And just to elaborate a little bit more. When you look at the documentation, most of it refers to things you would see in the command channel. Here is a snip of what it says - likely you have already seen this:

The FTP application inspection inspects the FTP sessions and performs four tasks:
• Prepares dynamic secondary data connection
• Tracks the FTP command-response sequence
• Generates an audit trail
• Translates the embedded IP address

FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1234738

I think it would be interesting to create a filter for file type and turn on Wireshark on the server. See if the ASA kills the connection in the command channel versus the server receiving the command and the ASA filtering it on the data channel. I've never done this but I don't think it would be difficult to set up. Just throwing that out there.

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com.

On Thu, Jan 21, 2010 at 12:32 AM, Stuart Hare <[email protected]> wrote:
> Hi Shawn,
>
> Although I have never come across a doc that specifically states these
> details, from experience the Reset-O is logged when a TCP reset is received
> on the lower security level interface classed as outside, and Reset-I is
> logged when received on the higher level interface (inside).
>
> Now what happens when the two interfaces are the same security level, with
> permit inter-interface enabled, is the interesting one and unfortunately one
> I'm not 100% sure on :)
>
> Stu
>
> On Tue, Jan 19, 2010 at 10:44 PM, Shawn Mesiatowsky <[email protected]> wrote:
>>
>> I am having trouble figuring out where the reset bit is sent from
>>
>> %ASA-6-302014: Teardown TCP connection 498766 for public:1.1.1.1/2742 to
>> private:2.2.2.2/4615 duration 0:00:23 bytes 58142 TCP Reset-O
>>
>> The Cisco docs say Reset-O means it is from the outside. So is this in
>> reference to the security levels (where the outside is the lower
>> security level, being private, and inside is the higher being private)?
>> Or the direction of traffic (where the connection was initiated, so the
>> inside would be public as the connection was initiated from the public
>> network, and the outside is private as it is the destination of the
>> connection)? Thanks for your help.
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>
> --
> Regards,
>
> Stuart Hare
> CCIE #25616 (Security), CCSP, Microsoft MCP
> Sr. Support Engineer – IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
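As an added example (not code from the thread, from IPexpert or from Cisco), here is a small Python parser for the %ASA-6-302014 teardown message Shawn quoted, applying Stuart's reading of Reset-O/Reset-I so a batch of syslog lines can be summarised by the side the reset arrived on. The sample lines are constructed and the field names are my own.

```python
import re
from typing import Dict, List, Optional
# Constructed samples modelled on the 302014 line Shawn quoted (the first is that line).
SAMPLE_LOGS = [
    "%ASA-6-302014: Teardown TCP connection 498766 for public:1.1.1.1/2742 to "
    "private:2.2.2.2/4615 duration 0:00:23 bytes 58142 TCP Reset-O",
    "%ASA-6-302014: Teardown TCP connection 498767 for public:1.1.1.1/2750 to "
    "private:2.2.2.2/21 duration 0:01:05 bytes 912 TCP Reset-I",
    "%ASA-6-302014: Teardown TCP connection 498768 for public:1.1.1.1/2760 to "
    "private:2.2.2.2/21 duration 0:00:02 bytes 341 TCP FINs",
]

TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def reset_side(reason: str) -> Optional[str]:
    """Per the thread: Reset-O = the RST was received on the lower security
    (outside) interface, Reset-I = on the higher security (inside) one; neither
    says which side initiated the connection."""
    if reason.endswith("Reset-O"):
        return "outside"
    if reason.endswith("Reset-I"):
        return "inside"
    return None  # FINs, timeouts and other reasons are not resets

def parse_teardown(line: str) -> Optional[Dict[str, object]]:
    """Parse one 302014 syslog line into typed fields; None for anything else."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    return {
        "conn_id": int(m["conn_id"]),
        "src": f'{m["src_if"]}:{m["src_ip"]}/{m["src_port"]}',  # initiator
        "dst": f'{m["dst_if"]}:{m["dst_ip"]}/{m["dst_port"]}',  # responder
        "duration_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
        "bytes": int(m["bytes"]),
        "reason": m["reason"],
    }

def reset_summary(lines: List[str]) -> Dict[str, int]:
    """Count teardowns by the side the reset arrived on, for a batch of lines."""
    counts = {"outside": 0, "inside": 0, "none": 0}
    for t in filter(None, map(parse_teardown, lines)):
        counts[reset_side(t["reason"]) or "none"] += 1
    return counts
```

Run against the FTP test Brandon describes, a spike of Reset-O on the data-channel ports versus Reset-I on port 21 would show which channel the ASA is tearing down.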
