From: john matijevic (john.matijevic@gmail.com)
Date: Tue Aug 15 2006 - 09:05:04 ART
sHekHar,
For IOS with CBAC for UDP session timing, it does UDP inspection that works
only for protocols that use a single client host/port pair and a single
server host/port pair. It creates a channel in response to the first packet
the client sends to the server and leaves it open until the inactivity timer
expires.
As far as the PIX, the ASA creates a connection slot based on the source and
destination IP address and port numbers and allows the connection to go
through until the idle timer expires.
Hopefully that helps clarify,
Sincerely,
John
On 8/15/06, V Shekhar <vshekhar25@yahoo.com> wrote:
>
> Not sure if I understood the question correctly, but I thought the
> advantage of using PIX over IOS ACLs.
>
> AFAIK, IOS ACLs do not maintain state information, they do a lookup for
> each and every packet they receive. (Unless using CBAC).
> But with PIX they maintain state even for UDP traffic by approximating
> them.
> This results in a better performance.
> -sHekHar.
>
>
>
>
> ----- Original Message ----
> From: 2nd CCIE <doubleccie@yahoo.com>
> To: ccielab@groupstudy.com; security@groupstudy.com
> Sent: Tuesday, August 15, 2006 1:20:50 PM
> Subject: UDP and PIX
>
> I just wonder if anyone can clarify this question for me:
> what is the advantage of using PIX instead of ACL for the UDP traffic?
>
> Appreciate the help
>
>
-- John Matijevic U.S. Installation Group Senior Network Engineer 954-969-7160 ext. 1147 (office) 305-321-6232 (cell)
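
The UDP handling discussed in this thread, as an added example that is not part of the original messages: a minimal model of a connection-slot table keyed on both address/port pairs with an idle timer, run beside a stateless per-packet rule. The class and function names, the 120-second timer, the addresses and the port-53 rule are all assumptions made for illustration, not PIX or IOS defaults.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arrives on the outside interface

class UdpStateTable:
    """Pseudo-connection slots keyed on both address/port pairs, with an idle timer."""
    def __init__(self, idle_timeout=120.0):  # constructed value, not a vendor default
        self.idle_timeout = idle_timeout
        self.slots = {}  # (in_ip, in_port, out_ip, out_port) -> time last seen

    def permit(self, pkt, now):
        # Drop slots whose idle timer has expired.
        self.slots = {k: t for k, t in self.slots.items() if now - t <= self.idle_timeout}
        if not pkt.inbound:
            # First outbound packet creates the slot; later ones refresh it.
            self.slots[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.slots:
            self.slots[key] = now  # return traffic also resets the idle timer
            return True
        return False

def stateless_acl_permit(pkt):
    """Hypothetical stateless rule: any outbound, plus inbound UDP from source port 53."""
    return (not pkt.inbound) or pkt.sport == 53

def demo():
    inside, server = "10.0.0.5", "198.51.100.53"  # constructed addresses
    events = [  # (label, time in seconds, packet)
        ("query", 0, Packet(inside, 40000, server, 53, False)),
        ("reply", 1, Packet(server, 53, inside, 40000, True)),
        ("unsolicited", 2, Packet(server, 53, inside, 40001, True)),
        ("late reply", 200, Packet(server, 53, inside, 40000, True)),
    ]
    table = UdpStateTable()
    return {label: (table.permit(p, t), stateless_acl_permit(p)) for label, t, p in events}

if __name__ == "__main__":
    for label, (stateful, stateless) in demo().items():
        print(f"{label:12} stateful={stateful} stateless_acl={stateless}")
```

The stateless rule has to admit every inbound packet that matches its static pattern, while the slot table admits only the return half of a flow an inside host opened, and only until the idle timer runs out.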
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART