Configuring Application Inspection - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Configuring Application Inspection

Chapter 22    Applying Application Layer Protocol Inspection
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM    22-6    OL-20748-01

Table 22-1    Supported Application Inspection Engines (continued) (1)

Application | Default Port     | NAT Limitations    | Standards (2)                    | Comments
SNMP        | UDP/161, 162     | No NAT or PAT.     | RFC 1155, 1157, 1212, 1213, 1215 | v.2 RFC 1902-1908; v.3 RFC 2570-2580.
SQL*Net     | TCP/1521         | No PAT.            |                                  | v.1 and v.2.
SunRPC      | UDP/111, TCP/111 | Payload not NATed. |                                  | The default class map includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new class map that matches TCP port 111, add the class to the policy, and then apply the inspect sunrpc command to that class.
TFTP        | TCP/69, UDP/69   | Payload not NATed. | RFC 1530                         |
WAAS        | TCP              |                    |                                  | Enables the TCP option 33 parsing.
XDCMP       | UDP/177          | No NAT or PAT.     |                                  |

1. Inspection engines that are enabled by default for the default port are in bold.
2. The FWSM is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the FWSM does not enforce the order.

The default policy configuration includes the following commands:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global

Configuring Application Inspection

This feature uses Modular Policy Framework, so that implementing application inspection consists of the following:

1. Identifying traffic.
2. Applying inspections to the traffic. For some applications, you can perform special actions when you enable inspection.
3. Activating inspections on an interface.
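As an added illustration (not code from the Cisco guide), a small Python resolver that models the Modular Policy Framework rule behind the Sun RPC note above: an inspect command under the default class covers only that engine's default port, so Sun RPC on TCP/111 is inspected only once a class matching TCP port 111 is added to the policy. DEFAULT_PORTS holds only the rows of Table 22-1 shown on this page, and the class name sunrpc_tcp is an assumed example name.

```python
# Default ports per engine, from this page's rows of Table 22-1 only; the other
# engines in global_policy (dns, ftp, ...) are deliberately not modelled.
DEFAULT_PORTS = {"snmp": {("udp", 161), ("udp", 162)}, "sqlnet": {("tcp", 1521)},
                 "sunrpc": {("udp", 111)}, "tftp": {("udp", 69)}, "xdmcp": {("udp", 177)}}
# Constructed config: the default class plus the extra class the page describes
# for Sun RPC on TCP/111 (the class name sunrpc_tcp is assumed, not from the guide).
EXTENDED_POLICY = """
class-map inspection_default
 match default-inspection-traffic
class-map sunrpc_tcp
 match port tcp eq 111
policy-map global_policy
 class inspection_default
  inspect sunrpc
 class sunrpc_tcp
  inspect sunrpc
service-policy global_policy global
"""

def parse_mpf(config):
    cms, pms, scope, cls, global_pm = {}, {}, None, None, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        w = line.split()
        if w[0] == "class-map":
            scope, cms[w[1]] = ("cm", w[1]), {"default": False, "ports": set()}
        elif w[0] == "policy-map":
            scope, pms[w[1]], cls = ("pm", w[1]), {}, None
        elif w[0] == "service-policy" and w[-1] == "global":
            global_pm = w[1]
        elif scope and scope[0] == "cm" and line == "match default-inspection-traffic":
            cms[scope[1]]["default"] = True
        elif scope and scope[0] == "cm" and len(w) == 5 and w[:2] == ["match", "port"] and w[3] == "eq":
            cms[scope[1]]["ports"].add((w[2], int(w[4])))
        elif scope and scope[0] == "pm" and w[0] == "class":
            cls = pms[scope[1]].setdefault(w[1], set())
        elif scope and scope[0] == "pm" and w[0] == "inspect" and cls is not None:
            cls.add(w[1])  # "inspect dns maximum-length 512" records engine "dns"
    return cms, pms, global_pm

def inspections_for(config, proto, port):
    cms, pms, global_pm = parse_mpf(config)
    applied = set()
    for cname, engines in pms.get(global_pm, {}).items():
        cm = cms.get(cname, {"default": False, "ports": set()})
        for engine in engines:
            # Under match default-inspection-traffic an inspect covers only that engine's default port.
            if (proto, port) in (DEFAULT_PORTS.get(engine, set()) if cm["default"] else cm["ports"]):
                applied.add(engine)
    return applied
```

Calling inspections_for(EXTENDED_POLICY, "tcp", 111) returns {"sunrpc"}; with the sunrpc_tcp class removed it returns an empty set, while UDP/111 is inspected either way.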
