Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 9      Getting Started with Application Layer Protocol Inspection
When you enable application inspection for a service that embeds IP addresses, the ASA translates 
embedded addresses and updates any checksum or other fields that are affected by the translation.
When you enable application inspection for a service that uses dynamically assigned ports, the ASA 
monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports 
for the duration of the specific session.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Failover Guidelines 
State information for multimedia sessions that require inspection is not passed over the state link for 
stateful failover. The exception is GTP, which is replicated over the state link.
IPv6 Guidelines
Supports IPv6 for the following inspections:
DNS
FTP
HTTP
ICMP
SIP
SMTP
IPsec pass-through
IPv6
Supports NAT64 for the following inspections:
DNS
FTP
HTTP
ICMP
Additional Guidelines and Limitations 
Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security 
interfaces. See 
 for more information about NAT support.
For all the application inspections, the ASA limits the number of simultaneous, active data connections 
to 200. For example, if an FTP client opens multiple secondary connections, the FTP inspection engine 
allows only 200 active connections; the 201st connection is dropped and the ASA generates a system 
error message.
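The following is an added example, not Cisco code, written to illustrate two passages on this page together: the note at the top that an inspection engine translates IP addresses embedded in the protocol and tracks dynamically assigned ports, and the 200 simultaneous data-connection limit above. It models FTP inspection under NAT in Python: the address in a PORT command or a 227 passive-mode reply is rewritten from the real inside address to its mapped address, a pinhole is recorded for the negotiated data port, the payload length change that drives the TCP sequence-number adjustment is tracked, and the 201st data connection is refused. The NAT mapping, addresses and FTP lines are constructed for the example; a real device would also recompute the TCP/IP checksums and log the drop, which is not modelled here.

```python
"""Toy model of FTP application inspection under NAT (added example, not Cisco code).

Mimics the behaviours the guide describes: rewriting the IP address embedded
in the FTP control channel, opening a pinhole for the dynamically negotiated
data port, and capping active data connections at 200. All addresses and the
NAT mapping below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed static NAT table: inside real address -> outside mapped address.
NAT_MAP = {"10.1.1.25": "203.0.113.7"}

# Limit stated in the guide: at most 200 active data connections per inspection.
MAX_DATA_CONNS = 200

# Active mode: the client tells the server where to connect back to.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
# Passive mode: the server tells the client where to connect to.
PASV_RE = re.compile(r"^227 (.*)\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\r\n$")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    host = ".".join(groups[:4])
    return host, int(groups[4]) * 256 + int(groups[5])


def encode_hostport(host, port):
    """Inverse of decode_hostport, producing the FTP comma-separated form."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class InspectionState:
    """Per-control-session state an inspection engine would keep."""
    pinholes: set = field(default_factory=set)  # (ip, port) pairs permitted for data
    seq_delta: int = 0  # net payload growth; a real device adjusts TCP seq/ack by this
    dropped: int = 0    # data connections refused because of the 200 limit

    def open_pinhole(self, ip, port):
        # The 201st simultaneous data connection is dropped (a real ASA also logs it).
        if len(self.pinholes) >= MAX_DATA_CONNS:
            self.dropped += 1
            return False
        self.pinholes.add((ip, port))
        return True


def fixup_port_command(payload, state, nat_map=NAT_MAP):
    """Rewrite the client's real address in a PORT command to its mapped address.

    Returns (new_payload, permitted). Only the length change that drives the
    sequence-number adjustment is modelled; checksum recomputation is not.
    """
    m = PORT_RE.match(payload)
    if not m:
        return payload, True  # not a command this engine fixes up
    real_ip, port = decode_hostport(m.groups())
    mapped_ip = nat_map.get(real_ip, real_ip)
    new_payload = f"PORT {encode_hostport(mapped_ip, port)}\r\n"
    state.seq_delta += len(new_payload) - len(payload)
    permitted = state.open_pinhole(mapped_ip, port)  # server -> mapped_ip:port
    return new_payload, permitted


def fixup_pasv_reply(payload, state, nat_map=NAT_MAP):
    """Same fix-up for a 227 reply from an inside server sitting behind NAT."""
    m = PASV_RE.match(payload)
    if not m:
        return payload, True
    text = m.group(1)
    real_ip, port = decode_hostport(m.groups()[1:])
    mapped_ip = nat_map.get(real_ip, real_ip)
    new_payload = f"227 {text}({encode_hostport(mapped_ip, port)})\r\n"
    state.seq_delta += len(new_payload) - len(payload)
    permitted = state.open_pinhole(mapped_ip, port)  # client -> mapped_ip:port
    return new_payload, permitted


def simulate_port_commands(n, state=None):
    """A client issues n PORT commands on distinct ports; returns (permitted, dropped)."""
    if state is None:
        state = InspectionState()
    permitted = 0
    for i in range(n):
        line = f"PORT {encode_hostport('10.1.1.25', 1025 + i)}\r\n"
        _, ok = fixup_port_command(line, state)
        permitted += ok
    return permitted, state.dropped


if __name__ == "__main__":
    st = InspectionState()
    print(fixup_port_command("PORT 10,1,1,25,4,1\r\n", st))
    print(fixup_pasv_reply("227 Entering Passive Mode (10,1,1,25,195,80)\r\n", st))
    print(simulate_port_commands(201))
```

Running the block shows the embedded address 10,1,1,25 rewritten to 203,0,113,7 in both directions, a seq_delta of 2 bytes per rewrite (the mapped address is two characters longer), and 201 PORT commands yielding 200 permitted pinholes and one drop, matching the limit described above.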