Cisco ASA Series CLI Configuration Manual, page 1116

Software version 9.0 for the services module
Chapter 1 Configuring Inspection of Basic Internet Protocols
FTP Inspection

For connections using a DNS server, the source port of the connection may be replaced by the IP address of the DNS server in the show conn command output.

A single connection is created for multiple DNS sessions, as long as they are between the same two hosts and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because each app_id expires independently, a legitimate DNS response can pass through the security appliance only within a limited period of time, and there is no resource build-up. However, when you enter the show conn command, you see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.

To display the statistics for DNS application inspection, enter the show service-policy command. The following is sample output from the show service-policy command:

hostname# show service-policy
Interface outside:
  Service-policy: sample_policy
    Class-map: dns_port
      Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0

FTP Inspection

This section describes the FTP inspection engine. This section includes the following topics:
• FTP Inspection Overview, page 1-10
• Using the strict Option, page 1-11
• Configuring an FTP Inspection Policy Map for Additional Inspection Control, page 1-12
• Verifying and Monitoring FTP Inspection, page 1-15

FTP Inspection Overview

The FTP application inspection inspects the FTP sessions and performs four tasks:
• Prepares dynamic secondary data connection
• Tracks the FTP command-response sequence
• Generates an audit trail
• Translates the embedded IP address

FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event.

Note  If you disable FTP inspection engines with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

Cisco ASA Series CLI Configuration Guide
1-10
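The shared DNS connection described above (one conn per 5-tuple, one independent idle timer per app_id) is easiest to understand as a small state machine. The following Python model is an added illustration for this page, not Cisco code: the timeout values, the addresses and the DNS IDs are constructed, and the appliance's real timers and matching rules are not reproduced. It shows the two consequences the text calls out: a response is admitted only while its own app_id is live, and a new query on the same 5-tuple refreshes the conn's idle timer without reviving older app_ids.

```python
"""Toy model of a shared DNS conn with per-app_id idle timers.
Added illustration for this page; not Cisco code. Timeouts are assumed values."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# (client_ip, client_port, server_ip, server_port, proto)
FiveTuple = Tuple[str, int, str, int, str]

APP_ID_IDLE = 30.0   # assumed: seconds an unanswered DNS ID (app_id) stays live
CONN_IDLE = 120.0    # assumed: seconds the shared conn may sit idle before removal


@dataclass
class DnsConn:
    last_activity: float                                      # refreshed by every query or admitted response
    pending: Dict[int, float] = field(default_factory=dict)   # app_id -> time the query was seen


class DnsInspector:
    def __init__(self) -> None:
        self.conns: Dict[FiveTuple, DnsConn] = {}

    def _expire(self, now: float) -> None:
        """Age out app_ids and conns; each app_id timer runs on its own."""
        for tup in list(self.conns):
            conn = self.conns[tup]
            for app_id, seen in list(conn.pending.items()):
                if now - seen > APP_ID_IDLE:
                    del conn.pending[app_id]
            if now - conn.last_activity > CONN_IDLE:
                del self.conns[tup]

    def query(self, tup: FiveTuple, app_id: int, now: float) -> None:
        """Client query: reuses the conn for this 5-tuple (creating it once) and resets its idle timer."""
        self._expire(now)
        conn = self.conns.setdefault(tup, DnsConn(last_activity=now))
        conn.last_activity = now
        conn.pending[app_id] = now

    def response(self, tup: FiveTuple, app_id: int, now: float) -> bool:
        """Server response for flow `tup`: admitted only while its app_id is still live."""
        self._expire(now)
        conn = self.conns.get(tup)
        if conn is None or app_id not in conn.pending:
            return False          # unknown or expired DNS ID: dropped, so nothing builds up
        del conn.pending[app_id]
        conn.last_activity = now
        return True

    def pending_count(self, tup: FiveTuple) -> int:
        conn = self.conns.get(tup)
        return len(conn.pending) if conn else 0


def run_scenario() -> dict:
    """Walk through the behaviour the text describes, with constructed addresses and IDs."""
    insp = DnsInspector()
    tup: FiveTuple = ("10.1.1.5", 40000, "198.51.100.53", 53, "udp")   # constructed sample flow
    insp.query(tup, 0x1234, now=0.0)
    in_time = insp.response(tup, 0x1234, now=5.0)     # answered within APP_ID_IDLE
    insp.query(tup, 0x2222, now=10.0)
    insp.query(tup, 0x5678, now=100.0)                # same 5-tuple: shared conn, its idle timer resets
    late = insp.response(tup, 0x2222, now=100.0)      # 90 s old app_id has expired although the conn is live
    fresh = insp.response(tup, 0x5678, now=105.0)
    return {
        "conn_count": len(insp.conns),   # one conn for all three DNS sessions
        "in_time": in_time,
        "late": late,
        "fresh": fresh,
        "pending_left": insp.pending_count(tup),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of `late` is the one the text makes: `show conn` would show the conn's idle timer freshly reset by the query with ID 0x5678, yet the answer to 0x2222 is still refused, because admission is decided per app_id, not per conn.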
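The `show service-policy` output above is what an operator polls to see whether an inspection engine is dropping traffic. The parser below is an added example for this page, not a Cisco tool: it follows the line layout shown in the sample output, turns each `Inspect:` line into a record with its counters, and compares two snapshots so that growth in `drop` or `reset-drop` between polls can be alerted on. The second class-map in the embedded sample (`ftp_port`) is constructed to give a non-zero drop count; the first reproduces the page's output.

```python
"""Parse `show service-policy` inspection counters and flag dropping inspections.
Added example for this page; the sample's second class-map is constructed."""
from typing import Dict, List

SAMPLE_OUTPUT = """\
hostname# show service-policy
Interface outside:
  Service-policy: sample_policy
    Class-map: dns_port
      Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
    Class-map: ftp_port
      Inspect: ftp strict, packet 1402, drop 7, reset-drop 2
"""


def _parse_counters(parts: List[str]) -> Dict[str, int]:
    """'drop 7' -> {'drop': 7}; the counter name is everything before the first integer."""
    counters: Dict[str, int] = {}
    for part in parts:
        tokens = part.split()
        for i, tok in enumerate(tokens):
            if tok.isdigit():
                counters[" ".join(tokens[:i])] = int(tok)
                break
    return counters


def parse_service_policy(text: str) -> List[dict]:
    """One record per Inspect: line, carrying the interface/policy/class-map it sits under."""
    records: List[dict] = []
    interface = policy = class_map = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface ") and line.endswith(":"):
            interface = line[len("Interface "):-1]
        elif line.startswith("Service-policy:"):
            policy = line.split(":", 1)[1].strip()
        elif line.startswith("Class-map:"):
            class_map = line.split(":", 1)[1].strip()
        elif line.startswith("Inspect:"):
            head, *rest = [p.strip() for p in line[len("Inspect:"):].split(",")]
            proto, _, opts = head.partition(" ")     # "dns maximum-length 1500" -> dns / maximum-length 1500
            records.append({
                "interface": interface, "policy": policy, "class_map": class_map,
                "protocol": proto, "options": opts.strip(),
                "counters": _parse_counters(rest),
            })
    return records


def dropping_inspections(records: List[dict], threshold: int = 0) -> List[dict]:
    """Snapshot check: inspections whose drop or reset-drop counter exceeds threshold."""
    return [r for r in records
            if r["counters"].get("drop", 0) > threshold
            or r["counters"].get("reset-drop", 0) > threshold]


def drop_deltas(previous: List[dict], current: List[dict]) -> Dict[tuple, Dict[str, int]]:
    """Growth of drop counters between two polls, keyed by (interface, policy, class-map, protocol)."""
    def key(r: dict) -> tuple:
        return (r["interface"], r["policy"], r["class_map"], r["protocol"])
    prev = {key(r): r["counters"] for r in previous}
    deltas: Dict[tuple, Dict[str, int]] = {}
    for r in current:
        old = prev.get(key(r), {})
        deltas[key(r)] = {c: r["counters"].get(c, 0) - old.get(c, 0) for c in ("drop", "reset-drop")}
    return deltas


if __name__ == "__main__":
    recs = parse_service_policy(SAMPLE_OUTPUT)
    for r in dropping_inspections(recs):
        print(r["interface"], r["class_map"], r["protocol"], r["counters"])
```

A single snapshot only tells you that drops have happened since the counters were last cleared; `drop_deltas` over two successive polls is what separates an old, investigated event from one that is ongoing.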
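Two of the four FTP inspection tasks listed above, preparing the dynamic secondary data connection and translating the embedded IP address, both start from the same parsing step: reading the `h1,h2,h3,h4,p1,p2` address that a PORT command or a 227 PASV reply carries on the control channel. The code below is an added example of that step for this page, not Cisco's inspection engine: it decodes the embedded address, derives the data channel the engine must pre-open for each negotiation mode, and rewrites the embedded address for a NAT-translated endpoint. The rule that the embedded address must belong to the peer that sent it is a sanity check added here and is not documented on this page; all addresses are constructed.

```python
"""Decode, validate and rewrite FTP PORT / PASV addresses.
Added example for this page, not Cisco's implementation; addresses are constructed."""
import re
from typing import Optional, Tuple

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*\(" + _SIX + r"\)")


def _decode(groups) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> (dotted IP, p1*256+p2), rejecting out-of-range bytes."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in FTP address")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 in FTP address")
    return ".".join(map(str, nums[:4])), port


def _encode(ip: str, port: int) -> str:
    hi, lo = divmod(port, 256)
    return ",".join(ip.split(".") + [str(hi), str(lo)])


def parse_port_command(line: str) -> Tuple[str, int]:
    m = _PORT_CMD.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    m = _PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m.groups())


def translate_port_command(line: str, new_ip: str, new_port: int) -> str:
    """Rewrite the client address embedded in PORT to its translated (NAT) address."""
    parse_port_command(line)          # validate before rewriting
    return "PORT " + _encode(new_ip, new_port)


def translate_pasv_reply(line: str, new_ip: str, new_port: int) -> str:
    """Rewrite the server address embedded in a 227 reply."""
    parse_pasv_reply(line)
    return re.sub(r"\(" + _SIX + r"\)", "(" + _encode(new_ip, new_port) + ")", line.strip(), count=1)


def data_channel(ctrl_client_ip: str, ctrl_server_ip: str, text: str) -> Optional[dict]:
    """The secondary connection the engine must pre-open for this control message.
    Returns None for other control traffic, or when the embedded address does not
    belong to the peer that sent it (a sanity check added here)."""
    if text.upper().startswith("PORT "):
        ip, port = parse_port_command(text)
        if ip != ctrl_client_ip:
            return None
        # active mode: server connects from port 20 to the client's announced port
        return {"mode": "active", "initiator": (ctrl_server_ip, 20), "target": (ip, port)}
    if text.startswith("227"):
        ip, port = parse_pasv_reply(text)
        if ip != ctrl_server_ip:
            return None
        # passive mode: client connects from an ephemeral port (None) to the server's announced port
        return {"mode": "passive", "initiator": (ctrl_client_ip, None), "target": (ip, port)}
    return None


if __name__ == "__main__":
    print(data_channel("10.1.1.5", "198.51.100.20", "PORT 10,1,1,5,195,149"))
    print(translate_port_command("PORT 10,1,1,5,195,149", "203.0.113.10", 61000))
```

The rewrite functions return the command without its CRLF terminator; a caller splicing the result back into the control stream must re-append it. The whole reason the inspection engine has to see inside the control channel at all is visible in `translate_port_command`: without it, a client behind NAT would announce its private address in PORT and the server's data connection would have nowhere to go, which is why disabling inspection leaves outbound users with passive mode only.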