Cisco ASA 5505 Configuration Manual page 783

Chapter 36 Getting Started With Application Layer Protocol Inspection

Table 36-1 Supported Application Inspection Engines (continued)¹

| Application | Default Port | NAT Limitations | Standards² | Comments |
|---|---|---|---|---|
| RTSP | TCP/554 | No PAT. No outside NAT. | RFC 2326, 2327, 1889 | No handling for HTTP cloaking. |
| SIP | TCP/5060, UDP/5060 | No outside NAT. No NAT on same security interfaces. | RFC 2543 | |
| SKINNY (SCCP) | TCP/2000 | No outside NAT. No NAT on same security interfaces. | | Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances. |
| SMTP and ESMTP | TCP/25 | | RFC 821, 1123 | |
| SNMP | UDP/161, 162 | No NAT or PAT. | RFC 1155, 1157, 1212, 1213, 1215 | v.2 RFC 1902-1908; v.3 RFC 2570-2580. |
| SQL*Net | TCP/1521 | | | v.1 and v.2. |
| Sun RPC over UDP and TCP | UDP/111 | No NAT or PAT. | | The default rule includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new rule that matches TCP port 111 and performs Sun RPC inspection. |
| TFTP | UDP/69 | | RFC 1350 | Payload IP addresses are not translated. |
| WAAS | | | | |
| XDCMP | UDP/177 | No NAT or PAT. | | |

1. Inspection engines that are enabled by default for the default port are in bold.
2. The adaptive security appliance is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the adaptive security appliance does not enforce the order.

Configuring Application Layer Protocol Inspection

This feature uses Security Policy Rules to create a service policy. Service policies provide a consistent and flexible way to configure adaptive security appliance features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. See Chapter 29, "Configuring a Service Policy," for more information.

Inspection is enabled by default for some applications. See the "Default Settings" section for more information. Use this section to modify your inspection policy.

Detailed Steps

Step 1 Choose Configuration > Firewall > Service Policy Rules.

Step 2 Add or edit a service policy rule according to the "Adding a Service Policy Rule for Through Traffic" section on page 29-8.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 36-5
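The steps above describe the ASDM procedure; the Sun RPC note in Table 36-1 (a second rule matching TCP port 111) expressed in ASA CLI, as an added example that is not from the manual. It assumes the default global_policy policy map and uses sunrpc_tcp_class as an arbitrary class-map name.

```cisco
! Added example, not from the manual. Inspect Sun RPC on TCP/111 in addition
! to the default rule, which only covers UDP/111. The class-map name is an
! arbitrary choice.
class-map sunrpc_tcp_class
 match port tcp eq 111
!
! Attach the class to the default global policy map so the new rule is
! evaluated alongside the default inspections.
policy-map global_policy
 class sunrpc_tcp_class
  inspect sunrpc
!
! The default global policy is normally already applied; shown for completeness.
service-policy global_policy global
```

As the NAT Limitations column states, Sun RPC inspection does not support NAT or PAT on the matched traffic, so check that no translation applies to the TCP/111 flows before relying on this rule.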
