Multi-Channel Protocol Inspection
Unlike the single-channel protocols discussed earlier, multi-channel protocols require you to configure inspection for the application-layer protocol itself. For example, if you inspect only TCP for an FTP connection, the control channel is established, because FTP runs over TCP. However, the data channel may not be established, because its port is negotiated over the control channel, and when only TCP is inspected CBAC does not examine the packet payload to learn about that negotiation.
Hence, the TCP engine has no knowledge of the port and IP address that the FTP client and server negotiate and agree upon for the data channel. Consequently, CBAC opens no hole in the ACL, so a data connection initiated from outside is dropped. To inspect the payload and obtain the information needed for the data channel, you must inspect the application-layer protocol, which in this case is configured with ip inspect name myfw FTP. Note that application inspection takes precedence over Layer 4 protocol inspection. In this example, because you inspect the FTP protocol, you do not need inspection for TCP. If you inspect both TCP and FTP, only the FTP inspection engine is used, not TCP.
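The following is an added illustration, not CBAC code or configuration from this book: a simplified Python model of the difference between a Layer 4 (TCP) engine and an application-layer (FTP) engine. The FTP engine parses an active-mode PORT command on the control channel and opens a pinhole for the negotiated data channel; the TCP engine never reads the payload, so the inbound data connection is refused. The addresses, ports and the PORT command are constructed sample values, and pinholes are keyed on a 3-tuple rather than the full 5-tuple a real firewall would track.

```python
import re

# Constructed sample: active-mode client 10.1.1.5 tells server 192.0.2.10 to
# connect back to 10.1.1.5 port 5001 (19 * 256 + 137 = 5001).
SAMPLE_PORT_COMMAND = b"PORT 10,1,1,5,19,137\r\n"

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n")


def parse_port_command(payload: bytes):
    """Return (ip, port) announced in an FTP PORT command, or None."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class Inspector:
    """Toy stateful engine: 'tcp' tracks only the control session,
    'ftp' also reads the payload to learn the negotiated data channel."""

    def __init__(self, engine: str):
        self.engine = engine            # "tcp" or "ftp"
        self.pinholes = set()           # (src_ip, dst_ip, dst_port) allowed inbound

    def inspect_outbound(self, client_ip, client_port, server_ip, server_port, payload=b""):
        # Both engines keep control-session state so replies are permitted.
        self.pinholes.add((server_ip, client_ip, client_port))
        # Only the application-layer engine looks inside the control channel.
        if self.engine == "ftp" and server_port == 21:
            negotiated = parse_port_command(payload)
            if negotiated:
                data_ip, data_port = negotiated
                self.pinholes.add((server_ip, data_ip, data_port))

    def permit_inbound(self, src_ip, dst_ip, dst_port) -> bool:
        """Would an inbound SYN to this destination be let through the ACL?"""
        return (src_ip, dst_ip, dst_port) in self.pinholes


def data_channel_allowed(engine: str):
    """Return (control_reply_ok, data_connection_ok) for the chosen engine."""
    fw = Inspector(engine)
    fw.inspect_outbound("10.1.1.5", 40001, "192.0.2.10", 21, SAMPLE_PORT_COMMAND)
    control_reply = fw.permit_inbound("192.0.2.10", "10.1.1.5", 40001)
    data_conn = fw.permit_inbound("192.0.2.10", "10.1.1.5", 5001)
    return control_reply, data_conn
```

With the "tcp" engine the control reply passes but the server's data connection is dropped; with the "ftp" engine both pass.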
The section that follows discusses some of the important security services available for both single- and multi-channel protocols.