In passive mode all connections are initiated from the client.  It also
opens the new connections on the same port.  So FTP inspection is not
required on Passive FTP.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.


 

From: Vybhav Ramachandran
Sent: Monday, July 05, 2010 12:56 PM
To: Tyson Scott
Cc: Kingsley Charles; OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 16 task 1.5 MPF for FTP

 

Hello Tyson,

 

In case of Passive FTP, if we just issue a command
"access-list OUTSIDE_IN permit tcp any host <FTP_SERVER> eq 21"
how will the data connection be permitted to the FTP server on the inside?
Is this why we need the inspect?

 

Cheers,

TacACK
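
Added example (not part of the original thread or any poster's code): the question above turns on which port a passive-mode data connection targets. This sketch parses the server's 227 reply (RFC 959 format) and compares a static port-21 permit with an inspection-style dynamic permit; the reply lines, the 192.0.2.10 address standing in for <FTP_SERVER>, and all function names are constructed for illustration.

```python
import re

# Constructed control-channel replies in RFC 959 format; 192.0.2.10 is a
# documentation address standing in for <FTP_SERVER>.
SAMPLE_REPLIES = [
    "220 FTP server ready",
    "230 User logged in",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
]

PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(line):
    """Return (ip, port) announced by a 227 reply, or None if malformed."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    # Last two octets encode the data port: p1 * 256 + p2.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def static_acl_permits(dst_ip, dst_port, server_ip="192.0.2.10"):
    """Model of the single entry in the question: tcp any -> server eq 21."""
    return dst_ip == server_ip and dst_port == 21

def pinholes(replies):
    """Endpoints an FTP-aware inspector would learn from the control channel."""
    return {ep for ep in map(parse_pasv, replies) if ep is not None}

def data_connection_allowed(dst_ip, dst_port, replies, inspect):
    """True if the new TCP connection matches the ACL or a learned pinhole."""
    if static_acl_permits(dst_ip, dst_port):
        return True
    return inspect and (dst_ip, dst_port) in pinholes(replies)

if __name__ == "__main__":
    ip, port = parse_pasv(SAMPLE_REPLIES[-1])
    print("server announced data endpoint:", ip, port)
    for inspect in (False, True):
        ok = data_connection_allowed(ip, port, SAMPLE_REPLIES, inspect)
        print(f"inspect={inspect}: data connection allowed = {ok}")
```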
