Hi all,
To make this clearer, I want to know if there is a difference between matching
access-list info permit tcp any any eq 21021
and matching port tcp eq 21021 in a class-map.
________________________________
From: Johan Bornman <[email protected]>
To: Vybhav Ramachandran <[email protected]>
Cc: OSL Security <[email protected]>
Sent: Mon, December 27, 2010 4:46:13 PM
Subject: Re: [OSL | CCIE_Security] Lab 11 Task 1.7
Thanks, Tacack.
I understand now.
From: Vybhav Ramachandran [mailto:[email protected]]
Sent: 27 December 2010 05:42 PM
To: Johan Bornman
Cc: Kingsley Charles; OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 11 Task 1.7
Hello Johan,
The keyword "ftp" is just instructing the ASA to "treat" the packets as FTP
packets. Yes, by default FTP control packets are expected on TCP port 21. But,
in this case, you are telling the ASA to expect FTP packets on port 21021 and
to perform FTP inspection on those FTP packets.
If you actually go ahead and send FTP traffic on port 21021, you will notice
that the ASA inspects that FTP traffic. As Kings said, instead of "inspect ftp",
if you had specified "inspect http", it would not work. That's because the ASA
would now be expecting HTTP traffic to arrive on port 21021, whereas you are
actually sending FTP traffic.
Remember, by default the ASA will look for FTP traffic on port 21. But in this
case, you are instructing the ASA to treat the packets arriving on port 21021 as
FTP traffic too.
Please let me know if I'm addressing your doubt.
Cheers,
TacACKH
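The two ways of classifying port 21021 traffic that this thread discusses (an access-list matched in a class-map, and a direct "match port"), shown side by side as an added ASA configuration example that is not from any of the posts; the names FTP_ALT, FTP_ALT_ACL and FTP_ALT_PORT are assumed. The access-list form can additionally narrow the match by source and destination addresses, whereas "match port" classifies on the port alone.

```cisco
! Option 1: classify via an access-list (can be restricted by address later)
access-list FTP_ALT extended permit tcp any any eq 21021
class-map FTP_ALT_ACL
 match access-list FTP_ALT
!
! Option 2: classify directly on the port, no access-list needed
class-map FTP_ALT_PORT
 match port tcp eq 21021
!
! Apply FTP inspection to the non-standard port using either class.
! Only one of the two classes is needed; both are shown for comparison.
policy-map global_policy
 class FTP_ALT_ACL
  inspect ftp
!
service-policy global_policy global
!
! Verify that sessions on 21021 are being inspected as FTP:
! show service-policy inspect ftp
! show conn protocol tcp port 21021
```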
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com