Cisco FirePOWER ASA 5500 series Configuration Manual page 422

Security appliance command line
Inspection Engine Overview

Table 25-1 Supported Application Inspection Engines (continued) (1)

Application              | Default Port       | NAT Limitations                                     | Standards (2)                    | Comments
-------------------------|--------------------|-----------------------------------------------------|----------------------------------|---------
RADIUS Accounting        | 1646               | No PAT                                              | RFC 2865                         |
RSH                      | TCP/514            | No PAT.                                             | Berkeley UNIX                    |
RTSP                     | TCP/554            | No outside NAT.                                     | RFC 2326, 2327, 1889             | No handling for HTTP cloaking.
SIP                      | TCP/5060, UDP/5060 | No outside NAT. No NAT on same security interfaces. | RFC 2543                         |
SKINNY (SCCP)            | TCP/2000           | No outside NAT. No NAT on same security interfaces. |                                  | Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances.
SMTP and ESMTP           | TCP/25             |                                                     | RFC 821, 1123                    |
SNMP                     | UDP/161, 162       | No NAT or PAT.                                      | RFC 1155, 1157, 1212, 1213, 1215 | v.2 RFC 1902-1908; v.3 RFC 2570-2580.
SQL*Net                  | TCP/1521           |                                                     |                                  | v.1 and v.2.
Sun RPC over UDP and TCP | UDP/111            | No NAT or PAT.                                      |                                  | The default class map includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new class map that matches TCP port 111, add the class to the policy, and then apply the inspect sunrpc command to that class.
TFTP                     | UDP/69             | No NAT or PAT.                                      | RFC 1350                         | Payload IP addresses are not translated.
XDCMP                    | UDP/177            |                                                     |                                  |

1. Inspection engines that are enabled by default for the default port are in bold.
2. The security appliance is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the security appliance does not enforce the order.

The default policy configuration includes the following commands:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 25 Configuring Application Layer Protocol Inspection, page 25-4
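The Sun RPC comment in Table 25-1 describes the procedure for inspecting portmapper traffic on TCP port 111, which the default class (match default-inspection-traffic) does not cover. The following is an added worked example of that procedure, not configuration from the guide itself; the class-map name sunrpc_tcp and the DNS message-length value 4096 are assumed choices. The new class is attached to the existing global_policy alongside inspection_default rather than replacing it. Keep the table's NAT limitation in mind: Sun RPC inspection is listed as "No NAT or PAT", so adding the TCP class does not make RPC work through translated addresses. The optional DNS change is included because the preset_dns_map shown above caps UDP DNS messages at 512 bytes, which is the pre-EDNS0 limit; larger EDNS0 or DNSSEC responses are dropped by the inspector unless the maximum is raised.

```cisco
! Added example (not from the guide). Assumed class-map name: sunrpc_tcp.
! The default class matches only UDP/111 for Sun RPC; add a class that
! matches the TCP portmapper port explicitly.
class-map sunrpc_tcp
 match port tcp eq 111
!
! Attach the new class to the existing global policy and enable Sun RPC
! inspection for it. The inspection_default class is left untouched.
policy-map global_policy
 class sunrpc_tcp
  inspect sunrpc
!
! global_policy is already applied globally in the default configuration;
! the service-policy line is shown for completeness only.
service-policy global_policy global
!
! Optional: raise the preset DNS map's 512-byte message limit so EDNS0 and
! DNSSEC responses are not dropped. 4096 is an assumed value, not a
! recommendation from the guide; the command range is 512-65535.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
!
! Verify (exec mode) that both classes and their inspections are active.
show service-policy
```

After applying the class, confirm with show service-policy that global_policy lists both inspection_default and sunrpc_tcp with inspect sunrpc on the new class; if the TCP class shows zero packets while RPC clients are failing, check whether the flow is translated, since the table's NAT limitation applies to both transports.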
