Hi Tyson

Based on your reply the following holds good, am I correct?

*Outbound Active FTP* - This is required as the Data connection is initiated from the server outside. Port 20 is opened and torn out after FTP data connection.
*Inbound Passive FTP* - This is required as the Data connection is initiated from the client outside. Higher order port number ( > 1024) is taken from FTP control messages sent from client and opened. It is torn out after FTP data connection.
*Inbound Active FTP* - Since data connection is initiated from server inside, ftp inspection is not required.
*Outbound Passive FTP* - Since the data connection is initiated from client inside, ftp inspection is not required.

With regards
Kings

On Tue, Jul 6, 2010 at 12:26 PM, Kingsley Charles <[email protected]> wrote:

> To conclude, the following is when FTP inspection is required to be configured
>
> *Outbound Active FTP* - This is required as the Data connection is initiated from the server outside. Port 20 is opened and torn out after FTP data connection.
> *Inbound Passive FTP* - This is required as the Data connection is initiated from the client outside. Higher order port number ( > 1024) is taken from FTP control messages sent from client and opened. It is torn out after FTP data connection.
>
> *Inbound Active FTP* - Since data connection is initiated from server inside, ftp inspection is not required.
> *Outbound Passive FTP* - Since the data connection is initiated from client inside, ftp inspection is not required.
>
> For inbound connections, we always need to open the control port in the ACL. The data port will be dynamically opened by FW.
>
> The FTP application inspection inspects the FTP sessions and performs four tasks:
>
> • Prepares dynamic secondary data connection
> • Tracks the FTP command-response sequence
> • Generates an audit trail
> • Translates the embedded IP address
>
> After you enable the *strict* option on an interface, FTP inspection enforces the following behavior:
>
> • An FTP command must be acknowledged before the security appliance allows a new command.
> • The security appliance drops connections that send embedded commands.
> • The 227 and PORT commands are checked to ensure they do not appear in an error string.
>
> If the *strict* option is enabled, each FTP command and response sequence is tracked for the following anomalous activity
>
> Hi Tyson
>
> I need a clarification.
>
> Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1234738
>
> *Note* If you disable FTP inspection engines with the *no inspect ftp* command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
>
> With Inbound Active FTP, the control channel is initiated from client outside and then data channel is initiated from port 20 of server. Since the connection has been initiated from outside, will ASA consider the data connection from port 20 as a valid TCP connection, inspect it and allow the return traffic from client to port 20?
>
> In some docs it says that "inbound Active FTP" doesn't require FTP inspection as the data connection is initiated from inside and will be taken care of by the normal FW inspection.
>
> But the above snippet tells that only outbound passive FTP will work without FTP inspection. This also seems to be correct as even though the data connection for "inbound Active FTP" is from server inside, the connection was initiated from client outside. Hence the data connection is not valid and will not be inspected.
>
> Both logically seem to be correct.
>
> For Inbound Active FTP, do we need FTP inspection?
>
> With regards
> Kings
>
> On Mon, Jul 5, 2010 at 10:55 PM, Vybhav Ramachandran <[email protected]> wrote:
>
>> Thanks Tyson. That answers my questions :)
>>
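As an added illustration (not part of the thread and not Cisco's code), the following Python model walks through the four cases above: it parses the endpoint that FTP inspection would extract from a PORT command or a 227 reply and reports whether a firewall that allows any inside-initiated connection, but only tcp/21 from outside, must open a dynamic pinhole for the data channel. The side names, addresses and control-channel lines are constructed for the example.

```python
import re

# Constructed model of the four FTP cases (assumption, not Cisco code).
# Assumed policy: connections initiated from "inside" are allowed; from
# "outside" only tcp/21 is statically open, so any other data port must be
# learned from the control channel (the "dynamic secondary data connection").

# Anchored at line start, so a PORT or 227 string inside an error reply
# such as "500 Unknown command: PORT ..." is not treated as a real one.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_endpoint(line):
    """Return the (ip, port) embedded in a PORT command or 227 reply."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m is None:
        return None
    a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (a, b, c, d, p_hi, p_lo)):
        return None
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def pinhole(line, client_side):
    """client_side is "inside" (outbound FTP) or "outside" (inbound FTP).

    Returns the (ip, port) the firewall must open dynamically, or None when
    the data connection is initiated from inside and stateful tracking of
    an outbound connection is enough.
    """
    endpoint = parse_endpoint(line)
    if endpoint is None:
        return None
    server_side = "outside" if client_side == "inside" else "inside"
    # PORT: the server connects to the announced endpoint (active FTP).
    # 227:  the client connects to the announced endpoint (passive FTP).
    initiator = server_side if line.startswith("PORT") else client_side
    return endpoint if initiator == "outside" else None


# Constructed control-channel lines, one per scenario in the thread.
SCENARIOS = {
    "outbound active": ("PORT 10,0,0,5,4,1", "inside"),
    "outbound passive": ("227 Entering Passive Mode (203,0,113,9,195,80).", "inside"),
    "inbound active": ("PORT 203,0,113,50,4,2", "outside"),
    "inbound passive": ("227 Entering Passive Mode (10,0,0,21,200,1).", "outside"),
}

if __name__ == "__main__":
    for name, (line, side) in SCENARIOS.items():
        hole = pinhole(line, side)
        print(f"{name:16s} -> {'open ' + str(hole) if hole else 'no pinhole needed'}")
```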
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
