Application Inspection
This chapter covers the following topics:
- Introduction to application inspection
- Enabling application inspection using the Modular Policy CLI
- Detailed information on the supported protocols and applications, such as HTTP, ESMTP, FTP, and H.323
This chapter describes how to use and configure application inspection on the Cisco ASA. The Cisco ASA mechanisms used for stateful application inspection enforce the secure use of applications and services in your network. The stateful inspection engine keeps information about each connection traversing through the security appliance's interfaces and makes sure they are valid. Stateful application inspection examines not only the packet header, but also the contents of the packet up through the application layer.
Several applications require special handling of data packets when they pass through the Layer 3 devices. These include applications and protocols that embed IP addressing information in the data payload of the packet or open secondary channels on dynamically assigned ports. The Cisco ASA application inspection mechanisms recognize the embedded addressing information, which allows Network Address Translation (NAT) to work and update any other fields or checksums.
Using application inspection, the Cisco ASA can identify the dynamic port assignments and allow data exchange on these ports during a specific connection. The application inspection capabilities are similar to the traditional fixup protocol functionality on the Cisco PIX firewalls. However, the Cisco ASA software dramatically enhances the capabilities of application inspection.
Table 8-1 lists all the applications and protocols supported by Cisco ASA. It also includes a list of the corresponding source and destination ports they use.
Protocol Name |
Protocol |
Source Port |
Destination Port |
---|---|---|---|
CTIQBE |
TCP |
Any |
2748 |
DNS |
UDP |
Any |
53 |
FTP |
TCP |
Any |
21 |
GTP |
UDP |
2123, 3386 |
2123, 3386 |
H.323 H225 |
TCP |
Any |
1720 |
H.323 RAS |
UDP |
Any |
17181719 |
HTTP |
TCP |
Any |
80 |
ICMP |
ICMP |
||
ILS |
TCP |
Any |
389 |
MGCP |
UDP |
2427, 2727 |
2427, 2727 |
NetBIOS |
UDP |
Any |
137138 |
SUNRPC |
UDP |
Any |
111 |
RSH |
TCP |
Any |
514 |
RTSP |
TCP |
Any |
554 |
SIP |
TCP, UDP |
Any |
5060 |
Skinny |
TCP |
Any |
2000 |
SMTP/ESMTP |
TCP |
Any |
25 |
SQLNet |
TCP |
Any |
1521 |
TFTP |
UDP |
Any |
69 |
XDMCP |
UDP |
Any |
177 |
The following sections include thorough information on how to enable application inspection and details about these applications and protocols.
Note
Certain protocol inspection requires a separate license. An example is GTP. More licensing information can be found at http://www.cisco.com/go/asa.