Inspection Limitations; Inspection Support - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services

Inspection Engine Overview
When you enable application inspection for a service that uses dynamically assigned ports, the FWSM
monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports
for the duration of the specific session.

Chapter 13 Configuring Application Protocol Inspection
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 13-2

Inspection Limitations

See the following limitations for application protocol inspection:

• You can configure up to 32 inspection engines per context. This limit includes the following inspection engines that are enabled by default, making the total number of configurable inspection engines 27: TFTP, Sun RPC over UDP, NetBIOS NameServer, XDMCP, and CUSeeMe. The OraServ and RealAudio inspection engines, which are also enabled by default, do not affect this limit.
• State information for multimedia sessions that require inspection is not passed over the state link for stateful failover.
• For fragmented IP packets, only the first fragment is inspected.
• For segmented TCP packets, if messages are divided between segments, the FWSM cannot inspect the packets.
• Some inspection engines do not support PAT, NAT, policy NAT, outside NAT, or NAT between same security interfaces. See "Inspection Support" for more information about NAT support.
• DNS fixups are limited to 4000 per second.

Inspection Support

Table 13-1 describes the inspection engines supported by the FWSM and whether they are compatible with Network Address Translation (NAT), Port Address Translation (PAT), outside NAT, or NAT between same security interfaces. If an inspection engine does not support outside NAT, consider using the alias command instead of outside NAT. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the alias command. Inspection engines that are enabled for the default port by default are in bold.

Table 13-1 Inspection Engine Support

Application | Configurable (1) | Default Port | NAT Limitations | Standards | Comments
CUSeeMe | No | UDP/7648 | No NAT or PAT. Use NAT identity or NAT exemption only. | | 
DNS over UDP | Yes | UDP/53 | No NAT support is available for name resolution through WINS. | RFC 1123 | No PTR records are changed.
FTP | Yes | TCP/21 | | RFC 1123 | 
H.323 H.225 and RAS | Yes | TCP/1720, UDP/1718-1719 | No outside NAT. Use the alias command. No NAT on same security interfaces. | ITU-T H.323, H.245, H225.0, Q.931, Q.932 | Does not support segmented messages. (2)
HTTP | Yes | TCP/80 | | RFC 2616 | 
ICMP | Yes | | | | 
ICMP error | Yes | | | | 
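As an added illustration of what the overview, the segmented-TCP limitation, and the FTP row of Table 13-1 describe, the following Python sketch (written for this page; it is not Cisco code and not how the FWSM is implemented internally) models an FTP control-channel inspector. It learns the dynamically assigned data port from a PORT command, records a pinhole for the server to reach that port for the life of the session, rewrites the address embedded in the command when a static NAT mapping applies, refuses to open a pinhole toward an address other than the client's own, and contrasts per-segment inspection (which misses a command cut at a segment boundary, as the limitations list says) with stream reassembly that handles it. The NAT mapping, IP addresses, commands and the 512-byte buffer bound are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Added example for this page (not Cisco code): a toy FTP PORT inspector that
# models the behaviour the chapter describes. All addresses, the NAT mapping
# and MAX_LINE are constructed sample values.

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
MAX_LINE = 512  # bound on a buffered partial command line (constructed limit)


@dataclass(frozen=True)
class Pinhole:
    """Temporary permit for the server to reach the client's advertised data port."""
    server_ip: str
    client_ip: str   # address as the server sees it (mapped address under NAT)
    data_port: int


def parse_port(line: bytes):
    """Return (ip, port) from an FTP 'PORT h1,h2,h3,h4,p1,p2' line, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port(ip: str, port: int) -> bytes:
    """Inverse of parse_port: encode ip:port as an FTP PORT command line."""
    parts = ip.split(".") + [str(port // 256), str(port % 256)]
    return b"PORT " + ",".join(parts).encode() + b"\r\n"


@dataclass
class FtpInspector:
    nat: dict                  # inside real IP -> mapped IP (static NAT); identity if absent
    reassemble: bool = True    # False models per-segment inspection (the page's limitation)
    pinholes: list = field(default_factory=list)
    rewritten: list = field(default_factory=list)
    _partial: bytes = b""

    def inspect_segment(self, client_ip: str, server_ip: str, payload: bytes) -> bytes:
        """Inspect one client->server TCP segment and return the payload to forward."""
        data = (self._partial + payload) if self.reassemble else payload
        out = b""
        while b"\r\n" in data:
            line, data = data.split(b"\r\n", 1)
            out += self._inspect_line(client_ip, server_ip, line + b"\r\n")
        if not self.reassemble:
            # A command cut at the segment boundary is forwarded uninspected:
            # no pinhole is learned, so the data connection will later be dropped.
            return out + data
        if len(data) > MAX_LINE:
            # Never buffer an endless "line"; drop the session state instead.
            raise ValueError("FTP control line exceeds %d bytes without CRLF" % MAX_LINE)
        self._partial = data   # hold the tail until the command completes
        return out

    def _inspect_line(self, client_ip: str, server_ip: str, line: bytes) -> bytes:
        parsed = parse_port(line)
        if parsed is None:
            return line        # not a PORT command; pass through unchanged
        real_ip, port = parsed
        if real_ip != client_ip:
            # Only open pinholes toward the client that sent the command
            # (check added in this example; no pinhole for third-party addresses).
            return line
        mapped_ip = self.nat.get(real_ip, real_ip)
        # Permit the server to connect to the advertised (mapped) address and port
        # for this session; inbound NAT would map mapped_ip back to real_ip.
        self.pinholes.append(Pinhole(server_ip, mapped_ip, port))
        new_line = build_port(mapped_ip, port)
        if new_line != line:
            self.rewritten.append((line, new_line))
        return new_line
```

Holding back a partial line until its CRLF arrives is a simplification a real inline device would avoid (it forwards segments and keeps parse state instead); the point it shows is that a PORT command split across segments yields no pinhole at all without reassembly, so the session's data connection fails closed rather than bypassing inspection.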
