To conclude, the following is when FTP inspection is required to be configured:

*Outbound Active FTP* - This is required as the data connection is initiated from the server outside. Port 20 is opened and torn out after the FTP data connection.

*Inbound Passive FTP* - This is required as the data connection is initiated from the client outside. A higher-order port number (> 1024) is taken from the FTP control messages sent from the client and opened. It is torn out after the FTP data connection.

*Inbound Active FTP* - Since the data connection is initiated from the server inside, FTP inspection is not required.

*Outbound Passive FTP* - Since the data connection is initiated from the client inside, FTP inspection is not required.

For inbound connections, we always need to open the control port in the ACL. The data port will be dynamically opened by the FW.

The FTP application inspection inspects the FTP sessions and performs four tasks:
• Prepares dynamic secondary data connection
• Tracks the FTP command-response sequence
• Generates an audit trail
• Translates the embedded IP address

After you enable the *strict* option on an interface, FTP inspection enforces the following behavior:
• An FTP command must be acknowledged before the security appliance allows a new command.
• The security appliance drops connections that send embedded commands.
• The 227 and PORT commands are checked to ensure they do not appear in an error string.

If the *strict* option is enabled, each FTP command and response sequence is tracked for the following anomalous activity.

Hi Tyson,

I need a clarification. Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1234738

*Note* If you disable FTP inspection engines with the *no inspect ftp* command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

With Inbound Active FTP, the control channel is initiated from the client outside and then the data channel is initiated from port 20 of the server.
Since the connection has been initiated from outside, will the ASA consider the data connection from port 20 as a valid TCP connection, inspect it and allow the return traffic from the client to port 20?

In some docs it says that "inbound Active FTP" doesn't require FTP inspection as the data connection is initiated from inside and will be taken care of by the normal FW inspection. But the above snippet tells that only outbound passive FTP will work without FTP inspection. This also seems to be correct, as even though the data connection for "inbound Active FTP" is from the server inside, the connection was initiated from the client outside. Hence the data connection is not valid and will not be inspected. Both logically seem to be correct.

For Inbound Active FTP, do we need FTP inspection?

With regards
Kings

On Mon, Jul 5, 2010 at 10:55 PM, Vybhav Ramachandran <[email protected]> wrote:
> Thanks Tyson. That answers my questions :)
>
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
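As an added example (not from the thread and not Cisco's code), here is the pinhole logic discussed above in Python: it extracts the embedded data endpoint from a PORT command or a 227 reply the way an inspection engine must before opening a dynamic port, applies the *strict* check that neither pattern may sit inside an error reply, and decides from the client's side of the firewall whether the data port has to be opened dynamically. The control lines and the inside/outside labels used are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed patterns for the two control-channel messages that embed a data
# endpoint: the client's "PORT h1,h2,h3,h4,p1,p2" (active mode) and the server's
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (passive mode).
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_ERROR_RE = re.compile(r"^[45]\d\d[ -]")  # 4xx/5xx replies are error strings
_EMBEDDED_RE = re.compile(r"(PORT\s+|227\b.*\()\d+(,\d+){5}", re.I)

class DataEndpoint(NamedTuple):
    mode: str   # "active" (PORT from client) or "passive" (227 from server)
    host: str
    port: int

def parse_data_endpoint(line: str) -> Optional[DataEndpoint]:
    """Extract the data-channel endpoint embedded in one control line, as the
    inspection engine must before it can open the dynamic pinhole."""
    for mode, rx in (("active", _PORT_RE), ("passive", _PASV_RE)):
        m = rx.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            if max(h1, h2, h3, h4, p1, p2) > 255:
                return None  # malformed octet, not a usable endpoint
            return DataEndpoint(mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    return None

def strict_violation(line: str) -> bool:
    """The 'strict' check from the thread: a PORT/227 pattern appearing inside
    an error reply must not be honoured as a pinhole request."""
    return bool(_ERROR_RE.match(line)) and bool(_EMBEDDED_RE.search(line))

def pinhole_needed(client_side: str, ep: DataEndpoint) -> bool:
    """Rule from the thread: the firewall must pre-open the data port only when
    the data connection is initiated from OUTSIDE, i.e. outbound active
    (server outside calls in) or inbound passive (client outside calls in).
    client_side is the FTP client's side of the firewall: "inside"/"outside"."""
    if client_side not in ("inside", "outside"):
        raise ValueError("client_side must be 'inside' or 'outside'")
    server_side = "outside" if client_side == "inside" else "inside"
    initiator = client_side if ep.mode == "passive" else server_side
    return initiator == "outside"

def dynamic_port_ok(ep: DataEndpoint) -> bool:
    """Only a high (> 1024) port is accepted for the dynamic data pinhole."""
    return ep.port > 1024
```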
