Cisco FirePOWER ASA 5500 series

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01), page 25-4
Chapter 25 Configuring Application Layer Protocol Inspection
Inspection Engine Overview
The default policy configuration includes the following commands:

    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
Table 25-1 Supported Application Inspection Engines (continued)

| Application (1) | Default Port | NAT Limitations | Standards (2) | Comments |
|---|---|---|---|---|
| RADIUS Accounting | 1646 | | RFC 2865 | |
| RSH | TCP/514 | No PAT | Berkeley UNIX | |
| RTSP | TCP/554 | No PAT. No outside NAT. | RFC 2326, 2327, 1889 | No handling for HTTP cloaking. |
| SIP | TCP/5060, UDP/5060 | No outside NAT. No NAT on same security interfaces. | RFC 2543 | |
| SKINNY (SCCP) | TCP/2000 | No outside NAT. No NAT on same security interfaces. | | Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances. |
| SMTP and ESMTP | TCP/25 | | RFC 821, 1123 | |
| SNMP | UDP/161, 162 | No NAT or PAT. | RFC 1155, 1157, 1212, 1213, 1215; v.2 RFC 1902-1908; v.3 RFC 2570-2580. | |
| SQL*Net | TCP/1521 | — | v.1 and v.2. | |
| Sun RPC over UDP and TCP | UDP/111 | No NAT or PAT. | | The default class map includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new class map that matches TCP port 111, add the class to the policy, and then apply the inspect sunrpc command to that class. |
| TFTP | UDP/69 | | RFC 1350 | Payload IP addresses are not translated. |
| XDMCP | UDP/177 | No NAT or PAT. | | |

1. Inspection engines that are enabled by default for the default port are in bold.
2. The security appliance is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the security appliance does not enforce the order.
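The Sun RPC comment in the table spells out a three-step procedure for inspecting TCP port 111; the following is that procedure written out as an added configuration example, not text from the guide. The class-map name sunrpc_tcp is my own choice; the policy-map name global_policy and the inspect sunrpc command are the ones the guide uses.

```cisco
! Added example (not from the guide): extend Sun RPC inspection from the
! default UDP/111 to TCP/111 as well. The class-map name "sunrpc_tcp" is an
! arbitrary name chosen for this example.
!
! Step 1: a class map that matches TCP port 111.
class-map sunrpc_tcp
 match port tcp eq 111
!
! Steps 2 and 3: add the class to the existing global policy and apply the
! Sun RPC inspection engine to it. The inspection_default class and its
! UDP/111 inspection stay in place; this class is evaluated alongside it.
policy-map global_policy
 class sunrpc_tcp
  inspect sunrpc
```

Per the NAT Limitations column, the Sun RPC engine offers no NAT or PAT support, so expect it to work only where the port 111 traffic is not translated. Because global_policy is already applied with service-policy global_policy global in the default configuration, no further service-policy command is needed; show service-policy lists the new class under it.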
