PIX Fixup to ASA Inspect

Answered Question

I am migrating from the PIX to the ASA platform. We use non-standard ports for the FTP application. This was easy enough to handle on the PIX with the "fixup protocol ftp 'port#'" command.


I need the ASA to inspect FTP application traffic on non-standard ports, but it is unclear to me how to be sure the ASA is treating a matched class as an FTP application, thus creating the second data port.


Can anybody offer an example config that would accomplish this?

Correct Answer by vitripat, Tue, 07/10/2007 - 08:39

Hi there ..


I'm assuming that you have FTP control channel traffic on ports 21 and 2121; for this, you can use the following commands to fix up FTP traffic on ports 21 and 2121:


access-list ftp_traffic extended permit tcp any any eq 21
access-list ftp_traffic extended permit tcp any any eq 2121

class-map ftp-class
 match access-list ftp_traffic

policy-map global_policy
 class ftp-class
  inspect ftp

service-policy global_policy global


In defining the access-list, we define our interesting traffic.


In the class-map, we create a class for FTP traffic.


Then we define the policy for ftp-class traffic; the policy is to inspect it with the FTP inspection engine.


Last, using the service-policy command, we actually apply this policy.


Hope this helps.


Regards,

Vibhor.


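As an added example (not part of the original thread or of vitripat's answer), here is the same approach fitted into the global_policy an ASA ships with, followed by the commands that show whether the FTP engine is actually engaging on the non-standard port. Port 2121, the interface name "outside", the server address 192.0.2.10 and the ACL name "outside_in" are assumptions for illustration.

```cisco
! Added example, not from the original post. Assumed values: control
! port 2121, server 192.0.2.10, interface "outside", ACL "outside_in".
!
! The interface ACL must permit the control connection. The FTP engine
! reads PORT/PASV on that inspected control session and opens a pinhole
! for the data connection, so no ACL line is needed for the data port.
access-list outside_in extended permit tcp any host 192.0.2.10 eq 2121
access-group outside_in in interface outside
!
! Class for the non-standard control port only. Port 21 is already
! matched by the default class (default-inspection-traffic), so it is
! not repeated here; a flow hits only the first matching class per feature.
class-map ftp-2121
 match port tcp eq 2121
!
! Default policy as shipped: inspect ftp is already in inspection_default.
! Add the new class to the same policy-map rather than creating a second one,
! because only one policy can be applied globally.
policy-map global_policy
 class inspection_default
  inspect ftp
 class ftp-2121
  inspect ftp
!
service-policy global_policy global
!
! Verification (run from privileged EXEC while a client transfers on 2121):
! - class counters for the global policy, to confirm the 2121 flow is classified
show service-policy global
! - FTP inspection statistics, to confirm the engine parsed the control channel
show service-policy inspect ftp
! - connection table: the dynamically created data connection should appear
!   next to the 2121 control connection for that server
show conn address 192.0.2.10
```

If the data channel is still blocked, check the three things in order: the control connection is permitted by the interface ACL, the `show service-policy` counters for the ftp-2121 class are incrementing, and the client is using the port the class matches. `inspect ftp strict` can be used instead of `inspect ftp` to enforce RFC-compliant command sequences on the control channel, but it will drop some non-compliant clients, so test it before enabling it in production.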
