Problems with Advanced Protocols and ASA

Several advanced protocols, including FTP, cause problems when they traverse the PIX firewall. The problems arise when a client or server on the outside wants to send traffic to the inside, higher-security interfaces; from the perspective of the standard ASA, this traffic is often unsolicited. Normally, traffic flows in response to a client's request and returns on the same source port on which the client request was sent. The ASA sees this normal request and opens a connection slot for the return traffic. Some advanced protocols respond or send data to the client on port numbers other than the ports in the source header, and this causes a problem for the normal ASA engine.

For example, if Jack is trying to download information from an FTP site using standard mode, he notifies the FTP server that his port (for example, 3002) is available to receive the data. The requested port 3002 is not in the normal source port header location but in the data portion of the packet. Because the ASA normally monitors the source port header and not the data portion, no connection slot is created. When the FTP server starts to send data to Jack's port (3002), the PIX drops the packets because the ASA never created a connection slot for the returning traffic.
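The failure described above, as an added example that is not from the book and is not Cisco's code: a toy model of header-based connection slots, with an optional payload check that reads the FTP `PORT` command. The class, the `inspect_ftp` flag, the addresses and the client control port 3001 are assumptions made for illustration; only data port 3002 comes from the text.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four address bytes, two port bytes).
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")

def parse_port_command(line):
    """Return (ip, port) announced in an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class ToyStatefulFilter:
    """Hypothetical model: a slot is a permitted (outside_ip, inside_ip, inside_port) path."""
    def __init__(self, inspect_ftp):
        self.inspect_ftp = inspect_ftp
        self.slots = set()

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload=""):
        # Header-based slot: replies from the server to the client's source port.
        self.slots.add((dst_ip, src_ip, src_port))
        if self.inspect_ftp and dst_port == 21:
            announced = parse_port_command(payload)
            # Honour only a PORT that names the client's own address.
            if announced and announced[0] == src_ip:
                self.slots.add((dst_ip, src_ip, announced[1]))

    def inbound_allowed(self, src_ip, dst_ip, dst_port):
        return (src_ip, dst_ip, dst_port) in self.slots

def demo(inspect_ftp):
    """Return (control reply allowed, data connection to port 3002 allowed)."""
    fw = ToyStatefulFilter(inspect_ftp)
    client, server = "10.0.0.5", "192.0.2.10"  # constructed addresses
    # Constructed control-channel payload: 11*256 + 186 = 3002.
    fw.outbound(client, 3001, server, 21, "PORT 10,0,0,5,11,186\r\n")
    return (fw.inbound_allowed(server, client, 3001),
            fw.inbound_allowed(server, client, 3002))

if __name__ == "__main__":
    print("header only:    ", demo(False))
    print("payload checked:", demo(True))
```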


  
