Cisco ASA 5505 Configuration Manual page 782

Default Settings
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add
inspections that are not enabled by default, you need to either edit the default policy or disable it and
apply a new one.
Table 36-1
inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.
Table 36-1 Supported Application Inspection Engines
1
Application Default Port NAT Limitations
CTIQBE TCP/2748
DCERPC TCP/135
DNS over UDP UDP/53
FTP TCP/21
GTP UDP/3386
UDP/2123
H.323 H.225 and TCP/1720
RAS UDP/1718
UDP (RAS)
1718-1719
HTTP TCP/80
ICMP —
ICMP ERROR —
ILS (LDAP) TCP/389
Instant Varies by
Messaging (IM) client
IP Options —
MMP TCP 5443
MGCP UDP/2427,
2727
NetBIOS Name UDP/137,
Server over IP 138 (Source
ports)
PPTP TCP/1723
RADIUS 1646
Accounting
RSH TCP/514
Cisco ASA 5500 Series Configuration Guide using ASDM
36-4
lists all inspections supported, the default ports used in the default class map, and the
—
—
No NAT support is available for
name resolution through
WINS.
—
—
No NAT on same security
interfaces.
No static PAT.
—
—
—
No PAT.
—
—
—
—
—
—
—
No PAT
Chapter 36 Getting Started With Application Layer Protocol Inspection
2
Standards Comments
— —
— —
RFC 1123 No PTR records are changed.
RFC 959 —
— Requires a special license.
ITU-T H.323, —
H.245, H225.0,
Q.931, Q.932
RFC 2616 Beware of MTU limitations stripping
ActiveX and Java. If the MTU is too
small to allow the Java or ActiveX tag to
be included in one packet, stripping
may not occur.
— All ICMP traffic is matched in the
default class map.
— All ICMP traffic is matched in the
default class map.
— —
RFC 3860 —
RFC 791, RFC All IP Options traffic is matched in the
2113 default class map.
— —
RFC 2705bis-05 —
— NetBIOS is supported by performing
NAT of the packets for NBNS UDP port
137 and NBDS UDP port 138.
RFC 2637 —
RFC 2865 —
Berkeley UNIX —
OL-20339-01