42-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter42 Getting Started with Application Layer Protocol Inspection
Guidelines and Limitations
When you enable application inspection for a service that embeds IP addresses, the ASA translates
embedded addresses and updates any checksum or other fields that are affected by the translation.
When you enable application inspection for a service that uses dynamically assigned ports, the ASA
monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports
for the duration of the specific session.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Failover Guidelines
State information for multimedia sessions that require inspection are not passed over the state link for
stateful failover. The exception is GTP, which is replicated over the state link.
IPv6 Guidelines
Supports IPv6 for the following inspections:
FTP
HTTP
ICMP
SIP
SMTP
IPsec pass-through
Additional Guidelines and Limitations
Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security
interfaces. See “Default Settings” for more information about NAT support.
For all the application inspections, the adaptive security appliance limits the number of simultaneous,
active data connections to 200 connections. For example, if an FTP client opens multiple secondary
connections, the FTP inspection engine allows only 200 active connections and the 201 connection is
dropped and the adaptive security appliance generates a system error message.
Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections
is not automatically replicated. While these connections are replicated to the standby unit, there is a
best-effort attempt to re-establish a TCP state.
Inspection Reset Behavior
When you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA
sends a TCP reset under the following conditions:
The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled.
(The service resetoutbound command is disabled by default.)