Application Inspection

This chapter covers the following topics:

This chapter describes how to use and configure application inspection on the Cisco ASA. The Cisco ASA mechanisms used for stateful application inspection enforce the secure use of applications and services in your network. The stateful inspection engine keeps information about each connection traversing through the security appliance's interfaces and makes sure they are valid. Stateful application inspection examines not only the packet header, but also the contents of the packet up through the application layer.

Several applications require special handling of data packets when they pass through the Layer 3 devices. These include applications and protocols that embed IP addressing information in the data payload of the packet or open secondary channels on dynamically assigned ports. The Cisco ASA application inspection mechanisms recognize the embedded addressing information, which allows Network Address Translation (NAT) to work and update any other fields or checksums.

Using application inspection, the Cisco ASA can identify the dynamic port assignments and allow data exchange on these ports during a specific connection. The application inspection capabilities are similar to the traditional fixup protocol functionality on the Cisco PIX firewalls. However, the Cisco ASA software dramatically enhances the capabilities of application inspection.

Table 8-1 lists all the applications and protocols supported by Cisco ASA. It also includes a list of the corresponding source and destination ports they use.

Table 8-1. Supported Applications and Protocols

Protocol Name

Protocol

Source Port

Destination Port

CTIQBE

TCP

Any

2748

DNS

UDP

Any

53

FTP

TCP

Any

21

GTP

UDP

2123, 3386

2123, 3386

H.323 H225

TCP

Any

1720

H.323 RAS

UDP

Any

17181719

HTTP

TCP

Any

80

ICMP

ICMP

ILS

TCP

Any

389

MGCP

UDP

2427, 2727

2427, 2727

NetBIOS

UDP

Any

137138

SUNRPC

UDP

Any

111

RSH

TCP

Any

514

RTSP

TCP

Any

554

SIP

TCP, UDP

Any

5060

Skinny

TCP

Any

2000

SMTP/ESMTP

TCP

Any

25

SQLNet

TCP

Any

1521

TFTP

UDP

Any

69

XDMCP

UDP

Any

177

The following sections include thorough information on how to enable application inspection and details about these applications and protocols.

Note

Certain protocol inspection requires a separate license. An example is GTP. More licensing information can be found at http://www.cisco.com/go/asa.

Категории