Outbound means from higher security to lower security; inbound means from lower to higher security.

Irrespective of whether the policy map is applied to inside, outside or global, the "outbound" and "inbound" logic will not change. Now if you read the following snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744, you can see that some inspections are dependent on the security levels.

Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

If you enable communication for same security interfaces, you can filter traffic in either direction.

With regards
Kings

On Thu, Sep 30, 2010 at 9:23 AM, Buck Wallander <[email protected]> wrote:

> Just another bit of clarification on this topic so that others aren't confused. The document that you linked is referring to the anti-X filtering of HTTP and FTP, i.e. when using the "FILTER" command for FTP and HTTP.
>
> Security levels have no bearing on the actual INSPECTS for ftp and http (inspect http & inspect ftp), which will inspect traffic bidirectionally when applied directly to an interface, or 'ingress only' when applied globally via a service-policy, just like most other protocol inspects.
>
> Regards,
> Buck Wallander
>
> On Fri, Sep 24, 2010 at 9:25 AM, Anantha Subramanian Natarajan <[email protected]> wrote:
>
>> Thanks Kings
>>
>> Regards
>> Anantha Subramanian Natarajan
>>
>> On Fri, Sep 24, 2010 at 1:20 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> It seems that some application inspections are not bidirectional. For example, the ASA applies http and ftp filtering for outbound connections and not for inbound. It's an ASA limitation.
>>>
>>> Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744
>>>
>>> Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
>>>
>>> NetBIOS inspection engine—Applied only for outbound connections.
>>>
>>> SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
>>>
>>> Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
>>>
>>> If you enable communication for same security interfaces, you can filter traffic in either direction.
>>>
>>> With regards
>>> Kings
>>>
>>> On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I was going through the Cisco ASA config guide and understand that *some* application inspection engines are dependent on the security level. I am trying to understand the relation between inspection engines and the security-level, and also why only some application inspection engines depend on the security level.
>>>>
>>>> If you could explain or point me to proper documentation, I would really appreciate that.
>>>>
>>>> Regards
>>>> Anantha Subramanian Natarajan
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
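As an added illustration of the distinction drawn in this thread (example configuration written for this page, not taken from the thread or from Cisco's guide; interface names, security levels and the IP addresses are constructed), the fragment below places `inspect` statements in a service policy, which are not tied to security level, next to `filter` statements, which the guide snippet says apply only to outbound connections.

```text
! Constructed two-interface ASA example: inside (100) -> outside (0) is "outbound",
! outside -> inside is "inbound". Addresses are RFC 5737 documentation ranges.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Application inspection engines: independent of security level.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
  ! NetBIOS is the exception named in the guide: applied only to outbound connections.
  inspect netbios
!
! Applied globally: each inspect runs on the ingress traffic of every interface.
service-policy global_policy global
!
! Alternative (shown commented out): the same inspects applied directly to one
! interface run bidirectionally on that interface.
! policy-map inside_policy
!  class inspection_default
!   inspect ftp
!   inspect http
! service-policy inside_policy interface inside
!
! Anti-X filtering (the "filter" command) needs a URL server and, per the guide,
! applies only to outbound connections, here inside (100) -> outside (0).
! Connections initiated from outside toward inside are never filtered.
url-server (inside) vendor websense host 192.0.2.50 timeout 30 protocol TCP version 4
filter url http 0 0 0 0
filter ftp 21 0 0 0 0
```

With same-security interfaces and same-security-traffic permitted, the guide snippet states that both inspection and filtering apply in either direction, so the outbound-only limit above only matters between interfaces with different security levels.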
