
Cisco Asdm 7 User Guide


Page 271 (manual page 10-5)

Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 10: Getting Started with Application Layer Protocol Inspection
Default Settings and NAT Limitations

Columns: Application | Protocol/Port | NAT Limitations | Standards | Comments (column headings inferred from the row layout; the page's own heading row was not extracted)

ICMP ERROR             | —                | —                                                        | —                 | —
ILS (LDAP)             | TCP/389          | No extended PAT. No NAT64.                               | —                 | —
Instant Messaging (IM) | Varies by client | No extended PAT. No NAT64.                               | RFC 3860          | —
IP Options             | —                | No NAT64.                                                | RFC 791, RFC 2113 | —
IPsec Pass Through     | UDP/500          | No PAT. No NAT64.                                        | —                 | —
IPv6                   | —                | No NAT64.                                                | RFC 2460          | —
MGCP                   | UDP/2427, 2727   | No extended PAT. No NAT64. (Clustering) No static...     | (row truncated)   | (row truncated)

Page 272 (manual page 10-6)

Default Settings and NAT Limitations (continued)

SIP           | TCP/5060, UDP/5060 | No outside NAT. No NAT on same security interfaces. No extended PAT. No per-session PAT. No NAT64. (Clustering) No static PAT. | RFC 2543 | —
SKINNY (SCCP) | TCP/2000           | No outside NAT. No NAT on same security interfaces. No extended PAT. No per-session PAT. No NAT64. (Clustering) No static PAT. | —        | Does not handle TFTP...

Page 273 (manual page 10-7)

Configuring Application Layer Protocol Inspection
This feature uses Security Policy Rules to create a service policy. Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP...

Page 274 (manual page 10-8)

Configuring Application Layer Protocol Inspection (continued)
Page 275 (manual page 11-1)

Chapter 11: Configuring Inspection of Basic Internet Protocols
This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result,...

Page 276 (manual page 11-2)

DNS Inspection
    Configuring DNS Inspection, page 11-16
Information About DNS Inspection
    General Information About DNS, page 11-2
    DNS Inspection Actions, page 11-2
General Information About DNS
A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address,...

Page 277 (manual page 11-3)

(Optional) Configuring a DNS Inspection Policy Map and Class Map
To match DNS packets with certain characteristics and perform special actions, create a DNS inspection policy map. You can also configure a DNS inspection class map to group multiple match criteria for reference within the inspection policy map. You can then apply the inspection policy map when...

Page 278 (manual page 11-4)

To use one of the preset security levels (Low, Medium, or High), drag the Security Level knob, then click OK to add the inspection policy map. You can skip the rest of this procedure.
To customize each parameter and/or to configure packet matching inspection, click Details.
Detailed Steps: Protocol Conformance
Step 1    Configure the following Protocol Conformance...

Page 279 (manual page 11-5)

Detailed Steps: Filtering
Step 1    Click the Filtering tab.
Step 2    Global Settings: Drop packets that exceed specified maximum length (global): sets the maximum DNS message length, from 512 to 65535 bytes.
Step 3    Server Settings: Drop packets that exceed specified maximum length and Drop packets sent to server that exceed length indicated by the RR: sets the maximum...

Page 280 (manual page 11-6)

Step 2    Enable logging when DNS ID mismatch rate exceeds specified rate: enables logging for excessive DNS ID mismatches, where the Mismatch Instance Threshold and Time Interval fields specify the maximum number of mismatch instances per x seconds before a system message log is sent.
Detailed Steps: Inspections
Step 1    Click the Inspections tab.