36-4
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 36      Getting Started With Application Layer Protocol Inspection
  Default Settings
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add 
inspections that are not enabled by default, you need to either edit the default policy or disable it and 
apply a new one.
Table 36-1 lists all inspections supported, the default ports used in the default class map, and the 
inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.
Table 36-1 Supported Application Inspection Engines

| Application¹ | Default Port | NAT Limitations | Standards² | Comments |
|---|---|---|---|---|
| CTIQBE | TCP/2748 | — | — | — |
| DCERPC | TCP/135 | — | — | — |
| DNS over UDP | UDP/53 | No NAT support is available for name resolution through WINS. | RFC 1123 | No PTR records are changed. |
| FTP | TCP/21 | — | RFC 959 | — |
| GTP | UDP/3386, UDP/2123 | — | — | Requires a special license. |
| H.323 H.225 and RAS | TCP/1720, UDP/1718, UDP (RAS) 1718-1719 | No NAT on same security interfaces. No static PAT. | ITU-T H.323, H.245, H225.0, Q.931, Q.932 | — |
| HTTP | TCP/80 | — | RFC 2616 | Beware of MTU limitations stripping ActiveX and Java. If the MTU is too small to allow the Java or ActiveX tag to be included in one packet, stripping may not occur. |
| ICMP | — | — | — | All ICMP traffic is matched in the default class map. |
| ICMP ERROR | — | — | — | All ICMP traffic is matched in the default class map. |
| ILS (LDAP) | TCP/389 | No PAT. | — | — |
| Instant Messaging (IM) | Varies by client | — | RFC 3860 | — |
| IP Options | — | — | RFC 791, RFC 2113 | All IP Options traffic is matched in the default class map. |
| MMP | TCP 5443 | — | — | — |
| MGCP | UDP/2427, 2727 | — | RFC 2705bis-05 | — |
| NetBIOS Name Server over IP | UDP/137, 138 (Source ports) | — | — | NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138. |
| PPTP | TCP/1723 | — | RFC 2637 | — |
| RADIUS Accounting | 1646 | — | RFC 2865 | — |
| RSH | TCP/514 | No PAT | Berkeley UNIX | — |