Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide
Chapter 10      Configuring Inspection of Basic Internet Protocols
For connections using a DNS server, the source port of the connection may be replaced by the IP address of the DNS server in the show conn command output.
A single connection is created for multiple DNS sessions, as long as they are between the same two hosts and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
Because each app_id expires independently, a legitimate DNS response can only pass through the security appliance within a limited period of time, and there is no resource build-up. However, when you enter the show conn command, you see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
To display the statistics for DNS application inspection, enter the show service-policy command. The following is sample output from the show service-policy command:
ciscoasa# show service-policy
Interface outside:
  Service-policy: sample_policy
    Class-map: dns_port
      Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
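The configuration that produces the sample output above, reconstructed here as an added example rather than taken from the guide: a Layer 3/4 class map that selects DNS traffic, a policy map that applies DNS inspection with the 1500-byte maximum message length shown in the output, and the service policy attached to the outside interface. The output shows only the names sample_policy, dns_port and outside; the match criterion (UDP port 53) is an assumption.

```text
! Added example (not from the guide): ASA CLI that yields the
! "Inspect: dns maximum-length 1500" line under class-map dns_port.
! The match criterion is an assumption; the sample output shows only the names.
class-map dns_port
 match port udp eq domain
!
policy-map sample_policy
 class dns_port
  inspect dns maximum-length 1500
!
service-policy sample_policy interface outside
```

On releases where the maximum-length keyword is no longer accepted on the inspect dns line, the same limit is expressed in a DNS inspection policy map (policy-map type inspect dns, then parameters and message-length maximum 1500) referenced by name from inspect dns. After applying the policy, show service-policy interface outside should report the drop and reset-drop counters shown above; a rising drop counter is the first place to look when oversized or malformed DNS messages are being discarded.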
FTP Inspection
This section describes the FTP inspection engine. This section includes the following topics:
FTP Inspection Overview
The FTP application inspection inspects the FTP sessions and performs four tasks:
Prepares dynamic secondary data connections
Tracks the FTP command-response sequence
Generates an audit trail
Translates the embedded IP address
FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event.
Note
If you disable the FTP inspection engine with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
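As an added example that is not part of the guide, the following ASA CLI enables FTP inspection in the default global policy with the strict keyword, which enforces the command-response sequence tracking described above. The class-map and policy-map names are the ASA defaults; the choice of the strict option is an assumption about the deployment, not something the page prescribes.

```text
! Added example (not from the guide): FTP inspection in the default
! global service policy. Names are the ASA defaults; "strict" is an assumption.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp strict
!
service-policy global_policy global
```

With inspection enabled, the engine reads the address and port negotiated in PORT or PASV and opens the secondary data channel only for that exchange, which is why removing inspect ftp leaves outbound clients with passive mode only: no pinhole is opened for the server-initiated active-mode data connection, and inbound control sessions are no longer tracked at all. Use show service-policy to confirm the inspect ftp line and its counters on each interface.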