First Published: February 06, 2009
Last Updated: October 10, 2017
The following tables summarize Network Address Translation (NAT) and Firewall Application Layer Gateway (ALG) feature support on Cisco ASR 1000 Series Aggregation Services Routers in Cisco IOS XE Release 2.1.0 and later releases. Each table lists the features whose support was introduced in the release. NAT and Firewall ALG support is cumulative; features supported in earlier releases continue to be supported in later releases.
This document contains the following tables:
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.14.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.13.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.11.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.9.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.8.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.7.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.6.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.5.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.4.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.2.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.1.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 2.5.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 2.4.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 2.2.0
■ NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 2.1.0
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.14.0:
Table 1. NAT and Firewall ALG/AIC Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.14.0
Application Layer Gateway/Inspection | Features Supported |
MSRPC ALG VTCP Support | ■ Segmented TCP-based message |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.13.0:
Table 2. NAT and Firewall ALG/AIC Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.13.0
Application Layer Gateway/Inspection | Features Supported |
MSRPC ALG VTCP Support | ■ Packet Tracing Support ■ Conditional Debugging ■ Debug Log/Trace file severity cleanup |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.11.0:
Table 3. NAT and Firewall ALG/AIC Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.11.0
Application Layer Gateway/Inspection | Features Supported |
SIP ALG resilience to DoS attack | ■ Configurable lock limit ■ Dynamic black list ■ Configurable timers |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.9.0:
Table 4. NAT and Firewall ALG/AIC Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.9.0
Application Layer Gateway/Inspection | Features Supported |
GTPv2 | ■ Support GTPv2 inspection (3GPP RLS8 / RLS9) |
Serviceability | ■ ALG/AIC Serviceability improvement |
PPTP | ■ PPTP ALG support |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.8.0:
Table 5. NAT and Firewall ALG/AIC Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.8.0
Application Layer Gateway/Inspection | Features Supported |
GTP AIC | ■ Support 3GPP RLS 7&8 for GTPv1 |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.7.0:
Table 6. NAT and Firewall ALG/AIC Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.7.0
Application Layer Gateway/Inspection | Features Supported |
GTP AIC | ■ Support GGSN polling feature for GTPv0/GTPv1 |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.6.0:
Table 7. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.6.0
Application Layer Gateway | Features Supported |
H323 | ■ Support H323 version 6 with H.225 v6 and H.245 v13 |
FTP64 | ■ Support IPv4-embedded IPv6 address |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.5.0:
Table 8. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.5.0
Application Layer Gateway | Features Supported |
SIP | ■ Multiple SIP messages per TCP segment. ■ No High Availability is supported for SIP ALG |
SCCP | ■ Support SCCP Version 17 to interwork with Cisco Unified Communications Manager (CUCM) 8.x. ■ No High Availability is supported for SCCP ALG. |
