NAT Support for Inspected Protocols
Some application layer protocols that open secondary connections, or that embed IP addresses in packets, are inspected to provide the following services:
- Pinhole creation—Some application protocols open secondary TCP or UDP connections either on standard or negotiated ports. Inspection opens pinholes for these secondary ports so that you do not need to create access control rules to allow them.
- NAT rewrite—Protocols such as FTP embed IP addresses and ports for the secondary connections in packet data as part of the protocol. If NAT translation is involved for either of the endpoints, the inspection engines rewrite the packet data to reflect the NAT translation of the embedded addresses and ports. The secondary connections would not work without NAT rewrite.
- Protocol enforcement—Some inspections enforce some degree of conformance to the RFCs for the inspected protocol.
The following table lists the inspected protocols that apply NAT rewrite and their NAT limitations. Keep these limitations in mind when writing NAT rules that include these protocols. Inspected protocols not listed here do not apply NAT rewrite. These inspections include GTP, HTTP, IMAP, POP, SMTP, SSH, and SSL.
Note: NAT rewrite is supported on the listed ports only. For some of these protocols, you can extend inspection to other ports using Network Analysis Policies, but NAT rewrite is not extended to those ports. This includes DCERPC, DNS, FTP, and Sun RPC inspection. If you use these protocols on non-standard ports, do not use NAT on the connections.
| Application | Inspected Protocol, Port | NAT Limitations | Pinholes Created |
|---|---|---|---|
| DCERPC | TCP/135 | No NAT64. | Yes |
| DNS over UDP | UDP/53 | No NAT support is available for name resolution through WINS. | No |
| ESMTP | TCP/25 | No NAT64. | No |
| FTP | TCP/21 | (Clustering) No static PAT. | Yes |
| H.323 H.225 (Call signaling), H.323 RAS | TCP/1720, UDP/1718; for RAS, UDP/1718-1719 | (Clustering) No static PAT. No extended PAT. No NAT64. | Yes |
| ICMP, ICMP Error | ICMP (ICMP traffic directed to a device interface is never inspected.) | No limitations. | No |
| IP Options | RSVP | No NAT64. | No |
| NetBIOS Name Server over IP | UDP/137, 138 (Source ports) | No extended PAT. No NAT64. | No |
| RSH | TCP/514 | No PAT. No NAT64. (Clustering) No static PAT. | Yes |
| RTSP | TCP/554 (No handling for HTTP cloaking.) | No extended PAT. No NAT64. (Clustering) No static PAT. | Yes |
| SIP | TCP/5060, UDP/5060 | No extended PAT. No NAT64 or NAT46. (Clustering) No static PAT. | Yes |
| Skinny (SCCP) | TCP/2000 | No extended PAT. No NAT64, NAT46, or NAT66. (Clustering) No static PAT. | Yes |
| SQL*Net (versions 1, 2) | TCP/1521 | No extended PAT. No NAT64. (Clustering) No static PAT. | Yes |
| Sun RPC | TCP/111, UDP/111 | No extended PAT. No NAT64. | Yes |
| TFTP | UDP/69 | No NAT64. (Clustering) No static PAT. Payload IP addresses are not translated. | Yes |
| XDMCP | UDP/177 | No extended PAT. No NAT64. (Clustering) No static PAT. | Yes |
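To make the NAT rewrite and pinhole behaviour described above concrete, here is an added illustration (not code from the product or this documentation) of what an inspection engine does with an FTP active-mode PORT command on the TCP/21 control channel: it parses the embedded client address and port, substitutes the translated address and PAT port, and records the pinhole the secondary data connection needs. The inside host, mapped address and mapped port are constructed sample values; the `control_port` check models the note that rewrite applies only on the listed port.

```python
import re

# RFC 959 active-mode PORT command: "PORT h1,h2,h3,h4,p1,p2" carries the
# client's listening address h1.h2.h3.h4 and port p1*256 + p2 in the payload.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")
FTP_CONTROL_PORT = 21  # NAT rewrite is only applied on the inspected port


def parse_port(line):
    """Return (ip, port) embedded in a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # reject out-of-range octets/port bytes
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip, port):
    """Encode an address and port back into PORT command syntax."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n"


def nat_rewrite_port(line, control_port, inside_ip, mapped_ip, mapped_port):
    """Rewrite the embedded endpoint when it belongs to a translated inside host.

    Returns (rewritten_line, pinhole). The pinhole is the secondary connection
    the firewall must allow from the server to the mapped endpoint and map back
    to the real one. Without the rewrite the server would try to connect to the
    untranslated inside address and the data connection would fail.
    """
    if control_port != FTP_CONTROL_PORT:  # not inspected: payload left untouched
        return line, None
    parsed = parse_port(line)
    if parsed is None or parsed[0] != inside_ip:
        return line, None
    real_port = parsed[1]
    pinhole = {"proto": "tcp", "mapped": (mapped_ip, mapped_port), "real": (inside_ip, real_port)}
    # The rewritten command may differ in length, so a real engine also adjusts
    # TCP sequence/acknowledgement numbers for the rest of the control session.
    return format_port(mapped_ip, mapped_port), pinhole


if __name__ == "__main__":
    # Constructed sample: inside client 10.1.1.5 listening on 1025, translated
    # to 203.0.113.7 with PAT port 3000.
    cmd = "PORT 10,1,1,5,4,1\r\n"
    print(nat_rewrite_port(cmd, 21, "10.1.1.5", "203.0.113.7", 3000))
```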