I am migrating from the PIX to the ASA platform. We use non-standard ports for the FTP application. This was easy enough to handle on the PIX with the "fixup protocol ftp 'port#'" command.
I need the ASA to inspect FTP application traffic using non-standard ports, but it is unclear to me how to be sure the ASA is treating a matched class as an FTP application and thus creating the second (data) port.
Can anybody offer an example config that would accomplish this?
Hi there ..
I'm assuming that you have FTP control channel traffic on ports 21 and 2121. For this, you can use the following commands to fix up FTP traffic on ports 21 & 2121:
access-list ftp_traffic extended permit tcp any any eq 21
access-list ftp_traffic extended permit tcp any any eq 2121
class-map ftp-class
 match access-list ftp_traffic
policy-map global_policy
 class ftp-class
  inspect ftp
service-policy global_policy global
In the access-list, we define our interesting traffic.
In the class-map, we create a class for FTP traffic.
Then we define the policy for ftp-class traffic; the policy is to inspect it with the FTP inspection engine.
Last, using the service-policy command, we actually apply this policy.
Hope this helps.
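As an added example (not part of the answer above, and not Cisco's own documentation), here is how to verify on the ASA that the matched class is really being handed to the FTP inspection engine and that the data channel is being opened dynamically, plus one caveat about class ordering. It assumes the ftp-class and global_policy names used in the answer; the client and server addresses, and the optional strict variant at the end, are illustrative assumptions.

```cisco
! Added example, not from the original post. Addresses are illustrative.
! Assumes ftp-class and global_policy as defined in the answer above.

! 1. Confirm the class is bound to the FTP inspection engine. Each class
!    carrying "inspect ftp" is listed with packet counters. Log in to the
!    server on port 2121 and re-run the command: if ftp-class is missing,
!    or its counters stay at zero, the traffic is matching another class.
show service-policy global_policy
show service-policy inspect ftp

! 2. Watch the data channel being opened. Start a directory listing or a
!    transfer from the client (assumed 10.1.1.50) to the server (assumed
!    192.0.2.10) and look for a second TCP connection between the same two
!    hosts next to the control connection on 2121. Without FTP inspection
!    only the control connection would be present.
show conn address 10.1.1.50 address 192.0.2.10
show conn detail address 10.1.1.50 address 192.0.2.10

! 3. Caveat: a packet is matched against at most one class per feature type
!    (inspection), in policy-map order. The default inspection_default class
!    already inspects FTP on port 21 and sits first in global_policy, so
!    port-21 sessions are counted there, and only port-2121 sessions reach
!    ftp-class. That is expected and not a sign that ftp-class is broken.

! 4. Optional hardening: "strict" rejects commands that are not valid RFC 959
!    FTP and enforces the request/response sequence, which also stops non-FTP
!    traffic tunnelled over 2121. Test it first; clients that deviate from the
!    RFC will be dropped.
policy-map global_policy
 class ftp-class
  no inspect ftp
  inspect ftp strict
```

The show commands are the check the question asks for: counters incrementing on ftp-class under "inspect ftp" prove the class is treated as FTP, and the extra connection in show conn proves the ASA opened the data port from the PORT/PASV exchange rather than from any static rule.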