1-3
Cisco ASA Series CLI Configuration Guide
Chapter 1 Getting Started with Application Layer Protocol Inspection
Guidelines and Limitations
When you enable application inspection for a service that embeds IP addresses, the ASA translates
embedded addresses and updates any checksum or other fields that are affected by the translation.
When you enable application inspection for a service that uses dynamically assigned ports, the ASA
monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports
for the duration of the specific session.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Failover Guidelines
State information for multimedia sessions that require inspection are not passed over the state link for
stateful failover. The exception is GTP, which is replicated over the state link.
IPv6 Guidelines
Supports IPv6 for the following inspections:
• DNS
• FTP
• HTTP
• ICMP
• SIP
• SMTP
• IPsec pass-through
• IPv6
Supports NAT64 for the following inspections:
• DNS
• FTP
• HTTP
• ICMP
Additional Guidelines and Limitations
Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security
interfaces. See “Default Settings” for more information about NAT support.
For all the application inspections, the adaptive security appliance limits the number of simultaneous,
active data connections to 200 connections. For example, if an FTP client opens multiple secondary
connections, the FTP inspection engine allows only 200 active connections and the 201 connection is
dropped and the adaptive security appliance generates a system error message.
To Next Page
Loading...
Need help?
General
