The last statement makes the clarification.
If you enable communication for same security interfaces, you can filter traffic in either direction. It clearly states that by enabling "same-security-traffic permit inter-interface" the aforementioned restrictions no longer apply.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Friday, September 24, 2010 3:46 AM
To: Pieter-Jan Nefkens
Cc: Cisco certification; [email protected]
Subject: Re: [OSL | CCIE_Security] Application inspection engine and Security-level

I get your point PJ. If we try that out, it will clarify us.

With regards
Kings

On Fri, Sep 24, 2010 at 12:11 PM, Pieter-Jan Nefkens <[email protected]> wrote:

Hi Kings,

thanks for that snippet of info. Although I would also expect to actually be able to filter inbound connections on http, as you might have a DMZ webserver and want to restrict the type and length of requests to be sent to that server. But would the MPF (e.g. inspect in combination with a class-map) not be an option? It's perhaps not part of the global application inspection, but it might be worth a try.

Kind regards
Pieter-Jan

On 24 sep 2010, at 08:20, Kingsley Charles wrote:

It seems that some application inspections are not bidirectional. For example the ASA applies http and ftp filtering for outbound connections and not for inbound. It's an ASA limitation.

Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744

Inspection engines - Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
NetBIOS inspection engine - Applied only for outbound connections.
SQL*Net inspection engine - If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
Filtering - HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). If you enable communication for same security interfaces, you can filter traffic in either direction.

With regards
Kings

On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan <[email protected]> wrote:

Hi All,

Was going through the Cisco ASA config guide and understanding that some application inspection engines are dependent on the security level. I am trying to understand the relation between inspection engines and the security-level and also why only some application inspection engines depend on the security level. If you could explain or point me to proper documentation, would really appreciate that.

Regards
Anantha Subramanian Natarajan

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
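As an added configuration example, not taken from any message in this thread and not Cisco's own documentation text, the following ASA fragment shows the two ideas the thread discusses side by side: the "same-security-traffic permit inter-interface" command Tyson refers to, and the MPF approach Pieter-Jan suggests (a class-map selecting HTTP traffic to a DMZ webserver, with an HTTP inspection policy-map that restricts request method and request length). The interface names (outside, dmz), the server address 192.0.2.10 (an RFC 5737 documentation address), the access-list, class-map and policy-map names, and the length thresholds are all assumed placeholders; lines starting with "!" are explanatory comments.

```cisco
! Added example, not from the thread. Interface names, addresses, object
! names and thresholds below are assumed placeholders.

! Allow traffic between interfaces that share a security level. With this
! enabled, the direction-dependent restrictions quoted from the config guide
! (filtering only from higher to lower security level) no longer apply.
same-security-traffic permit inter-interface

! Select HTTP traffic destined to the DMZ webserver (placeholder address).
access-list DMZ-WEB-HTTP extended permit tcp any host 192.0.2.10 eq www

! Layer 3/4 class-map that matches only that traffic.
class-map DMZ-WEB-CLASS
 match access-list DMZ-WEB-HTTP

! HTTP inspection policy-map: restrict the type and size of requests that
! may reach the DMZ server.
policy-map type inspect http DMZ-HTTP-INSPECT
 parameters
  protocol-violation action drop-connection log
 match request method put
  drop-connection log
 match request method delete
  drop-connection log
 match request uri length gt 1024
  reset log
 match request body length gt 10240
  reset log

! Layer 3/4 policy-map that applies the HTTP inspection to the class.
policy-map DMZ-POLICY
 class DMZ-WEB-CLASS
  inspect http DMZ-HTTP-INSPECT

! Attach the policy on the interface where the inbound connections arrive.
service-policy DMZ-POLICY interface outside
```

Because the class-map keys on the destination address and port rather than on interface security levels, the inspection applies to inbound connections to the DMZ server as well as to outbound ones, which is the point of Pieter-Jan's suggestion. After applying it, "show service-policy interface outside" lists the class and inspection counters, so you can confirm that the policy is attached and that matching connections are being inspected.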
