I get your point PJ. If we try that out, it will clarify things for us.

With regards
Kings

On Fri, Sep 24, 2010 at 12:11 PM, Pieter-Jan Nefkens <[email protected]> wrote:

> Hi Kings,
>
> thanks for that snippet of info. Although I would also expect to actually be
> able to filter inbound connections on http as you might have a dmz webserver
> and want to restrict the type and length of requests to be sent to that
> server.
>
> But would the MPF (e.g. inspect in combination with a class-map) not be an
> option?
> It's perhaps not part of the global application inspection, but it might be
> worth a try..
>
> Kind regards
> Pieter-Jan
>
> On 24 sep 2010, at 08:20, Kingsley Charles wrote:
>
> It seems that some application inspections are not bidirectional. For
> example the ASA applies http and ftp filtering for outbound connections and
> not for inbound. It's an ASA limitation.
>
> Snippet from
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744
>
> Inspection engines—Some application inspection engines are dependent on the
> security level. For same security interfaces, inspection engines apply to
> traffic in either direction.
>
> NetBIOS inspection engine—Applied only for outbound connections.
>
> SQL*Net inspection engine—If a control connection for the SQL*Net (formerly
> OraServ) port exists between a pair of hosts, then only an inbound data
> connection is permitted through the security appliance.
>
> Filtering—HTTP(S) and FTP filtering applies only for outbound connections
> (from a higher level to a lower level).
>
> If you enable communication for same security interfaces, you can filter
> traffic in either direction.
>
> With regards
> Kings
>
> On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan
> <[email protected]> wrote:
>
>> Hi All,
>>
>> Was going through the Cisco ASA config guide and understanding that *some*
>> application inspection engines are dependent on the security level. I am
>> trying to understand the relation between inspection engines and the
>> security-level and also why only some application inspection engines depend
>> on the security level.
>>
>> If you could explain or point me to proper documentation, I would really
>> appreciate that.
>>
>> Regards
>> Anantha Subramanian Natarajan
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
>
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