MS-RPC | ■ Not a public protocol; largely based on the DCE RPC protocol, which can be reviewed at http://pubs.opengroup.org/onlinepubs/9629399/ ■ Support NAT and FW ■ No TCP segmentation (vTCP) support in this release ■ TCP only The following information is available on Cisco.com: ■ FW L7 policy inspection of TCP communication between the EPM (Endpoint Mapper) on the server side and the client on the well-known TCP port 135. ■ A client calls the endpoint mapper at the server to ask for a "well known" service. The server answers the client with the addresses at which this service is available (or that the service is not available at all). ■ Apply NAT if needed and rewrite the message. ■ Allow multiple uses of the imprecise FW session, since a client may attempt multiple connections to the server port returned by the EPM. |
MS-RPC (contd …) | ■ A FW session is based on a five-tuple: source/destination IP addresses, source/destination ports, and protocol. When the source port is unknown, an imprecise FW session is created. When traffic “hits” the other four elements of the tuple, a FW session is created. ■ Validate the MSRPC protocol (messages and protocol): binding (bind request and response tracking); call, request and response message tracking ■ No TCP segmentation (vTCP) support in this release |
FTP64 | ■ Intra-Chassis High Availability Support |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.4.0:
Table 9. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.4.0
Application Layer Gateway | Features Supported |
FTP64 | ■ Support draft-ietf-behave-ftp64-06 ■ Support Stateful NAT64 only; Stateless NAT64 is not supported ■ Support VFR/IP Reassembly ■ No High Availability and VRF support ■ No Firewall support ■ No IPv4-embedded IPv6 address support |
Table 10. Firewall AIC Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.4.0
Application Layer Gateway | Features Supported |
GTP v0, v1 | ■ FW L7 policy inspection ■ Verify protocol integrity ■ Support GTPv0 and GTPv1 control packets inspection (APN regular expression, MCC/MNC, packet type, length). ■ Data packets are not inspected. ■ Provides partial parity to ASA functionality |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.2.0:
Table 11. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.2.0
Application Layer Gateway | Features Supported |
SIP Enhancement | ■ Support TCP segmentation (vTCP) under NAT and/or FW configuration ■ Support SIP Trunk ■ Support REFER Method ■ Support Multiple M-lines in SDP (up to 5 m-lines) |
SunRPC | ■ Support TCP segmentation (vTCP) under NAT and/or FW configuration ■ Support SIP Trunk ■ Support NAT and FW ■ Portmapper version 2 is inspected, while versions 3 and 4 are passed through The following is not supported: ■ TCP segmentation |
Table 12. Firewall AIC Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.2.0
Application Layer Gateway | Features Supported |
SMTP | ■ FW L7 policy inspection ■ Support SMTP and ESMTP, only regular extensions ■ Data inspection |
POP3 | ■ FW L7 policy inspection ■ Inspection of session establishment only ■ Encrypted packets are passed through |
IMAP | ■ FW L7 policy inspection ■ Inspection of session establishment only ■ Encrypted packets are passed through |
SunRPC | ■ L7 policy inspection based on sunrpc program number |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 3.1.0:
Table 13. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 3.1.0
Application Layer Gateway | Features Supported |
RTSP Enhancement | ■ Support NAT (in RTP, RDT and Interleave mode) ■ Support TCP segmentation under NAT and/or FW configuration |
DNS Enhancement | ■ Support TCP segmentation under NAT and/or FW configuration Note: A FW-only configuration does not support reassembly |
RCMD | ■ Support NAT and FW ■ Support rlogin, rsh and rexec ■ TCP-only ■ Support VRF ■ External authentication mechanisms on behalf of the peers involved |
NETBIOS | ■ Support RFC 1002 under NAT and Firewall configurations ■ Support NetBIOS over IP only ■ Support the following services: ■ Naming Service ■ Session Service ■ Datagram Service ■ Support protocol conformance under NAT and FW ■ Support VRF The following are not supported: ■ Enforcing user authentication via Active Directory and LDAP to access NetBIOS Name Service. ■ Server Message Block Protocol (SMB) messages under NetBIOS Session Service. These messages have TCP port 445. ■ TCP segmentation |
All ALG | ■ HA Break – HA activities from previous releases will be unpredictable. |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 2.5.0:
Table 14. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 2.5.0
