The first bullet point states to block hosts from using passive FTP to 192.1.49.100. I cannot understand how this could be done without doing explicit permits for traffic leaving the firewall. It says that the session should be the most stateful possible. I am struggling to understand how the solution in the 'detailed solution guide' works.

Let's start with the first command:

    established tcp 21 0 permitto tcp 0 permitfrom tcp 20

My interpretation of this command is that if traffic is seen destined for tcp port 21, the firewall should permit return traffic to any tcp port from tcp port 20, so this should actually let active mode FTP work if filtering were the only problem. However, we also need to deal with changing the PORT command to a correct public address. So my question with the established command is this: does the ASA allow the DATA channel to be established from any port in active mode without this command? My interpretation is that this would be in addition to connections permitted by the ftp inspection. So how does it improve on the ftp inspect alone, or what is its purpose?

Then, concerning the traffic being inspected with "inspect ftp": this excludes traffic destined to 192.1.49.100. However, it would then be inspected in "inspection_default". Even if it did not use the ftp inspect at all, I don't see how this would prevent passive FTP. As I understand it, passive FTP establishes two outbound sessions. The first is typically from a port above 1023 to port 21 on the server. The second is also typically from a port above 1023 on the client to another high port on the server. This port is specified to the client through the first session. Both initial packets are outbound. So if the ASA only looks at these as TCP connections, they still work. The only exception would be if the server was on the inside of the ASA instead of the outside and the role of the ASA reversed. This would require the block of ports used for passive FTP to be open, or fairly intelligent inspection of the control channel.

I think this is a good question, I am just somehow not seeing the solution. What am I missing?
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
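To make the distinction in the question above concrete, here is an added example (not part of the original post, and not ipexpert's or Cisco's code) that models what an FTP inspection engine derives from the control channel versus what a firewall tracking only TCP state sees. It parses the client's PORT command and the server's 227 passive-mode reply, computes the data connection each one sets up, performs the NAT fix-up of the embedded address in PORT, and returns the verdict a TCP-only stateful firewall would give. The server address 192.1.49.100 is taken from the question; the client addresses 10.1.1.5 (private) and 203.0.113.7 (public) and the control-channel lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample addresses; only 192.1.49.100 comes from the question.
CLIENT_PRIVATE = "10.1.1.5"
CLIENT_PUBLIC = "203.0.113.7"
SERVER = "192.1.49.100"

# RFC 959 encodes an address/port pair as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataChannel:
    src_ip: str               # host that sends the SYN for the data connection
    src_port: Optional[int]   # None means any ephemeral port
    dst_ip: str
    dst_port: int
    direction: str            # "outbound" = client opens it, "inbound" = server opens it


def _decode(h1, h2, h3, h4, p1, p2) -> Tuple[str, int]:
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def _encode(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def expected_data_channel(line: str, client_ip: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data connection an FTP inspection engine would pre-open (a pinhole)
    for one control-channel line, or None if the line sets up no data connection."""
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(*m.groups())
        # Active mode: the server connects back from port 20 to the client's announced port.
        return DataChannel(server_ip, 20, ip, port, "inbound")
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(*m.groups())
        # Passive mode: the client opens a second connection to the announced server port.
        return DataChannel(client_ip, None, ip, port, "outbound")
    return None


def rewrite_port_command(line: str, private_ip: str, public_ip: str) -> str:
    """NAT fix-up: if the client announced its private address in PORT, replace it with
    the public address so the server can reach the client. Other lines pass through."""
    m = PORT_RE.match(line)
    if not m:
        return line
    ip, port = _decode(*m.groups())
    if ip != private_ip:
        return line
    return f"PORT {_encode(public_ip, port)}"


def plain_tcp_verdict(channel: DataChannel) -> str:
    """Verdict of a firewall that tracks TCP state only (client on the inside, no FTP
    inspection): inside-initiated SYNs are permitted, outside-initiated SYNs are denied."""
    return "permit" if channel.direction == "outbound" else "deny"


if __name__ == "__main__":
    # Constructed control-channel lines for the demonstration.
    for line in ["USER anonymous", "PORT 10,1,1,5,4,1",
                 "227 Entering Passive Mode (192,1,49,100,195,80)"]:
        ch = expected_data_channel(line, CLIENT_PRIVATE, SERVER)
        fixed = rewrite_port_command(line, CLIENT_PRIVATE, CLIENT_PUBLIC)
        if ch is None:
            print(f"{line!r}: no data channel")
        else:
            print(f"{line!r} -> {fixed!r}: {ch.direction} {ch.src_ip}:{ch.src_port} -> "
                  f"{ch.dst_ip}:{ch.dst_port}, TCP-only firewall says {plain_tcp_verdict(ch)}")
```

Running it shows the point made in the question: the passive-mode data connection is outbound from the client, so a TCP-only stateful firewall permits it just like any other outbound connection, and blocking it requires something that reads the 227 reply on the control channel. The active-mode case is the opposite: the server's inbound connection is denied unless the PORT command is inspected, and the embedded private address must be rewritten for the server to reach the client at all.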
