
PIX Fixup to ASA Inspect

jimb
Level 1

I am migrating from the PIX to the ASA platform. We use non-standard ports for the FTP application. This was easy enough to handle on the PIX with the "fixup protocol ftp 'port#'" command.

I need the ASA to inspect FTP application traffic on non-standard ports, but it is unclear to me how to be sure the ASA is treating a matched class as an FTP application and thus creating the second data port.

Can anybody offer an example config that would accomplish this?

Accepted Solution

vitripat
Level 7

Hi there ..

I'm assuming that you have FTP control channel traffic on ports 21 and 2121. For this, you can use the following commands to fixup FTP traffic on ports 21 & 2121:

access-list ftp_traffic extended permit tcp any any eq 21
access-list ftp_traffic extended permit tcp any any eq 2121
!
class-map ftp-class
 match access-list ftp_traffic
!
policy-map global_policy
 class ftp-class
  inspect ftp
!
service-policy global_policy global

In the access-list, we define our interesting traffic.

In the class-map, we create a class for FTP traffic.

Then we define the policy for ftp-class traffic; the policy is to inspect it with the FTP inspection engine.

Last, using the service-policy command, we actually apply this policy.

Hope this helps.

Regards,

Vibhor.

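The original question was what the ASA does with a flow once the class-map has matched it and `inspect ftp` applies. The inspection engine reads the control channel, parses PORT/EPRT and PASV/EPSV, and dynamically permits the data connection those commands announce; the control port itself (21 or 2121) only matters for classification, which the access-list and class-map above handle. The Python below is an added example, not code from the thread or from Cisco, that models that parsing over a constructed control-channel transcript on port 2121. The addresses, ports and transcript are made up. The model also rejects a PORT or 227 reply whose address is not the peer that sent it (the FTP bounce pattern); whether a given ASA release applies exactly that check is an assumption of this model, not something the thread states.

```python
"""Model of what an FTP inspection engine derives from a control channel
that the policy (class-map + inspect ftp) has already classified as FTP,
whatever the control port.  Added example; not Cisco code and not from
the thread.  Endpoints, ports and the transcript are constructed."""
import re
from dataclasses import dataclass

# Constructed endpoints of the control connection (client -> server:2121).
CLIENT_IP = "10.1.1.50"
SERVER_IP = "192.0.2.10"
CONTROL_PORT = 2121  # matched by the class-map, not by this parser

# Constructed exchange: ("C", ...) sent by the client, ("S", ...) by the server.
TRANSCRIPT = [
    ("S", "220 FTP service ready"),
    ("C", "USER anonymous"),
    ("S", "230 Login successful"),
    ("C", "PORT 10,1,1,50,4,1"),                  # active: client listens on 4*256+1 = 1025
    ("S", "200 PORT command successful"),
    ("C", "PORT 203,0,113,7,0,25"),               # bounce attempt: not the client's address
    ("S", "500 Illegal PORT command"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),  # 195*256+80 = 50000
    ("C", "RETR notes.txt"),
    ("S", "226 Transfer complete"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50001|)"),
    ("C", "EPRT |1|10.1.1.50|1026|"),             # active, extended syntax (proto 1 = IPv4)
    ("S", "200 EPRT command successful"),
    ("C", "QUIT"),
]

OCT = r"(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + ",".join([OCT] * 6) + r"$")
EPRT_RE = re.compile(r"^EPRT \|1\|([0-9.]+)\|(\d{1,5})\|$")
PASV_RE = re.compile(r"^227 .*\(" + ",".join([OCT] * 6) + r"\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class Pinhole:
    """Data connection the firewall must permit for this control session."""
    src_ip: str
    dst_ip: str
    dst_port: int
    mode: str  # "active": server connects to client; "passive": client connects to server


def _port(p1: str, p2: str) -> int:
    """Decode the two-octet port encoding used by PORT and 227 replies."""
    hi, lo = int(p1), int(p2)
    if not (0 <= hi <= 255 and 0 <= lo <= 255) or hi == lo == 0:
        raise ValueError("bad port encoding")
    return hi * 256 + lo


def derive_pinholes(transcript, client_ip, server_ip):
    """Walk the control channel; return (pinholes, rejected_lines).

    A command naming an address other than the peer that sent it is
    rejected (FTP bounce).  This check is part of the model, assumed
    rather than taken from the thread."""
    pinholes, rejected = [], []
    for side, line in transcript:
        line = line.rstrip("\r\n")
        try:
            if side == "C" and (m := PORT_RE.match(line)):
                ip = ".".join(m.group(i) for i in range(1, 5))
                port = _port(m.group(5), m.group(6))
                if ip != client_ip:
                    rejected.append(line)
                    continue
                pinholes.append(Pinhole(server_ip, client_ip, port, "active"))
            elif side == "C" and (m := EPRT_RE.match(line)):
                ip, port = m.group(1), int(m.group(2))
                if ip != client_ip or not 0 < port < 65536:
                    rejected.append(line)
                    continue
                pinholes.append(Pinhole(server_ip, client_ip, port, "active"))
            elif side == "S" and (m := PASV_RE.match(line)):
                ip = ".".join(m.group(i) for i in range(1, 5))
                port = _port(m.group(5), m.group(6))
                if ip != server_ip:
                    rejected.append(line)
                    continue
                pinholes.append(Pinhole(client_ip, server_ip, port, "passive"))
            elif side == "S" and (m := EPSV_RE.match(line)):
                port = int(m.group(1))
                if not 0 < port < 65536:
                    rejected.append(line)
                    continue
                pinholes.append(Pinhole(client_ip, server_ip, port, "passive"))
        except ValueError:
            rejected.append(line)
    return pinholes, rejected


def run_demo():
    """Run the model over the constructed transcript."""
    return derive_pinholes(TRANSCRIPT, CLIENT_IP, SERVER_IP)


if __name__ == "__main__":
    holes, bad = run_demo()
    for h in holes:
        print(f"permit tcp {h.src_ip} -> {h.dst_ip}:{h.dst_port} ({h.mode})")
    for b in bad:
        print(f"rejected: {b}")
```

On the ASA itself, the corresponding check after applying the policy is `show service-policy inspect ftp`, whose per-interface counters should increment for control connections on 2121, and `show conn`, where the dynamically permitted data connection appears alongside the control connection while a transfer is in progress.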

2 Replies


Excellent. Thank you for clearing that up. The part I was unsure of was how the matched traffic was inspected as an FTP application. You cleared that up very nicely.

Thanks again for the help.
