Inspection Limitations; Default Inspection Policy - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 25
Configuring Application Layer Protocol Inspection
Inspection Limitations
See the following limitations for application protocol inspection:
•
•
Default Inspection Policy
By default, the configuration includes a policy that matches all default application inspection traffic and
applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic
includes traffic to the default ports for each protocol. You can only apply one global policy, so if you
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add
inspections that are not enabled by default, you need to either edit the default policy or disable it and
apply a new one.
Table 25-1
inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.
Table 25-1
Supported Application Inspection Engines
1
Application
Default Port NAT Limitations
CTIQBE
TCP/2748
DNS over UDP
UDP/53
FTP
TCP/21
GTP
UDP/3386
UDP/2123
H.323 H.225 and
TCP/1720
RAS
UDP/1718
UDP (RAS)
1718-1719
HTTP
TCP/80
ICMP
—
ICMP ERROR
—
ILS (LDAP)
TCP/389
MGCP
UDP/2427,
2727
OL-12172-03
State information for multimedia sessions that require inspection are not passed over the state link
for stateful failover. The exception is GTP, which is replicated over the state link.
Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security
interfaces. See
"Default Inspection Policy"
lists all inspections supported, the default ports used in the default class map, and the
—
No NAT support is available for
name resolution through
WINS.
—
—
No NAT on same security
interfaces.
No static PAT.
—
—
—
No PAT.
—
for more information about NAT support.
2
Standards
Comments
—
—
RFC 1123
No PTR records are changed.
RFC 959
—
—
Requires a special license.
ITU-T H.323,
—
H.245, H225.0,
Q.931, Q.932
RFC 2616
Beware of MTU limitations stripping
ActiveX and Java. If the MTU is too
small to allow the Java or ActiveX tag to
be included in one packet, stripping
may not occur.
—
All ICMP traffic is matched in the
default class map.
—
All ICMP traffic is matched in the
default class map.
—
—
RFC 2705bis-05 —
Cisco Security Appliance Command Line Configuration Guide
Inspection Engine Overview
25-3
Advertisement
Table of Contents
Troubleshooting
