The inspection will happen on the control channel, including return traffic on that channel.

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com.

On Thu, Jan 21, 2010 at 12:57 AM, Kingsley Charles <[email protected]> wrote:
> Hi Stu
>
> Will ASA inspect return traffic that has come from outside to inside? An ideal
> firewall should only inspect traffic that initiates from the trusted zone.
>
> In this case, the ftp client that is on the outside - untrusted zone has
> initiated the traffic.
>
> My understanding is that the return traffic for connections initiated from
> the lower sec level is just passed, not inspected.
>
> With regards
> Kings
>
> On Thu, Jan 21, 2010 at 1:40 PM, Stuart Hare <[email protected]> wrote:
>> Kings,
>>
>> Regardless of the interface it's received on, as soon as the ASA receives
>> traffic destined for TCP 21 it will initiate the FTP inspection (as long
>> as it hasn't been disabled), which knows the detailed traffic flows for
>> active/passive FTP, so it can allow the necessary ports to be opened and
>> ensure it conforms.
>>
>> So in answer to your question, only port TCP 21 needs opening.
>> On the other hand, port 20 is used in active FTP connections, and is the
>> source port used by the server to connect to the client's remote port
>> specified during the initial connection setup. So it is typically not required
>> to be opened anyway, as this will be handled by inspection on the return
>> flow.
>>
>> HTH
>> Stu
>>
>> On Thu, Jan 21, 2010 at 7:47 AM, Kingsley Charles <[email protected]> wrote:
>>> Hi all
>>>
>>> When the ftp client is on the inside and the server is outside, then the ASA
>>> inspection will take care of the connection by having dynamic openings. For the
>>> case when the ftp client is outside and the server is inside, what
>>> ports should be open in the ACL?
>>>
>>> ftp client --------------- outside ASA inside ----------------------- ftp server
>>>
>>> Since the ftp client is outside, if we just open the control port (21),
>>> will it work?
>>>
>>> First solution
>>>
>>> access-list ftpacl permit tcp any any eq 21
>>> access-list ftpacl permit tcp any any eq 20
>>>
>>> Second solution
>>>
>>> access-list ftpacl permit tcp any any eq 21
>>>
>>> Bit confused, which solution should be used?
>>>
>>> With regards
>>> Kings
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>
>> --
>> Regards,
>>
>> Stuart Hare
>> CCIE #25616 (Security), CCSP, Microsoft MCP
>> Sr. Support Engineer – IPexpert, Inc.
>> URL: http://www.IPexpert.com
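The active/passive negotiation that Stu's answer relies on, worked through as an added example (this is not code from the thread, from IPexpert, or from Cisco): a small Python model of the data-channel pinholes that a stateful FTP inspection derives from the control channel, for the thread's topology of an outside client and an inside server. The addresses, the control-channel lines and the strict address check are constructed or modelled here, not taken from the thread.

```python
"""Model of what stateful FTP inspection derives from the control channel.

Illustrative code only (not Cisco ASA code). The client/server addresses
and the control-channel session below are constructed for the thread's
topology: ftp client on the outside, ftp server on the inside.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CLIENT_IP = "198.51.100.10"   # outside host (constructed, documentation range)
SERVER_IP = "192.0.2.20"      # inside host  (constructed, documentation range)

# RFC 959 host-port tuple h1,h2,h3,h4,p1,p2 where port = p1*256 + p2
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    """A dynamic data-channel permit the firewall must add for one session."""
    mode: str        # "active" or "passive"
    src_ip: str
    src_port: int    # 0 means any (ephemeral) source port
    dst_ip: str
    dst_port: int
    direction: str   # "inside->outside" or "outside->inside"


def parse_hostport(text: str):
    """Extract (ip, port) from a PORT command or a 227 PASV reply."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def pinhole_for(line: str, client_ip: str, server_ip: str,
                strict: bool = True) -> Optional[Pinhole]:
    """Return the pinhole implied by one control-channel line, or None.

    Active mode: the client sends PORT and the inside server connects from
    source port 20 to the advertised client address.  Passive mode: the
    server answers PASV with 227 and the outside client connects to the
    advertised server port.  With strict=True the advertised address must
    belong to the host owning that side of the control channel (modelled
    after the address check a strict FTP inspection performs).
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        if strict and ip != client_ip:
            raise ValueError("PORT address %s is not the client %s" % (ip, client_ip))
        return Pinhole("active", server_ip, 20, ip, port, "inside->outside")
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        if strict and ip != server_ip:
            raise ValueError("227 address %s is not the server %s" % (ip, server_ip))
        return Pinhole("passive", client_ip, 0, ip, port, "outside->inside")
    return None


def pinholes_from_session(lines, client_ip, server_ip) -> List[Pinhole]:
    """Walk a control-channel transcript and collect every pinhole it implies."""
    return [h for h in (pinhole_for(l, client_ip, server_ip) for l in lines) if h]


def strict_rejects(line, client_ip, server_ip) -> bool:
    """True when the strict address check refuses the advertised data address."""
    try:
        pinhole_for(line, client_ip, server_ip, strict=True)
    except ValueError:
        return True
    return False


def static_acl_alone_permits(hole: Pinhole, outside_acl_ports=(21,)) -> bool:
    """Would the outside ACL, with no inspection, admit this data connection?

    Inside->outside (higher to lower security level) passes by default, so
    the active-mode data connection never needed port 20 in the outside ACL.
    Outside->inside passes only for ports the outside ACL lists, so the
    passive-mode connection to a high server port depends on the pinhole.
    """
    if hole.direction == "inside->outside":
        return True
    return hole.dst_port in outside_acl_ports


# Constructed control-channel excerpt (client commands and server replies).
SAMPLE_SESSION = [
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest",
    "230 Login successful.",
    "PORT 198,51,100,10,4,1",                        # client port 4*256+1 = 1025
    "200 PORT command successful.",
    "LIST",
    "PASV",
    "227 Entering Passive Mode (192,0,2,20,195,80)",  # server port 195*256+80 = 50000
    "RETR file.bin",
]

if __name__ == "__main__":
    for hole in pinholes_from_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP):
        print(hole, "| static ACL alone permits:", static_acl_alone_permits(hole))
```

Run against the constructed session, the model yields two pinholes: the active-mode one (server port 20 to client port 1025) is initiated inside to outside and needs no ACL entry, which is why the `eq 20` line of the first solution adds nothing; the passive-mode one (client to server port 50000) is initiated outside to inside and is only admitted because inspection of the 227 reply opened it, which is why the second solution works once `inspect ftp` is in the policy. The strict address check is modelled behaviour, included to show why an inspection engine validates the embedded address rather than opening whatever the control channel advertises.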
