection Engines (continued)
Application
1
Default Port NAT Limitations Standards
2
Comments