Default settings, Default settings” section on, For a l – Cisco ASA 5505 User Manual

Page 868

Advertising

42-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 42 Getting Started with Application Layer Protocol Inspection

Default Settings

•

The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled.
(The service resetinbound command is disabled by default.)

For more information, see the service command in the ASA command reference.

This behavior ensures that a reset action will reset the connections on the ASA and on inside servers;
therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by
default and information is not revealed through a TCP reset.

Default Settings

By default, the configuration includes a policy that matches all default application inspection traffic and
applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic
includes traffic to the default ports for each protocol. You can only apply one global policy, so if you
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add
inspections that are not enabled by default, you need to either edit the default policy or disable it and
apply a new one.

Table 42-1

lists all inspections supported, the default ports used in the default class map, and the

inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.

Table 42-1

Supported Application Inspection Engines

Application

Default Port NAT Limitations

Standards

Comments

CTIQBE

TCP/2748

No extended PAT.

—

DCERPC

TCP/135

—

DNS over UDP

UDP/53

No NAT support is available for
name resolution through
WINS.

RFC 1123

No PTR records are changed.

FTP

TCP/21

—

RFC 959

—

GTP

UDP/3386
UDP/2123

No extended PAT.

—

Requires a special license.

H.323 H.225 and
RAS

TCP/1720
UDP/1718
UDP (RAS)
1718-1719

No NAT on same security
interfaces.

No static PAT.

No extended PAT.

ITU-T H.323,
H.245, H225.0,
Q.931, Q.932

—

HTTP

TCP/80

—

RFC 2616

Beware of MTU limitations stripping
ActiveX and Java. If the MTU is too
small to allow the Java or ActiveX tag to
be included in one packet, stripping
may not occur.

ICMP

—

All ICMP traffic is matched in the
default class map.

ICMP ERROR

—

All ICMP traffic is matched in the
default class map.

ILS (LDAP)

TCP/389

No extended PAT.

—

Instant
Messaging (IM)

Varies by
client

No extended PAT.

RFC 3860

—

Advertising

This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands

Popular manuals