Kings,

As long as you have FTP inspection attached globally, the ASA will inspect the FTP control channel (port 21) and open the required data channel (negotiated ports in passive mode, or it will allow port 20 in active mode).

The only difference here (for FTP originated from the outside network) is that you need an ACL on the outside permitting port 21. The rest of the dynamic connections will be allowed automatically.

HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)

2010/1/21 Kingsley Charles <[email protected]>
> Hi Stu
>
> Will ASA inspect return traffic that has come from outside to inside? An ideal
> firewall should only inspect traffic that initiates from the trusted zone.
>
> In this case, the ftp client that is on the outside - untrusted zone has
> initiated the traffic.
>
> My understanding is that the return traffic for connections initiated from
> the lower sec level is just passed, not inspected.
>
> With regards
> Kings
>
> On Thu, Jan 21, 2010 at 1:40 PM, Stuart Hare <[email protected]> wrote:
>
>> Kings,
>>
>> Regardless of the interface it's received on, as soon as the ASA receives
>> traffic destined for TCP21 it will initiate the FTP inspection (as long
>> as it hasn't been disabled), which knows the detailed traffic flows for
>> active/passive FTP, so it can allow the necessary ports to be opened and
>> ensure it conforms.
>>
>> So in answer to your question, only port TCP21 needs opening.
>> On the other hand, port 20 is used in active FTP connections, and is the
>> source port used by the server to connect to the client's remote port
>> specified during the initial connection setup. So it is typically not required
>> to be opened anyway, as this will be handled by inspection on the return
>> flow.
>>
>> HTH
>> Stu
>>
>> On Thu, Jan 21, 2010 at 7:47 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi all
>>>
>>> When the ftp client is on the inside and the server is outside, the ASA
>>> inspection will take care of the connection by having dynamic openings. For the
>>> case when the ftp client is outside and the server is inside, what
>>> ports should be open in the ACL?
>>>
>>> ftp client --------------- outside ASA inside ----------------------- ftp server
>>>
>>> Since the ftp client is outside, if we just open the control port (21),
>>> will it work?
>>>
>>> *First solution*
>>>
>>> access-list ftpacl extended permit tcp any any eq 21
>>> access-list ftpacl extended permit tcp any any eq 20
>>>
>>> *Second solution*
>>>
>>> access-list ftpacl extended permit tcp any any eq 21
>>>
>>> Bit confused, which solution should be used?
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>
>> --
>> Regards,
>>
>> Stuart Hare
>> CCIE #25616 (Security), CCSP, Microsoft MCP
>> Sr. Support Engineer – IPexpert, Inc.
>> URL: http://www.IPexpert.com <http://www.ipexpert.com/>
>>
>
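The thread's answer rests on what FTP inspection actually does: it reads the control channel on tcp/21 and derives the data-channel opening from the PORT command (active) or the 227 reply (passive), so the ACL never needs a static tcp/20 entry. As an added illustration, not code from any of the posters and not ASA software, the Python below walks a constructed control-channel exchange for the thread's outside-client/inside-server scenario and derives the pinhole an inspection engine would create; the addresses are RFC 5737 documentation addresses and are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample for the thread's scenario: FTP client on the outside, server on
# the inside. Both addresses are RFC 5737 documentation addresses, not real hosts.
CLIENT, SERVER = "203.0.113.10", "192.0.2.25"
CONTROL_CHANNEL = [
    ("client", "USER anonymous"),
    ("server", "230 Login successful."),
    ("client", "PORT 203,0,113,10,195,80"),  # active: client listens on 195*256+80 = 50000
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,0,2,25,156,83)."),  # passive: 156*256+83 = 40019
]

# FTP encodes host and port as six comma-separated decimal values (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

@dataclass(frozen=True)
class Pinhole:
    mode: str       # "active" or "passive"
    src: str        # host that will open the data connection
    dst: str        # host that is listening for it
    dst_port: int

def parse_hostport(text):
    """Return (ip, port) from a PORT command or 227 reply, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p_hi, p_lo = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo

def expected_pinholes(control_lines, client_ip, server_ip):
    """Derive the data-channel openings an inspection engine would create from the
    control channel alone; this is why the ACL only needs to permit tcp/21."""
    pinholes = []
    for sender, line in control_lines:
        if sender == "client" and line.upper().startswith("PORT "):
            parsed = parse_hostport(line)
            # Active mode: the server connects (source tcp/20) back to the announced port.
            # The announced host must be the client itself; an engine refuses anything else.
            if parsed and parsed[0] == client_ip:
                pinholes.append(Pinhole("active", server_ip, parsed[0], parsed[1]))
        elif sender == "server" and line.startswith("227 "):
            parsed = parse_hostport(line)
            # Passive mode: the client connects to the port the server itself announced.
            if parsed and parsed[0] == server_ip:
                pinholes.append(Pinhole("passive", client_ip, parsed[0], parsed[1]))
    return pinholes
```

Calling `expected_pinholes(CONTROL_CHANNEL, CLIENT, SERVER)` yields one active pinhole toward 203.0.113.10:50000 and one passive pinhole toward 192.0.2.25:40019, neither of which appears in any static ACL.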
