12-9
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 12 Getting Started with Application Layer Protocol Inspection
Configure Application Layer Protocol Inspection
The default policy configuration includes the following commands:
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
dns-guard
protocol-enforcement
nat-rewrite
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect ip-options _default_ip_options_map
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp _default_esmtp_map
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
Default Inspection Policy Maps
Some inspection types use hidden default policy maps. For example, if you enable ESMTP inspection
without specifying a map, _default_esmtp_map is used.
The default inspection is described in the sections that explain each inspection type. You can view these
default maps using the show running-config all policy-map command.
DNS inspection is the only one that uses an explicitly-configured default map, preset_dns_map.
Configure Application Layer Protocol Inspection
You configure application inspection in service policies. Service policies provide a consistent and
flexible way to configure ASA features. For example, you can use a service policy to create a timeout
configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP
applications. For some applications, you can perform special actions when you enable inspection. See
XDMCP UDP/177 No extended PAT.
No NAT64.
(Clustering) No static PAT.
——
VXLAN UDP/4789 Not applicable RFC 7348 Virtual Extensible Local Area Network.
Table 12-1 Supported Application Inspection Engines (continued)
Application Default Port NAT Limitations Standards Comments
To Next Page
Loading...
Need help?
General