Buck

I think you have not got my point. I am not talking about HTTP or FTP L7
inspection. I am talking about HTTP and FTP URL filtering using the "filter"
command. Again, I have not tried it; rather, I am trying to explain what's there in
the link. Maybe you can try it.

When we talk about inbound and outbound there is a difference when it comes
to the ASA.

Let's apply some maths here :-)

Usually any traffic going from an interface is outbound and coming inside an
interface is inbound.

Let's see another definition.


With respect to firewall, any traffic from local LAN to Internet is outbound
and from Internet to LAN is inbound.

The Internet is untrusted and the LAN is trusted, hence replacing them:
With respect to the firewall, any traffic from a trusted network to an untrusted one is
outbound and from untrusted to trusted is inbound.

With respect to the ASA, higher levels are more trusted and lower levels are
less trusted.
With respect to the firewall, any traffic from a higher level to a lower level is
outbound and from a lower level to a higher level is inbound.

That is what they are referring to below:

I have highlighted them. Please have a look; these points are from
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744.
Mostly they should be correct; if they are wrong then you should check with
Cisco :-)

Inspection engines—Some application inspection engines are dependent on the
security level. For same security interfaces, inspection engines apply to
traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

SQL*Net inspection engine—If a control connection for the SQL*Net (formerly
OraServ) port exists between a pair of hosts, then only an inbound data
connection is permitted through the security appliance.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections
(from a higher level to a lower level).

If you enable communication for same security interfaces, you can filter
traffic in either direction.

As I said, I was referring to the HTTP and FTP URL filter:

Filtering—HTTP(S) and FTP filtering applies only for outbound connections
(from a higher level to a lower level).

If you look at the command syntax, the first network is the local one and then the
remote one.

asa2(config)# filter http 80 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of local/internal host which is source for
                       connections requiring filtering
asa2(config)# filter http 80 0 0 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of foreign/external host which is
                       destination for connections requiring filtering

Hope I am clear now.

With regards
Kings

On Thu, Sep 30, 2010 at 11:39 AM, Buck Wallander <[email protected]> wrote:

> Kingsley,
>
> That's wrong. Based on your logic one could not filter components of HTTP
> requests (uri, host, body content, etc.) from the outside/internet towards
> the inside/server segment. This is false, in fact it's something that I
> implement on ASA firewalls quite often. You seem to be confused about the
> idea of inbound/outbound packet flow through an interface policy-map versus
> connections moving either lower-to-higher or higher-to-lower.
> While it may be true that SOME app inspects are dependent upon security
> levels, HTTP and FTP, at least in respect to policy-maps via MPF, are not.
>
> Regards,
> Buck Wallander
>
>
> On Thu, Sep 30, 2010 at 12:40 AM, Kingsley Charles <
> [email protected]> wrote:
>
>> Outbound means from Higher security to lower security
>> Inbound means from Lower to higher security
>>
>>
>> Irrespective of whether the policy map is applied to inside, outside or
>> global the "Outbound" and "Inbound" logic will not change.
>>
>> Now if you read the following snippet from
>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744,
>> you can see that some inspections are dependent on the security levels.
>>
>>
>>
>> Inspection engines—Some application inspection engines are dependent on
>> the security level. For same security interfaces, inspection engines apply
>> to traffic in either direction.
>>
>> NetBIOS inspection engine—Applied only for outbound connections.
>>
>> SQL*Net inspection engine—If a control connection for the SQL*Net
>> (formerly OraServ) port exists between a pair of hosts, then only an inbound
>> data connection is permitted through the security appliance.
>>
>> Filtering—HTTP(S) and FTP filtering applies only for outbound connections
>> (from a higher level to a lower level).
>>
>> If you enable communication for same security interfaces, you can filter
>> traffic in either direction.
>>
>>
>> With regards
>> Kings
>>
>> On Thu, Sep 30, 2010 at 9:23 AM, Buck Wallander <[email protected]> wrote:
>>
>>> Just another bit of clarification on this topic so that others aren't
>>> confused. The document that you linked is referring to the anti-X filtering
>>> of HTTP and FTP, i.e. when using the "FILTER" command for FTP and HTTP.
>>>
>>> Security levels have no bearing on the actual INSPECTS for ftp and http
>>> (inspect http & inspect ftp), which will inspect traffic bidirectionally
>>> when applied directly to an interface, or 'ingress only' when applied
>>> globally via a service-policy, just like most other protocol inspects.
>>>
>>> Regards,
>>> Buck Wallander
>>>
>>>
>>> On Fri, Sep 24, 2010 at 9:25 AM, Anantha Subramanian Natarajan <
>>> [email protected]> wrote:
>>>
>>>> Thanks Kings
>>>>
>>>> Regards
>>>> Anantha Subramanian Natarajan
>>>>
>>>>
>>>> On Fri, Sep 24, 2010 at 1:20 AM, Kingsley Charles <
>>>> [email protected]> wrote:
>>>>
>>>>> It seems that some application inspections are not bidirectional.
>>>>> For example, the ASA applies http and ftp filtering for outbound
>>>>> connections and not for inbound. It's an ASA limitation.
>>>>>
>>>>>
>>>>> Snippet from
>>>>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744
>>>>>
>>>>> Inspection engines—Some application inspection engines are dependent on
>>>>> the security level. For same security interfaces, inspection engines apply
>>>>> to traffic in either direction.
>>>>>
>>>>> NetBIOS inspection engine—Applied only for outbound connections.
>>>>>
>>>>> SQL*Net inspection engine—If a control connection for the SQL*Net
>>>>> (formerly OraServ) port exists between a pair of hosts, then only an
>>>>> inbound data connection is permitted through the security appliance.
>>>>>
>>>>> Filtering—HTTP(S) and FTP filtering applies only for outbound
>>>>> connections (from a higher level to a lower level).
>>>>>
>>>>> If you enable communication for same security interfaces, you can
>>>>> filter traffic in either direction.
>>>>>
>>>>>
>>>>>
>>>>> With regards
>>>>>
>>>>> Kings
>>>>>
>>>>>
>>>>> On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>>   I was going through the Cisco ASA config guide and understand that
>>>>>> *some* application inspection engines are dependent on the security
>>>>>> level. I am trying to understand the relation between inspection engines
>>>>>> and the security level, and also why only some application inspection
>>>>>> engines depend on the security level.
>>>>>>
>>>>>> If you could explain or point me to proper documentation, I would
>>>>>> really appreciate that.
>>>>>>
>>>>>> Regards
>>>>>> Anantha Subramanian Natarajan
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
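Added example, not from any of the posters and not Cisco code: a small Python model of the two rules this thread turns on, namely that the ASA classifies a connection as outbound or inbound by comparing the security levels of its ingress and egress interfaces, and that "filter http" matches only outbound connections (plus same-level traffic when same-security communication is enabled), with the first address pair in the command being the local/internal source and the second the foreign/external destination. The interface names, security levels, addresses and the exact "0 0 0 0" shorthand handling are constructed assumptions for illustration; the real appliance's matching details are not modelled.

```python
"""Model of when a Cisco ASA "filter http" rule applies to a connection.

Constructed illustration, not Cisco's implementation. It encodes the rules
quoted in the thread: direction comes from the security levels of the
ingress and egress interfaces (higher -> lower is outbound), and HTTP URL
filtering applies only to outbound connections unless same-security
traffic is permitted, in which case same-level flows are filtered too.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int  # ASA security levels range from 0 to 100


# Constructed sample interfaces (assumed values, not from the thread).
INSIDE = Interface("inside", 100)
DMZ_A = Interface("dmz-a", 50)
DMZ_B = Interface("dmz-b", 50)
OUTSIDE = Interface("outside", 0)


def direction(ingress: Interface, egress: Interface) -> str:
    """Classify a connection the way the thread describes: higher level to
    lower level is outbound, lower to higher is inbound, equal is same-level."""
    if ingress.security_level > egress.security_level:
        return "outbound"
    if ingress.security_level < egress.security_level:
        return "inbound"
    return "same-level"


@dataclass(frozen=True)
class HttpFilterRule:
    port: int
    local: ipaddress.IPv4Network    # local/internal hosts (connection source)
    foreign: ipaddress.IPv4Network  # foreign/external hosts (destination)


def parse_filter_http(line: str) -> HttpFilterRule:
    """Parse "filter http <port> <local> <lmask> <foreign> <fmask>".

    The address/mask pair "0 0" is treated as any host (assumed shorthand
    handling for this model); other pairs are interpreted as address plus
    dotted netmask or prefix length.
    """
    tok = line.split()
    if len(tok) != 7 or tok[:2] != ["filter", "http"]:
        raise ValueError(f"unsupported filter syntax: {line!r}")

    def network(addr: str, mask: str) -> ipaddress.IPv4Network:
        if addr == "0" and mask == "0":
            return ipaddress.IPv4Network("0.0.0.0/0")
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

    return HttpFilterRule(int(tok[2]), network(tok[3], tok[4]), network(tok[5], tok[6]))


def filter_applies(rule: HttpFilterRule, src_ip: str, dst_ip: str, dst_port: int,
                   ingress: Interface, egress: Interface,
                   same_security_permitted: bool = False) -> bool:
    """Return True if the URL filter would be evaluated for this connection."""
    d = direction(ingress, egress)
    if d == "inbound":
        return False  # filtering applies only to outbound connections
    if d == "same-level" and not same_security_permitted:
        return False  # same-level traffic is filterable only when enabled
    return (dst_port == rule.port
            and ipaddress.IPv4Address(src_ip) in rule.local
            and ipaddress.IPv4Address(dst_ip) in rule.foreign)


if __name__ == "__main__":
    rule = parse_filter_http("filter http 80 10.1.1.0 255.255.255.0 0 0")
    # Constructed flows: an inside client browsing out, and the reverse.
    print(filter_applies(rule, "10.1.1.5", "203.0.113.10", 80, INSIDE, OUTSIDE))
    print(filter_applies(rule, "203.0.113.10", "10.1.1.5", 80, OUTSIDE, INSIDE))
```

The point the model makes explicit is that the same address pair matches in one direction and not the other: a web server on the inside reached from the outside is an inbound connection, so no "filter http" statement covers it regardless of how the addresses are written.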