Default Settings
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add
inspections that are not enabled by default, you need to either edit the default policy or disable it and
apply a new one.
Table 36-1
inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.
Table 36-1
Supported Application Inspection Engines
1
Application
Default Port NAT Limitations
CTIQBE
TCP/2748
DCERPC
TCP/135
DNS over UDP
UDP/53
FTP
TCP/21
GTP
UDP/3386
UDP/2123
H.323 H.225 and
TCP/1720
RAS
UDP/1718
UDP (RAS)
1718-1719
HTTP
TCP/80
ICMP
—
ICMP ERROR
—
ILS (LDAP)
TCP/389
Instant
Varies by
Messaging (IM)
client
IP Options
—
MMP
TCP 5443
MGCP
UDP/2427,
2727
NetBIOS Name
UDP/137,
Server over IP
138 (Source
ports)
PPTP
TCP/1723
RADIUS
1646
Accounting
RSH
TCP/514
Cisco ASA 5500 Series Configuration Guide using ASDM
36-4
lists all inspections supported, the default ports used in the default class map, and the
—
—
No NAT support is available for
name resolution through
WINS.
—
—
No NAT on same security
interfaces.
No static PAT.
—
—
—
No PAT.
—
—
—
—
—
—
—
No PAT
Chapter 36
Getting Started With Application Layer Protocol Inspection
2
Standards
Comments
—
—
—
—
RFC 1123
No PTR records are changed.
RFC 959
—
—
Requires a special license.
ITU-T H.323,
—
H.245, H225.0,
Q.931, Q.932
RFC 2616
Beware of MTU limitations stripping
ActiveX and Java. If the MTU is too
small to allow the Java or ActiveX tag to
be included in one packet, stripping
may not occur.
—
All ICMP traffic is matched in the
default class map.
—
All ICMP traffic is matched in the
default class map.
—
—
RFC 3860
—
RFC 791, RFC
All IP Options traffic is matched in the
2113
default class map.
—
—
RFC 2705bis-05 —
—
NetBIOS is supported by performing
NAT of the packets for NBNS UDP port
137 and NBDS UDP port 138.
RFC 2637
—
RFC 2865
—
Berkeley UNIX
—
OL-20339-01