42-4
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter42 Getting Started with Application Layer Protocol Inspectio n
Default Settings
The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled.
(The service resetinbound command is disabled by default.)
For more information, see the service command in the ASA command reference.
This behavior ensures that a reset action will reset the connections on the ASA and on inside servers;
therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by
default and information is not revealed through a TCP reset.
Default Settings
By default, the configuration includes a policy that matches all default application inspection traffic and
applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic
includes traffic to the default ports for each protocol. You can only apply one global policy, so if you
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add
inspections that are not enabled by default, you need to either edit the default policy or disable it and
apply a new one.
Table42-1 lists all inspections supported, the default ports used in the default class map, and the
inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.
Table42-1 Supported Application Inspection Engines
Application1Default Port NAT Limitations Standards2Comments
CTIQBE TCP/2748 No extended PAT.
DCERPC TCP/135 ——
DNS over UDP UDP/53 No NAT support is available for
name resolution through
WINS.
RFC 1123 No PTR records are changed.
FTP TCP/21 RFC 959
GTP UDP/3386
UDP/2123
No extended PAT. Requires a special license.
H.323 H.225 and
RAS
TCP/1720
UDP/1718
UDP (RAS)
1718-1719
No NAT on same security
interfaces.
No static PAT.
No extended PAT.
ITU-T H.323,
H.245, H225.0,
Q.931, Q.932
HTTP TCP/80 RFC 2616 Beware of MTU limitations stripping
ActiveX and Java. If the MTU is too
small to allow the Java or ActiveX tag to
be included in one packet, stripping
may not occur.
ICMP All ICMP traffic is matched in the
default class map.
ICMP ERROR All ICMP traffic is matched in the
default class map.
ILS (LDAP) TCP/389 No extended PAT.
Instant
Messaging (IM)
Vari es by
client
No extended PAT. RFC 3860