Cisco ASA 5505 Configuration Manual page 781

Chapter 36
Getting Started With Application Layer Protocol Inspection
If you use applications like these, then you need to enable application inspection.
When you enable application inspection for a service that embeds IP addresses, the adaptive security
appliance translates embedded addresses and updates any checksum or other fields that are affected by
the translation.
When you enable application inspection for a service that uses dynamically assigned ports, the adaptive
security appliance monitors sessions to identify the dynamic port assignments, and permits data
exchange on these ports for the duration of the specific session.
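The two behaviors described above can be modeled on an FTP active-mode PORT command, which carries both an embedded IP address and a dynamically assigned port. This is an added example, not code from the Cisco guide or the appliance; the NAT table, the addresses, and the names inspect_port and Pinhole are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed static NAT table: real (inside) address -> mapped (outside) address.
NAT_MAP = {"10.1.1.25": "203.0.113.25"}

# PORT h1,h2,h3,h4,p1,p2 as defined in RFC 959 (command names are case-insensitive).
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r\n$", re.IGNORECASE)

@dataclass(frozen=True)
class Pinhole:
    """Temporary permit for one secondary (data) connection."""
    dst_ip: str    # mapped address the server will connect to
    dst_port: int  # dynamically assigned port announced by the client
    real_ip: str   # inside address the connection is translated back to

def inspect_port(line, nat_map=NAT_MAP):
    """Simplified model of inspecting one control-channel line from an inside client.

    Returns (rewritten_line, pinhole, length_delta). For anything other than a
    PORT command the line is returned unchanged with no pinhole.
    Raises ValueError for a malformed PORT argument so the caller can drop it.
    """
    m = PORT_RE.match(line)
    if m is None:
        if line.upper().startswith("PORT"):
            raise ValueError("malformed PORT command")
        return line, None, 0
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    real_ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]         # dynamic data port
    mapped_ip = nat_map.get(real_ip, real_ip)  # no NAT rule: address stays as is
    rewritten = "PORT {},{},{}\r\n".format(
        mapped_ip.replace(".", ","), fields[4], fields[5])
    # A non-zero delta changes the payload length, so checksums and TCP
    # sequence numbers on the control connection must be adjusted as well.
    return rewritten, Pinhole(mapped_ip, port, real_ip), len(rewritten) - len(line)

if __name__ == "__main__":
    # Constructed sample: client 10.1.1.25 announces data port 19*256+137.
    print(inspect_port("PORT 10,1,1,25,19,137\r\n"))
```

The returned pinhole is the session-scoped permit for the data connection; in this model it would be removed when the control session ends.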
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Failover Guidelines
State information for multimedia sessions that require inspection is not passed over the state link for
stateful failover. The exception is GTP, which is replicated over the state link.
IPv6 Guidelines
Supports IPv6 for the following inspections:
FTP
HTTP
ICMP
SIP
SMTP
IPSec pass-through
Additional Guidelines and Limitations
Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security
interfaces. See "Default Settings" for more information about NAT support.
For all the application inspections, the adaptive security appliance limits the number of simultaneous,
active data connections to 200 connections. For example, if an FTP client opens multiple secondary
connections, the FTP inspection engine allows only 200 active connections, and the 201st connection is
dropped and the adaptive security appliance generates a system error message.
Default Settings
By default, the configuration includes a policy that matches all default application inspection traffic and
applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic
includes traffic to the default ports for each protocol. You can only apply one global policy, so if you
OL-20339-01
Cisco ASA 5500 Series Configuration Guide using ASDM