12-7
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 12 Getting Started with Application Layer Protocol Inspection
Defaults for Application Inspection
H.323 H.225 and
RAS
TCP/1720
UDP/1718
UDP (RAS)
1718-1719
No dynamic NAT or PAT.
Static PAT may not work.
(Clustering) No static PAT.
No extended PAT.
No per-session PAT.
No NAT on same security
interfaces.
No NAT64.
ITU-T H.323,
H.245, H225.0,
Q.931, Q.932
—
HTTP TCP/80 — RFC 2616 Beware of MTU limitations stripping
ActiveX and Java. If the MTU is too
small to allow the Java or ActiveX tag to
be included in one packet, stripping
may not occur.
ICMP — — — ICMP traffic directed to an ASA
interface is never inspected.
ICMP ERROR — — — —
ILS (LDAP) TCP/389 No extended PAT.
No NAT64.
——
Instant
Messaging (IM)
Varies by
client
No extended PAT.
No NAT64.
RFC 3860 —
IP Options — No NAT64. RFC 791, RFC
2113
—
IPsec Pass
Through
UDP/500 No PAT.
No NAT64.
——
IPv6 — No NAT64. RFC 2460 —
MGCP UDP/2427,
2727
No extended PAT.
No NAT64.
(Clustering) No static PAT.
RFC 2705bis-05 —
MMP TCP 5443 No extended PAT.
No NAT64.
——
NetBIOS Name
Server over IP
UDP/137,
138 (Source
ports)
No extended PAT.
No NAT64.
— NetBIOS is supported by performing
NAT of the packets for NBNS UDP port
137 and NBDS UDP port 138.
PPTP TCP/1723 No NAT64.
(Clustering) No static PAT.
RFC 2637 —
RADIUS
Accounting
1646 No NAT64. RFC 2865 —
Table 12-1 Supported Application Inspection Engines (continued)
Application Default Port NAT Limitations Standards Comments
To Next Page
Loading...
