Faisal,

Just a clarification on your comment below about not requiring inspection for active FTP. This completely depends on the scenario and the configuration of the ASA.

For instance, I don't recall ever installing an ASA with only an Inside and an Outside interface and using the default security levels to allow traffic to pass from inside to out unrestricted. If this is the case and the FTP session was initiated from the outside, then yes, the new data channel created by the server to the client would be allowed. But to maximise security, ACLs should typically be applied to all interfaces, and in this scenario the new connection for the data channel would be dropped, as the ASA would not associate this session with the existing FTP control channel connection. FTP inspection would overcome this issue. This scenario can be compared to that of the transparent firewall setup on the ASA, which requires an ACL to be configured on each interface.

Stu

On Thu, Jan 21, 2010 at 12:40 PM, faisal bhura <[email protected]> wrote:

> On Thu, Jan 21, 2010 at 6:09 PM, faisal bhura <[email protected]> wrote:
>
>> Here is a description of both the active and passive FTP usage:
>>
>> When we have the below scenario:
>>
>> Server----I(ASA)O----client
>>
>> a) Passive client
>>
>> The client connects to the server's public IP on port 21 and authenticates. After
>> this the client enters passive mode using the PASV command. When the server receives
>> the PASV command, it generates a message in which the client is informed about the
>> port it needs to connect to for data transfer. However, the server uses its own
>> private IP address in the communication, and because the firewall is not doing
>> FTP inspection, it will not modify/translate the payload to the public IP of the
>> server. Hence, the client receives the private IP address of the server and is
>> unable to connect for the data connection.
>>
>> Solution: Enable FTP inspection.
>>
>> b) Active client
>>
>> The client connects to the server's public IP on port 21 and authenticates. Then the client
>> sends a PORT command. The server calculates the port to which it needs to
>> connect to the client and initiates the connection to that port from
>> source port TCP/20 (ftp-data). The outbound connection works fine because, by
>> default, outbound traffic is permitted on the ASA.
>>
>> FTP inspection required: NO.
>>
>> Faisal Bhura
>
> --
> Regards
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Regards,
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
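The two cases argued over above (Faisal's passive-mode payload problem and Stu's point that a server-initiated active data channel gets dropped once ACLs sit on every interface) come down to the same two jobs an FTP application-layer inspector does on the control channel: rewrite the private address in a 227 reply, and open a pinhole for the data connection the control channel just announced. The following Python model is an added example written for this page; it is not code from the thread, from the ASA, or from either poster, and it is a simplified illustration rather than the ASA's actual inspection engine. The topology, addresses (inside server 10.0.0.5 with a static NAT to 203.0.113.5, outside client 198.51.100.7), and FTP command strings are constructed assumptions.

```python
"""Minimal model of FTP control-channel inspection (PORT/PASV) in front of a NAT.

Added example for this thread; not ASA code. Topology and addresses are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed topology: inside FTP server statically NATed to a public address,
# FTP client on the outside.
SERVER_PRIVATE = "10.0.0.5"
SERVER_PUBLIC = "203.0.113.5"
CLIENT = "198.51.100.7"
NAT = {SERVER_PRIVATE: SERVER_PUBLIC}

# RFC 959 host/port encoding: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\r?\n?$")
PASV_RE = re.compile(r"^227 [^(]*\(" + HOSTPORT + r"\)")


@dataclass(frozen=True)
class Pinhole:
    """A data-channel flow, in outside-visible (post-NAT) terms, that is allowed
    only because the control channel announced it. src_port None means any port.
    The same structure is used to describe a candidate flow being checked."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int


def _decode(fields):
    """Turn the six decimal fields into (ip, port); reject out-of-range octets so a
    malformed payload cannot produce a bogus pinhole."""
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        raise ValueError("PORT/PASV field out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def _encode(ip, port):
    return ip.replace(".", ",") + f",{port // 256},{port % 256}"


def inspect_client_command(line):
    """Client -> server direction. A PORT command names the socket the client is
    listening on; the server will connect to it from TCP/20, so record a pinhole for
    that server-initiated flow (the one an inside-interface ACL would otherwise drop).
    The client is not NATed here, so the payload is passed unchanged."""
    m = PORT_RE.match(line)
    if not m:
        return line, None
    ip, port = _decode(m.groups())
    return line, Pinhole(SERVER_PUBLIC, 20, ip, port)


def inspect_server_reply(line):
    """Server -> client direction. A 227 reply carries the server's own private
    address. Rewrite it to the NAT address so the client can reach it, and record a
    pinhole for the client-initiated data connection to the announced port."""
    m = PASV_RE.match(line)
    if not m:
        return line, None
    ip, port = _decode(m.groups())
    public = NAT.get(ip, ip)
    rewritten = line.replace(_encode(ip, port), _encode(public, port), 1)
    return rewritten, Pinhole(CLIENT, None, public, port)


def data_flow_permitted(flow, pinholes, acl_permits=False):
    """A new data connection is allowed if the interface ACL already permits it, or
    if inspection tied it to an existing control session through a pinhole."""
    if acl_permits:
        return True
    return any(
        p.src_ip == flow.src_ip
        and (p.src_port is None or p.src_port == flow.src_port)
        and p.dst_ip == flow.dst_ip
        and p.dst_port == flow.dst_port
        for p in pinholes
    )


if __name__ == "__main__":
    # Passive: private address in the 227 reply is rewritten, pinhole opened.
    reply, pasv_hole = inspect_server_reply("227 Entering Passive Mode (10,0,0,5,195,80).\r\n")
    print(reply.strip(), pasv_hole)
    # Active: PORT leaves the payload alone but opens a pinhole for server:20 -> client.
    cmd, port_hole = inspect_client_command("PORT 198,51,100,7,4,1\r\n")
    data_conn = Pinhole(SERVER_PUBLIC, 20, CLIENT, 1025)
    print("without inspection:", data_flow_permitted(data_conn, []))
    print("with inspection:   ", data_flow_permitted(data_conn, [port_hole]))
```

Running it shows the two outcomes the thread describes: the 227 reply goes out as `(203,0,113,5,195,80)` instead of the private address, and the active-mode data connection from the server's port 20 is only permitted when a pinhole from the PORT command exists (or when, as in Faisal's unrestricted-outbound case, the ACL allows it anyway). On a real ASA this is the job of `inspect ftp` in the global policy map; the model here only tracks the pieces needed to make that point.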
