Disable the default inspection engines only at the direction of
Cisco Technical Support, or if you are certain that the associated types of
traffic do not occur on your network. For example, if you block all traffic on
an inspected port, you can safely disable inspection on that port. These
inspections are applied to all data interfaces.
These inspection engines are separate from Snort inspection.
These engines provide the following services:
You can disable, and subsequently enable, the following
inspection engines. To see what is currently enabled, use the
policy-map command and look for the
commands. To see details of the default parameters for each inspection, use the
show running-config all
dcerpc —(TCP port 135.) Distributed Computing
Environment/Remote Procedure Calls. The DCERPC inspection engine inspects for
native TCP communication between the Endpoint Mapper (EPM) and client on
well-known TCP port 135. Microsoft Remote Procedure Call (MSRPC), based on DCERPC,
is a protocol widely used by Microsoft distributed client and server
applications that allows software clients to execute programs on a server
remotely. Inspection provides pinhole creation and NAT services.
dns —(UDP port 53.) Domain Name System. DNS is
inspected on UDP port 53. Inspection provides NAT services and protocol
enforcement. You must enable this inspection engine to use the NAT rewrite
option on NAT rules. NAT rewrite is frequently required when doing NAT between
IPv4 and IPv6 networks (NAT64/46).
esmtp —(TCP port 25.) Extended Simple Mail Transfer
Protocol. ESMTP inspection detects attacks, including spam, phishing, malformed
message attacks, and buffer overflow/underflow attacks. It also provides
support for application security and protocol conformance, which enforces the
sanity of the ESMTP messages, blocks senders/receivers, and blocks mail
relay. For details on the controls applied during inspection, use the
running-config all policy-map command and look for the
“policy-map type inspect esmtp _default_esmtp_map” line and subsequent
ESMTP application inspection controls and reduces the commands
that the user can use as well as the messages that the server returns. It
provides NAT services and protocol conformance. ESMTP inspection performs three
Restricts SMTP requests to seven basic SMTP commands and eight
extended commands. Supported commands are the following:
Extended SMTP—AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML,
STARTTLS, and VRFY.
SMTP (RFC 821)—DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET.
Monitors the SMTP command-response sequence.
Generates an audit trail. Syslog audit record 108002 is
generated when an invalid character embedded in the mail address is replaced.
For more information, see RFC 821.
ftp —(TCP port 21.) File Transfer Protocol.
Inspection provides pinhole and NAT services.
h323_h225 —(TCP port 1720, UDP port 1718.) H.323
inspection supports RAS, H.225, and H.245, and its functionality translates all
embedded IP addresses and ports. It performs state tracking and filtering.
H.323 inspection provides support for H.323 compliant applications such as
Cisco CallManager. H.323 is a suite of protocols defined by the International
Telecommunication Union for multimedia conferences over LANs. The device
supports H.323 through Version 6, including H.323 v3 feature Multiple Calls on
One Call Signaling Channel.
The two major functions of H.323 inspection are as follows:
NAT the necessary embedded IPv4 addresses in the H.225 and H.245
messages. Because H.323 messages are encoded in PER encoding format, the ASA
uses an ASN.1 decoder to decode the H.323 messages.
Dynamically allocate the negotiated H.245 and RTP/RTCP
connections. The H.225 connection can also be dynamically allocated when using
h323_ras —(UDP ports 1718-1719.) See
h323_h225. This inspection is for RAS signaling.
icmp —(ICMP traffic only.) The ICMP inspection
engine allows ICMP traffic to have a “session” so it can be inspected like TCP
and UDP traffic. Without the ICMP inspection engine, we recommend that you do
not allow ICMP through the device (block with an access control rule). Without
stateful inspection, ICMP can be used to attack your network. The ICMP
inspection engine ensures that there is only one response for each request, and
that the sequence number is correct. Inspection also provides NAT services.
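The one-response-per-request and sequence-number checks described for icmp can be modelled as a small state table. This is an added illustration, not Cisco code: the IcmpInspector class, the addresses and the sample messages are constructed, only echo request/reply is modelled, and session timeouts and checksum validation are omitted.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8

def echo(icmp_type, ident, seq):
    """Build a constructed ICMP echo message (checksum left at 0, not verified here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"sample"

class IcmpInspector:
    """Hypothetical model of a stateful ICMP echo session table."""

    def __init__(self):
        self.pending = set()  # (client, server, identifier, sequence) awaiting a reply

    def check(self, src, dst, message):
        if len(message) < 8:
            return "drop"  # too short to hold an echo header
        icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
        if icmp_type == ECHO_REQUEST and code == 0:
            self.pending.add((src, dst, ident, seq))
            return "allow"
        if icmp_type == ECHO_REPLY and code == 0:
            key = (dst, src, ident, seq)  # the reply travels server -> client
            if key in self.pending:
                self.pending.remove(key)  # consume: only one reply per request
                return "allow"
        return "drop"  # unsolicited, duplicate, wrong sequence, or a type not modelled

def run_sample():
    """Run constructed traffic (client 10.0.0.5, server 192.0.2.9) and return verdicts."""
    fw, c, s = IcmpInspector(), "10.0.0.5", "192.0.2.9"
    return [
        fw.check(c, s, echo(ECHO_REQUEST, 0x1234, 1)),
        fw.check(s, c, echo(ECHO_REPLY, 0x1234, 1)),    # matching reply
        fw.check(s, c, echo(ECHO_REPLY, 0x1234, 1)),    # second reply to the same request
        fw.check(c, s, echo(ECHO_REQUEST, 0x1234, 2)),
        fw.check(s, c, echo(ECHO_REPLY, 0x1234, 7)),    # wrong sequence number
        fw.check("198.51.100.1", c, echo(ECHO_REPLY, 0x1234, 2)),  # wrong responder
        fw.check(s, c, echo(ECHO_REPLY, 0x1234, 2)),    # the genuine reply
    ]

if __name__ == "__main__":
    print(run_sample())
```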
icmp_error —(ICMP traffic only.) When ICMP Error
inspection is enabled, the device creates translation sessions for intermediate
hops that send ICMP error messages, based on the NAT configuration. The device
overwrites the packet with the translated IP addresses. This is necessary to
provide meaningful information in traceroutes that go through the device.
ip-options —(RSVP traffic only.) IP Options
inspection controls which IP packets are allowed based on the contents of the
IP Options field in the packet header. Packets with the Router Alert option are
allowed. Packets with any other options are dropped.
netbios —(UDP source ports 137, 138.) NetBIOS Name
Server over IP. NetBIOS application inspection performs NAT for the embedded IP
address in the NetBIOS name service (NBNS) packets and NetBIOS datagram
services packets. It also enforces protocol conformance, checking the various
count and length fields for consistency.
rsh —(TCP port 514.) The RSH protocol uses a TCP
connection from the RSH client to the RSH server on TCP port 514. The client
and server negotiate the TCP port number where the client listens for the
STDERR output stream. RSH inspection opens pinholes and supports NAT of the
negotiated port number if necessary.
rtsp —(TCP port 554.) Real-Time Streaming Protocol.
The RTSP inspection engine lets the device pass RTSP packets. RTSP is used by
RealAudio, RealNetworks, Apple QuickTime, RealPlayer, and Cisco IP/TV
connections. RTSP applications use the well-known port 554 with TCP (rarely
UDP) as a control channel. The device only supports TCP, in conformity with RFC
2326. This TCP control channel is used to negotiate the data channels that are
used to transmit audio/video traffic, depending on the transport mode that is
configured on the client. The supported RDT transports are: rtp/avp,
rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp.
sqlnet —(TCP port 1521.) The inspection engine
supports SQL*Net versions 1 and 2, but only the Transparent Network Substrate
(TNS) format. Inspection does not support the Tabular Data Stream (TDS) format.
SQL*Net messages are scanned for embedded addresses and ports, and NAT rewrite
is applied when necessary.
Disable SQL*Net inspection when SQL data transfer occurs on the
same port as the SQL control TCP port 1521. The security appliance acts as a
proxy when SQL*Net inspection is enabled and reduces the client window size
from 65000 to about 16000, causing data transfer issues.
sip —(TCP/UDP port 5060.) Session Initiation
Protocol. SIP is a widely used protocol for Internet conferencing, telephony,
presence, events notification, and instant messaging. Partially because of its
text-based nature and partially because of its flexibility, SIP networks are
subject to a large number of security threats. SIP application inspection
provides address translation in message header and body, dynamic opening of
ports and basic sanity checks.
skinny —(TCP port 2000.) Skinny Client Control
Protocol (SCCP). SCCP (Skinny) application inspection performs translation of
embedded IP address and port numbers within the packet data, and dynamic
opening of pinholes. It also performs additional protocol conformance checks
and basic state tracking.
sunrpc —(TCP/UDP port 111.) Sun RPC is used by NFS
and NIS. Sun RPC services can run on any port. When a client attempts to access
a Sun RPC service on a server, it must learn the port that service is running
on. It does this by querying the port mapper process, usually rpcbind, on the
well-known port of 111.
The client sends the Sun RPC program number of the service and
the port mapper process responds with the port number of the service. The
client sends its Sun RPC queries to the server, specifying the port identified
by the port mapper process. When the server replies, the device intercepts this
packet and opens both embryonic TCP and UDP connections on that port. NAT or
PAT of Sun RPC payload information is not supported.
tftp —(UDP port 69.) Trivial File Transfer
Protocol. The inspection engine inspects TFTP read request (RRQ), write request
(WRQ), and error notification (ERROR), and dynamically creates connections and
translations, if necessary, to permit file transfer between a TFTP client and
A dynamic secondary channel and a PAT translation, if necessary,
are allocated on a reception of a valid read (RRQ) or write (WRQ) request. This
secondary channel is subsequently used by TFTP for file transfer or error
notification. Only the TFTP server can initiate traffic over the secondary
channel, and at most one incomplete secondary channel can exist between the
TFTP client and server. An error notification from the server closes the
secondary channel. TFTP inspection must be enabled if static PAT is used to
redirect TFTP traffic.
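The secondary-channel rules described for tftp, sketched as a state machine. This is an added illustration, not Cisco code: the TftpInspector class and the sample packets are constructed, and how the device treats a second request while a channel is still incomplete is an assumption (the model keeps only the first).

```python
RRQ, WRQ, ERROR = 1, 2, 5
MODES = {b"netascii", b"octet", b"mail"}

def valid_request(payload):
    """True for a well-formed RRQ/WRQ: 2-byte opcode, filename NUL, mode NUL."""
    opcode = int.from_bytes(payload[:2], "big")
    parts = payload[2:].split(b"\0")
    return (opcode in (RRQ, WRQ) and len(parts) >= 3
            and bool(parts[0]) and parts[1].lower() in MODES)

class TftpInspector:
    """Hypothetical model of the TFTP secondary-channel table."""

    def __init__(self):
        self.incomplete = {}      # (client, server) -> client port awaiting the server
        self.established = set()  # (client, client_port, server, server_port)

    def packet(self, src, sport, dst, dport, payload):
        opcode = int.from_bytes(payload[:2], "big")
        if dport == 69:  # control channel, client -> server
            if not valid_request(payload):
                return "drop"
            self.incomplete.setdefault((src, dst), sport)  # assumption: keep the first only
            return "allow"
        if self.incomplete.get((dst, src)) == dport:  # server initiates the channel
            del self.incomplete[(dst, src)]
            if opcode != ERROR:  # an ERROR as first packet leaves nothing open
                self.established.add((dst, dport, src, sport))
            return "allow"
        channel = (dst, dport, src, sport)  # as seen when the server is sending
        if channel in self.established and opcode == ERROR:
            self.established.discard(channel)  # server ERROR closes the channel
            return "allow"
        if channel in self.established or (src, sport, dst, dport) in self.established:
            return "allow"
        return "drop"

def run_sample():
    """Constructed traffic: client 10.0.0.5, server 192.0.2.9."""
    fw, c, s = TftpInspector(), "10.0.0.5", "192.0.2.9"
    rrq, data = b"\x00\x01boot.cfg\0octet\0", b"\x00\x03\x00\x01" + b"x" * 16
    ack, err = b"\x00\x04\x00\x01", b"\x00\x05\x00\x00stop\0"
    return [
        fw.packet(c, 40000, s, 69, rrq),       # valid RRQ allocates the channel
        fw.packet(c, 40000, s, 50000, ack),    # client tries to initiate: refused
        fw.packet(s, 50000, c, 40000, data),   # server initiates: channel complete
        fw.packet(c, 40000, s, 50000, ack),    # client may now answer
        fw.packet(s, 50000, c, 40000, err),    # server ERROR closes the channel
        fw.packet(s, 50000, c, 40000, data),   # traffic after close
        fw.packet(c, 40001, s, 69, b"\x00\x01nomode"),  # malformed request
    ]
```

Calling run_sample() returns one verdict per packet in the order listed.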
xdmcp —(UDP port 177.) X Display Manager Control
Protocol. XDMCP is a protocol that uses UDP port 177 to negotiate X sessions,
which use TCP when established. For successful negotiation and start of an
XWindows session, the device must allow the TCP back connection from the
Xhosted computer. Use access control rules to permit the back connection
through the TCP ports.
During the XWindows session, the manager talks to the display
Xserver on the well-known port 6000 | n. Each display has a separate connection
to the Xserver, as a result of the following terminal setting:
setenv DISPLAY Xserver:n, where
n is the display number.
When XDMCP is used, the display is negotiated using IP
addresses, which the device can NAT if needed. XDMCP inspection does not