Just another bit of clarification on this topic so that others aren't confused. The document that you linked is referring to the anti-X filtering of HTTP and FTP, i.e. when using the "FILTER" command for FTP and HTTP.

Security levels have no bearing on the actual INSPECTS for ftp and http (inspect http & inspect ftp), which will inspect traffic bidirectionally when applied directly to an interface, or 'ingress only' when applied globally via a service-policy, just like most other protocol inspects.

Regards,
Buck Wallander

On Fri, Sep 24, 2010 at 9:25 AM, Anantha Subramanian Natarajan <[email protected]> wrote:

> Thanks Kings
>
> Regards
> Anantha Subramanian Natarajan
>
> On Fri, Sep 24, 2010 at 1:20 AM, Kingsley Charles <[email protected]> wrote:
>
>> It seems that some application inspections are not bidirectional. For
>> example, the ASA applies http and ftp filtering for outbound connections and
>> not for inbound. It's an ASA limitation.
>>
>> Snippet from
>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744
>>
>> Inspection engines—Some application inspection engines are dependent on
>> the security level. For same security interfaces, inspection engines apply
>> to traffic in either direction.
>>
>> NetBIOS inspection engine—Applied only for outbound connections.
>>
>> SQL*Net inspection engine—If a control connection for the SQL*Net
>> (formerly OraServ) port exists between a pair of hosts, then only an inbound
>> data connection is permitted through the security appliance.
>>
>> Filtering—HTTP(S) and FTP filtering applies only for outbound connections
>> (from a higher level to a lower level).
>>
>> If you enable communication for same security interfaces, you can filter
>> traffic in either direction.
>>
>> With regards
>> Kings
>>
>> On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> Was going through the Cisco ASA config guide and understanding that *some*
>>> application inspection engines are dependent on the security level. I am
>>> trying to understand the relation between inspection engines and the
>>> security-level and also why only some application inspection engines depend
>>> on the security level.
>>>
>>> If you could explain or point me to proper documentation, I would really
>>> appreciate that.
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
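
The distinction drawn in this thread between protocol inspection and HTTP/FTP filtering, as an added ASA 8.0-style configuration sketch that is not part of the original messages. The interface names, the OUTSIDE_FTP and OUTSIDE_POLICY names, and the URL-server address are placeholders chosen for illustration.

```cisco
! Constructed example; names and addresses below are placeholders.

! 1) Protocol inspection applied globally.
!    Matched on ingress of every interface; security levels play no part.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
service-policy global_policy global

! 2) Protocol inspection applied to a single interface.
!    Traffic entering and leaving "outside" is inspected (bidirectional).
class-map OUTSIDE_FTP
 match port tcp eq 21
policy-map OUTSIDE_POLICY
 class OUTSIDE_FTP
  inspect ftp
service-policy OUTSIDE_POLICY interface outside

! 3) HTTP/FTP filtering (the "filter" command), which is what the quoted
!    guide text refers to. It relies on an external URL-filtering server and
!    applies to outbound connections (higher to lower security level) only.
url-server (inside) vendor websense host 192.0.2.10
filter url http 0 0 0 0
filter ftp 21 0 0 0 0
```

When an interface policy and the global policy both match a flow for the same feature, the interface policy takes precedence, so `show service-policy` on the interface is the place to confirm which inspect is actually counting packets.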
