Guidelines For Application Inspection - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 12
Getting Started with Application Layer Protocol Inspection
match filename regex abc
class-map type inspect ftp match-all ftp3
match request-cmd get
match filename regex abc
policy-map type inspect ftp ftp
class ftp3
class ftp2
class ftp1
Guidelines for Application Inspection
Failover
State information for multimedia sessions that require inspection are not passed over the state link for
stateful failover. The exceptions are GTP and SIP, which are replicated over the state link.
IPv6
Supports IPv6 for the following inspections:
•
•
•
•
•
•
•
•
•
•
Supports NAT64 for the following inspections:
•
•
•
•
Additional Guidelines
•
•
log
log
log
DNS
FTP
HTTP
ICMP
SCCP (Skinny)
SIP
SMTP
IPsec pass-through
IPv6
VXLAN
DNS
FTP
HTTP
ICMP
Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security
interfaces. For more information about NAT support, see
page
12-6.
For all the application inspections, the ASA limits the number of simultaneous, active data
connections to 200 connections. For example, if an FTP client opens multiple secondary
connections, the FTP inspection engine allows only 200 active connections and the 201 connection
is dropped and the adaptive security appliance generates a system error message.
Guidelines for Application Inspection
Default Inspections and NAT Limitations,
Cisco ASA Series Firewall CLI Configuration Guide
12-5
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
