Chapter 13
Configuring Application Protocol Inspection
Inspection Engine Overview

Table 13-1 Inspection Engine Support (continued)

Application (1) | Configurable Default Port | Default Port | NAT Limitations | Standards (2) | Comments
--------------- | ------------------------- | ------------ | --------------- | ------------- | --------
ILS (LDAP) | Yes | TCP/389 | No outside NAT. Use the alias command. No PAT. | — | —
MGCP | Yes | UDP/2427, 2727 | No NAT or PAT. Use NAT identity or NAT exemption only. | RFC2705bis-05 | —
NetBIOS Name Server over IP | No | UDP/137-138 | — | — | —
OraServ | No | UDP/1525 | — | — | —
RealAudio | No | UDP/7070 | — | — | —
RSH | Yes | TCP/514 | No PAT. | Berkeley UNIX | —
RTSP | Yes | TCP/554 | No PAT. No outside NAT. Use the alias command. | RFC 2326, RFC 2327, RFC 1889 | No handling for HTTP cloaking.
SIP TCP | Yes | TCP/5060 | No outside NAT. Use the alias command. No NAT on same security interfaces. | RFC 2543 | —
SIP UDP | Yes | UDP/5060 | No outside NAT. Use the alias command. No NAT on same security interfaces. | RFC 2543 | —
SKINNY (SCCP) | Yes | TCP/2000 | No outside NAT. Use the alias command. No NAT on same security interfaces. | — | Does not handle TFTP uploaded Cisco IP Phone configurations.
SMTP | Yes | TCP/25 | — | RFC 821, 1123 | —
SQL*Net | Yes | TCP/1521 (v1) | No policy NAT. | — | v1 and v2.
Sun RPC over UDP | No | UDP/111 | No NAT or PAT. Use NAT identity or NAT exemption only. | — | —
Sun RPC over TCP | Yes | TCP/111 | No NAT or PAT. Use NAT identity or NAT exemption only. | — | —
TFTP | No | UDP/69 | Payload IP address not translated. | RFC 1350 | —
XDMCP | No | UDP/177 | No NAT or PAT. Use NAT identity or NAT exemption only. | — | —

1. Inspection engines that are enabled by default for the default port are in bold.
2. The FWSM is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the FWSM does not enforce the order.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
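The NAT Limitations column names two remedies without showing them: NAT exemption or identity NAT for the engines that tolerate no translation at all (MGCP, Sun RPC, XDMCP), and the alias command for the engines that cannot be combined with outside NAT (ILS, RTSP, SIP, SKINNY). The fragment below is an added example in FWSM 2.x / PIX 6.x-style CLI, not configuration from the guide; the interface names, addresses, and access-list name are assumed placeholders, and the fixup lines assume the default ports from the table.

```text
! Added example (not from the FWSM configuration guide). Interface names,
! addresses and the access-list name are assumed placeholders.

! MGCP on UDP/2427 and 2727: no NAT or PAT is supported, so the gateway
! (10.1.10.5, assumed) and call agent (192.0.2.20, assumed) must pass the
! FWSM untranslated. NAT exemption (nat 0 with an access list) matches on
! source and destination address and takes precedence over other nat lines.
fixup protocol mgcp 2427
fixup protocol mgcp 2727
access-list NONAT-MGCP permit ip host 10.1.10.5 host 192.0.2.20
nat (inside) 0 access-list NONAT-MGCP

! Sun RPC (UDP/TCP 111) and XDMCP (UDP/177) carry the same restriction.
! Identity NAT (nat 0 with a network, no access list) is the alternative
! when a whole subnet must keep its real addresses.
nat (inside) 0 10.1.20.0 255.255.255.0

! SIP and SKINNY: the engines rewrite embedded addresses for inside-to-
! outside translation only, so do not configure outside NAT (a nat line on
! the outside interface) for these flows. Instead, present the outside call
! server 209.165.200.225 (assumed) to inside phones under the inside-valid
! address 192.168.10.20 (assumed, unused by any real host); the alias
! command rewrites that destination on the way out and DNS replies on the
! way in. Keep the two interfaces at different security levels: the table
! allows no NAT between same-security interfaces for these engines.
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
alias (inside) 192.168.10.20 209.165.200.225 255.255.255.255
```

Two checks a practitioner would run after applying this: confirm with show xlate that no translation slot is ever created for the MGCP, Sun RPC, or XDMCP hosts (an entry there means a broader nat or static line is matching before the exemption), and confirm that the dnat address given to alias is not routable to any real inside host, since the FWSM will now intercept traffic sent to it.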