Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 42 Getting Started with Application Layer Protocol Inspection
Default Settings
The default policy configuration includes the following commands:
Table 42-1 Supported Application Inspection Engines (continued)

| Application (1) | Default Port | NAT Limitations | Standards (2) | Comments |
|---|---|---|---|---|
| IP Options | — | — | RFC 791, RFC 2113 | All IP Options traffic is matched in the default class map. |
| MGCP | UDP/2427, 2727 | No extended PAT. | RFC 2705bis-05 | — |
| MMP | TCP 5443 | No extended PAT. | — | — |
| NetBIOS Name Server over IP | UDP/137, 138 (Source ports) | No extended PAT. | — | NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138. |
| PPTP | TCP/1723 | — | RFC 2637 | — |
| RADIUS Accounting | 1646 | — | RFC 2865 | — |
| RSH | TCP/514 | No PAT | Berkeley UNIX | — |
| RTSP | TCP/554 | No extended PAT. No outside NAT. | RFC 2326, 2327, 1889 | No handling for HTTP cloaking. |
| SIP | TCP/5060, UDP/5060 | No outside NAT. No NAT on same security interfaces. No extended PAT. | RFC 2543 | — |
| SKINNY (SCCP) | TCP/2000 | No outside NAT. No NAT on same security interfaces. No extended PAT. | — | Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances. |
| SMTP and ESMTP | TCP/25 | — | RFC 821, 1123 | — |
| SNMP | UDP/161, 162 | No NAT or PAT. | RFC 1155, 1157, 1212, 1213, 1215 | v.2 RFC 1902-1908; v.3 RFC 2570-2580. |
| SQL*Net | TCP/1521 | No extended PAT. | — | v.1 and v.2. |
| Sun RPC over UDP and TCP | UDP/111 | No extended PAT. | — | The default rule includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new rule that matches TCP port 111 and performs Sun RPC inspection. |
| TFTP | UDP/69 | — | RFC 1350 | Payload IP addresses are not translated. |
| WAAS | — | No extended PAT. | — | — |
| XDMCP | UDP/177 | No extended PAT. | — | — |

1. Inspection engines that are enabled by default for the default port are in bold.
2. The ASA is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the ASA does not enforce the order.
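
The Sun RPC entry in Table 42-1 notes that the default rule covers only UDP port 111. The following configuration is an added example, not taken from the guide, of a rule that matches TCP port 111 and applies Sun RPC inspection. The class map name sunrpc_tcp_class is hypothetical, and the example assumes the default policy map global_policy is still applied globally.

```cisco
! Added example: extend Sun RPC inspection to TCP port 111.
! sunrpc_tcp_class is a hypothetical name; choose one that fits local naming.
class-map sunrpc_tcp_class
 match port tcp eq 111
!
! Attach the new class to the default global policy. The existing
! inspection_default class keeps handling Sun RPC on UDP/111.
policy-map global_policy
 class sunrpc_tcp_class
  inspect sunrpc
!
! Only needed if the global service policy was removed earlier:
! service-policy global_policy global
```

After applying the change, `show service-policy` lists the inspections active for each class, so the new class should appear with its own Sun RPC inspection counters.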