MSRPC ALG VTCP Support

■        Segmented TCP-based message

MSRPC ALG VTCP Support

■        Packet Tracing Support

■        Conditional Debugging

■        Debug Log/Trace file severity cleanup

SIP ALG resilience to Dos attack

■        Configurable lock limit

■        Dynamic black list

■        Configurable timers

GTPv2

■        Support GTPv2 inspection (3GPP RLS8 / RLS9)

Serviceability

■        ALG/AIC Serviceability improvement

PPTP

■        PPTP ALG support

GTP AIC

■        Support 3GPP RLS 7&8 for GTPv1

GTP AIC

■        Support GGSN polling feature for GTPv0/GTPv1

H323

■        Support H323 version 6 with H.225 v6 and H.245 v13

FTP64

■        Support IPv4-embedded IPv6 address

SIP

■        Multiple SIP messages per TCP segment.

■        No High Availability is supported for SIP ALG

SCCP

■        Support SCCP Version 17 to interwork with Cisco Unified Communications Manager (CUCM) 8.x.

■        No High Availability is supported for SCCP ALG.

MS-RPC

■        Not a public protocol and vastly based on DCE RPC protocol which can be review at http://pubs.opengroup.org/onlinepubs/9629399/

■        Support NAT and FW

■        No TCP segmentation (vTCP) support at this release

■        TCP only

The following information is available on Cisco.om:

■        FW L7 policy inspection of TCP communication between the EPM (Endpoint Mapper) on the Server side to the Client on the well-known TCP port 135.

■        A client will call the endpoint mapper at the server to ask for a "well known" service. The server will answer the client at which addresses this service is available (or if this service is not available at all).

■        Apply NAT if needed and rewrite the message.

■        Allow multiple use of the imprecise FW session, since a client may attempt multiple connections to the server port returned by the EPM.

MS-RPC (contd …)

■        A FW session is based on five tupples: source/destination IP addresses source/destination ports and protocol. When the source port is unknown, an imprecise FW session will be created. When traffic “hits” the other four tupples, a FW session will be created.

■        Provide validity of the MSRPC protocol (messages and protocol): binding – bind request and response tracking; call , request and response message tracking

■        No TCP segmentation (vTCP) support at this release

FTP64

■        Intra-Chassis High Availability Support

FTP64

■        Support draft-ieft-behave-ftp64-06

■        Support Stateful NAT64 only; Stateless NAT64 is not supported

■        Support VFR/IP Reassembly

■        No High Availability and VRF support

■        No Firewall support

■        No IPv4-embedded IPv6 address support

GTP v0, v1

■        FW L7 policy inspection

■        Verify protocol integrity

■        Support GTPv0 and GTPv1 control packets inspection (APN regular expression, MCC/MNC, packet type, length).

■        Data packets are not inspected.

■        Provides partial parity to ASA functionality

SIP Enhancement

■        Support TCP segmentation (vTCP) under NAT and/or FW configuration

■        Support SIP Trunk

■        Support REFER Method

■        Support Multiple M-lines in SDP (up to 5 m-lines)

SunRPC

■        Support TCP segmentation (vTCP) under NAT and/or FW configuration

■        Support SIP Trunk

■        Support NAT and FW

■        Portmapper version 2 will be inspected while version 3 &4 will be passed through

The following is not supported:

■        TCP segmentation

SMTP

■        FW L7 policy inspection

■        Support SMTP and ESMTP, only regular extensions

■        Data inspection

POP3

■        FW L7 policy inspection

■        Inspection of session establishment only

■        Encrypted packets are passed through

IMAP

■        FW L7 policy inspection

■        Inspection of session establishment only

■        Encrypted packets are passed through

SunRPC

■        L7 policy inspection based on sunrpc program number

RTSP Enhancement

■        Support NAT (in RTP, RDT and Interleave mode)

■        Support TCP segmentation under NAT and/or FW configuration

DNS Enhancement

■        Support TCP segmentation under NAT and/or FW configuration

Note: FW-only configuration won’t support reassemble

RCMD

■        Support NAT and FW

■        Support rlogin, rsh and rexec

■        TCP-only

■        Support VRF

■        External authentication mechanisms on behaves of peers involved

NETBIOS

■        Support RFC 1002 under NAT and Firewall configurations

■        Support Netbios over IP only

■        Support the following services:

■        Naming Service

■        Session Service

■        Datagram Service

■        Support protocol conformance under NAT and FW

■        Support VRF

The following are not supported:

■        Enforcing user authentication via Active Directory and LDAP to access NetBIOS Name Service.

