It seems that some application inspections are not bidirectional. For example, the ASA applies HTTP and FTP filtering for outbound connections and not for inbound. It's an ASA limitation.
Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744

Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

  NetBIOS inspection engine—Applied only for outbound connections.

  SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). If you enable communication for same security interfaces, you can filter traffic in either direction.

With regards
Kings

On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan <[email protected]> wrote:

> Hi All,
>
> Was going through the Cisco ASA config guide and understanding that *some*
> application inspection engines are dependent on the security level. I am
> trying to understand the relation between inspection engines and the
> security-level and also why only some application inspection engine depends
> on the security level.
>
> If you could explain or point to me a proper documentation, would really
> appreciate that.
>
> Regards
> Anantha Subramanian Natarajan
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
