12-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 12 Getting Started with Application Layer Protocol Inspection
Defaults for Application Inspection
RSH TCP/514 No PAT.
No NAT64.
(Clustering) No static PAT.
Berkeley UNIX —
RTSP TCP/554 No extended PAT.
No NAT64.
(Clustering) No static PAT.
RFC 2326, 2327,
1889
No handling for HTTP cloaking.
ScanSafe (Cloud
Web Security)
TCP/80
TCP/413
— — These ports are not included in the
default-inspection-traffic class for the
ScanSafe inspection.
SIP TCP/5060
UDP/5060
No NAT on same security
interfaces.
No extended PAT.
No per-session PAT.
No NAT64 or NAT46.
(Clustering) No static PAT.
RFC 2543 Does not handle TFTP uploaded Cisco
IP Phone configurations under certain
circumstances.
SKINNY
(SCCP)
TCP/2000 No NAT on same security
interfaces.
No extended PAT.
No per-session PAT.
No NAT64, NAT46, or NAT66.
(Clustering) No static PAT.
— Does not handle TFTP uploaded Cisco
IP Phone configurations under certain
circumstances.
SMTP and
ESMTP
TCP/25 No NAT64. RFC 821, 1123 —
SNMP UDP/161,
162
No NAT or PAT. RFC 1155, 1157,
1212, 1213, 1215
v.2 RFC 1902-1908; v.3 RFC
2570-2580.
SQL*Net TCP/1521 No extended PAT.
No NAT64.
(Clustering) No static PAT.
— v.1 and v.2.
Sun RPC over
UDP and TCP
UDP/111 No extended PAT.
No NAT64.
— The default rule includes UDP port 111;
if you want to enable Sun RPC
inspection for TCP port 111, you need
to create a new rule that matches TCP
port 111 and performs Sun RPC
inspection.
TFTP UDP/69 No NAT64.
(Clustering) No static PAT.
RFC 1350 Payload IP addresses are not translated.
WAA S TC P /1 -
65535
No extended PAT.
No NAT64.
——
Table 12-1 Supported Application Inspection Engines (continued)
Application Default Port NAT Limitations Standards Comments
To Next Page
Loading...