■        Server Message Block Protocol (SMB) messages under NetBIOS Session Service. These messages have TCP port 445.

■        TCP segmentation

All ALG

■        HA Break – HA activities from previous releases will be unpredictable.

FTP, TFTP, DNS, LDAP, SIP, H323, SCCP, RTSP

■        VRF Support

H.323 RAS

■        All Gatekeeper-related messages are supported.

The following features are not supported:

■        Discovering Gatekeeper network element using multicast mechanism

■        Discovering Gatekeeper network element using FQDN

■        Discovering Gatekeeper network element using URL

■        TCP segmentation

LDAP

■        Support NAT only (not applicable to Firewall.)

■        Support LDAP version 2 and version 3 messages.

NAT fixup will be done on the following LDAP messages:

■        ADDREQUEST

■        SEARCHREQUEST

■        SEARCHRESPONSE

SIP Extension

■        Support RFC 2976 – INFO.

■        Support RFC 3262 – PRACK.

■        Support RFC 3265 - SUBSCRIBE/NOTIFY.

■        Support RFC 3311 – UPDATE.

■        Support RFC 3428 – MESSAGE.

■        Support RFC 3515, 3892 – REFER.

■        Support SIP over TCP.

■        TCP segmentation is not supported.

■        FQDN is not supported.

Skinny Video

■        Support IP phones with video capability.

The following two new messages are supported for NAT and Firewall:

■        OpenMultiMediaReceiveChannelAck

■        StartMultiMediaTransmission

■        Support Cisco Unified Communications Manager (through Release 6.1.) and SCCPv8 (or any compatible version)

■        TCP segmentation is not supported.

RTSP

RFC 2326, Real Time Streaming Protocol (RTSP) as follows:

■        TCP only.

■        No content-type will be examined by RTSP ALG.

■        No fully qualified domain name (FQDN) support.

■        Support Firewall only.

Support RTSP as a pass-thru protocol as follows:

■        No RTSP request/response sources/terminates on the platform.

■        No RTSP configuration.

■        No RTSP-specific statistics will be sent.

■        No multicast support.

Domain Name System (DNS)

Support RFC 1035, both TCP and UDP, for NAT and Firewall. DNS ALG will parse all DNS packets, including the following:

■        TYPE_A query/response

■        TYPE_CNAME

■        TYPE_MX

■        TYPE_NS

■        TYPE_PTR query/response

■        TYPE_SOA

File Transfer Protocol (FTP)

Support RFC765 for NAT and Firewall.  Supported modes include the following:

■        Active mode

■        Passive mode

H.323

■        H.323v4 with H.225v4 and H.245v7. Support for GW-Terminal is available. Gatekeeper-related messages will be ignored.

■        Backward compatibility support only until H.323v2. H.323v1 messages will be ignored.

■        FastConnect and Tunneling are supported. (Tunneling specifically refers to sending H.245 messages within H.225.0 messages.)

■        Support both NAT and Firewall.

■        H.323 RAS is not supported.

■        Multipoint is not supported.

■        T.120 is not supported.

Internet Control Message Protocol (ICMP)

Supported ICMP types for Firewall include the following:

■        ECHO

■        ECHO REPLY

■        TIME EXCEEDED

■        TIMESTAMP

■        TIMESTAMP REPLY

■        UNREACHABLE

Supported ICMP types for NAT include the following:

■        ECHO

■        ECHO REPLY

■        SOURCE QUENCH

■        TIME EXCEEDED

■        TIMESTAMP

■        TIMESTAMP REPLY

■        UNREACHABLE

Session Initiation Protocol (SIP)

Support RFC3261 for NAT and Firewall.  Supported methods include the following:

■        ACK

■        BYE

■        CANCEL

■        INVITE

■        OPTIONS

■        REGISTER

■        RE-INVITE

■        Only User Datagram Protocol (UDP) SIP is supported; Transmission Control Protocol (TCP) SIP is not supported.

Skinny Call Control Protocol (SCCP)

■        Supported messages  for NAT and Firewall include the following:

■        CloseReceiveChannel

■        OpenReceiveChannelAck

■        Register ack

■        Register message

■        Register reject

■        StartMediaTransmission

■        StopMediaTransmission

■        Support Cisco Unified Communications Manager (through Release 6.1.) and SCCPv8 (or any compatible version)

Trivial File Transfer Protocol (TFTP)

■        Support for NAT and Firewall.

■        Support opcode RRQ (read request) and WRQ (write request) in RFC-1350.