Application Layer Gateway | Features Supported |
FTP, TFTP, DNS, LDAP, SIP, H323, SCCP, RTSP | ■ VRF Support |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 2.4.0:
Table 15. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 2.4.0
Application Layer Gateway | Features Supported |
H.323 RAS | ■ All Gatekeeper-related messages are supported. The following features are not supported: ■ Discovering Gatekeeper network element using multicast mechanism ■ Discovering Gatekeeper network element using FQDN ■ Discovering Gatekeeper network element using URL ■ TCP segmentation |
LDAP | ■ Support NAT only (not applicable to Firewall). ■ Support LDAP version 2 and version 3 messages. NAT fixup will be done on the following LDAP messages: ■ ADDREQUEST ■ SEARCHREQUEST ■ SEARCHRESPONSE |
SIP Extension | ■ Support RFC 2976 – INFO. ■ Support RFC 3262 – PRACK. ■ Support RFC 3265 – SUBSCRIBE/NOTIFY. ■ Support RFC 3311 – UPDATE. ■ Support RFC 3428 – MESSAGE. ■ Support RFC 3515, 3892 – REFER. ■ Support SIP over TCP. ■ TCP segmentation is not supported. ■ FQDN is not supported. |
Skinny Video | ■ Support IP phones with video capability. The following two new messages are supported for NAT and Firewall: ■ OpenMultiMediaReceiveChannelAck ■ StartMultiMediaTransmission ■ Support Cisco Unified Communications Manager (through Release 6.1) and SCCPv8 (or any compatible version) ■ TCP segmentation is not supported. |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 2.2.0:
Table 16. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 2.2.0
Application Layer Gateway | Features Supported |
RTSP | RFC 2326, Real Time Streaming Protocol (RTSP) as follows: ■ TCP only. ■ No content-type will be examined by RTSP ALG. ■ No fully qualified domain name (FQDN) support. ■ Support Firewall only. Support RTSP as a pass-thru protocol as follows: ■ No RTSP request/response sources/terminates on the platform. ■ No RTSP configuration. ■ No RTSP-specific statistics will be sent. ■ No multicast support. |
The following table summarizes NAT and Firewall ALG/AIC support on Cisco ASR 1000 Series Routers that was introduced in Cisco IOS XE Release 2.1.0:
Table 17. NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers in Cisco IOS XE Release 2.1.0
Application Layer Gateway | Features Supported |
Domain Name System (DNS) | Support RFC 1035, both TCP and UDP, for NAT and Firewall. DNS ALG will parse all DNS packets, including the following: ■ TYPE_A query/response ■ TYPE_CNAME ■ TYPE_MX ■ TYPE_NS ■ TYPE_PTR query/response ■ TYPE_SOA |
File Transfer Protocol (FTP) | Support RFC 765 for NAT and Firewall. Supported modes include the following: ■ Active mode ■ Passive mode |
H.323 | ■ H.323v4 with H.225v4 and H.245v7. Support for GW-Terminal is available. Gatekeeper-related messages will be ignored. ■ Backward compatibility support only until H.323v2. H.323v1 messages will be ignored. ■ FastConnect and Tunneling are supported. (Tunneling specifically refers to sending H.245 messages within H.225.0 messages.) ■ Support both NAT and Firewall. ■ H.323 RAS is not supported. ■ Multipoint is not supported. ■ T.120 is not supported. |
Internet Control Message Protocol (ICMP) | Supported ICMP types for Firewall include the following: ■ ECHO ■ ECHO REPLY ■ TIME EXCEEDED ■ TIMESTAMP ■ TIMESTAMP REPLY ■ UNREACHABLE Supported ICMP types for NAT include the following: ■ ECHO ■ ECHO REPLY ■ SOURCE QUENCH ■ TIME EXCEEDED ■ TIMESTAMP ■ TIMESTAMP REPLY ■ UNREACHABLE |
Session Initiation Protocol (SIP) | Support RFC 3261 for NAT and Firewall. Supported methods include the following: ■ ACK ■ BYE ■ CANCEL ■ INVITE ■ OPTIONS ■ REGISTER ■ RE-INVITE ■ Only User Datagram Protocol (UDP) SIP is supported; Transmission Control Protocol (TCP) SIP is not supported. |
Skinny Call Control Protocol (SCCP) | ■ Supported messages for NAT and Firewall include the following: ■ CloseReceiveChannel ■ OpenReceiveChannelAck ■ Register ack ■ Register message ■ Register reject ■ StartMediaTransmission ■ StopMediaTransmission ■ Support Cisco Unified Communications Manager (through Release 6.1) and SCCPv8 (or any compatible version) |
Trivial File Transfer Protocol (TFTP) | ■ Support for NAT and Firewall. ■ Support opcode RRQ (read request) and WRQ (write request) in RFC 1350. |