ASA FTP Application inspection

Apr 27th, 2010
I am doing FTP application inspection on traffic that matches an ACL (permit statement, src/dst host).
This part works fine.
However, I want to exclude a group of hosts from being inspected by my own policy and I want them to use the
global one. I am accomplishing this by using the same ACL as above, but I put a deny statement for the hosts that
I do not wish to go through my custom inspection.
This breaks. I even know why, but I am not sure how to fix it.


Here is my config:

# I do not want this traffic to be inspected by my custom policy
access-list FTP extended deny tcp any host 99.99.99.99 eq ftp
# I want this traffic to be inspected
access-list FTP extended permit tcp any any eq ftp

# this is the application inspection class-map that looks for PUT commands in FTP
class-map type inspect ftp match-any FTP-PUT-CLASS-MAP
 match request-command put

# now the policy map to perform an action when a PUT command is found:
policy-map type inspect ftp FTP-PUT-POLICY-MAP
 parameters
 class FTP-PUT-CLASS-MAP
  reset log

# and now match layer 3 and 4 traffic from the ACL and apply application inspection:
class-map FTP-CLASS
 match access-list FTP

# and put it into the layer 3 policy:
policy-map MY-POLICY
 class FTP-CLASS
  inspect ftp strict FTP-PUT-POLICY-MAP

# last but not least: apply MY-POLICY to the interface:
service-policy MY-POLICY interface inside

# I also have a default policy in place:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp

service-policy global_policy global


Now a description of what is happening:
When I initiate traffic on the inside interface going to the FTP server and that traffic matches "permit tcp any any" in the ACL, everything works fine. I can see the packet count in "show service-policy inspect ftp" increase, etc.
Now when the FTP traffic matches the first ACL statement (the deny one), I can FTP to the server but I cannot do dir or ls
commands. I am getting a "connection refused" message. I am getting this message because the traffic that matches the deny statement in my ACL is not going through any FTP inspection at all; therefore the firewall does not know that it has to allow the second (data) connection between the FTP client and the server.
I was wondering how come global_policy does not inspect this traffic instead.
This is what I would like to see:
traffic matched and permitted in my FTP ACL should be inspected by my custom policy;
traffic matched and denied in my FTP ACL should not be inspected by my policy and should be picked up by the global policy that is also present in the config.
Also:
I do not see the packet count increase under "show service-policy" for global_policy for traffic that hits the deny statement in my FTP ACL.
Also, to eliminate all other connectivity/NAT/interface ACL issues: the FTP connection works perfectly fine once I remove the "service-policy MY-POLICY interface inside" command.
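The matching order the poster is expecting, modelled as an added example (not code from the thread or from Cisco): ACLs are evaluated first-match, a deny ACE in a class-map ACL means the class does not match, and the interface service policy is consulted before the global one for each inspection feature. Flows and the `_addr_match`/`acl_matches`/`ftp_inspection_for` helpers are constructed for this illustration.

```python
import ipaddress

# access-list FTP from the post, as (action, proto, src, dst, dport); "any" matches everything.
FTP_ACL = [
    ("deny",   "tcp", "any", "99.99.99.99", 21),
    ("permit", "tcp", "any", "any",         21),
]

def _addr_match(spec, addr):
    """'any' or an exact host address, like 'any' / 'host x.x.x.x' in an ACE."""
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)

def acl_matches(acl, proto, src, dst, dport):
    """First-match ACL evaluation. Only a permit ACE puts the flow in the class;
    a deny ACE stops evaluation and means 'not in this class' (implicit deny at the end)."""
    for action, p, s, d, port in acl:
        if p == proto and _addr_match(s, src) and _addr_match(d, dst) and port == dport:
            return action == "permit"
    return False

# Service policies in the order the ASA consults them: interface policy, then global policy.
# Each class is (matcher, FTP inspection action); inspection_default matches FTP on tcp/21.
POLICIES = [
    ("MY-POLICY (interface inside)", [
        (lambda f: acl_matches(FTP_ACL, *f), "inspect ftp strict FTP-PUT-POLICY-MAP"),
    ]),
    ("global_policy", [
        (lambda f: f[0] == "tcp" and f[3] == 21, "inspect ftp"),
    ]),
]

def ftp_inspection_for(flow):
    """Return (policy name, action) that would inspect the flow, or None if nothing matches.
    flow = (proto, src, dst, dport)."""
    for name, classes in POLICIES:
        for matcher, action in classes:
            if matcher(flow):
                return (name, action)
    return None

if __name__ == "__main__":
    for flow in [("tcp", "10.1.1.5", "99.99.99.99", 21), ("tcp", "10.1.1.5", "10.2.2.2", 21)]:
        print(flow, "->", ftp_inspection_for(flow))
```

In this model the flow to 99.99.99.99 falls out of FTP-CLASS on the deny ACE and is picked up by global_policy; that is the behaviour the post describes wanting, not what it reports observing.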


dshroyer19 Tue, 09/28/2010 - 12:40

prekursor - what was the resolution to this issue?  I have a similar scenario.

Rodrigo Gurriti Wed, 04/28/2010 - 07:20

Why don't you put an access-list matching the traffic that you want and add it to the global statement?


access-list FTP2 extended permit tcp any host 99.99.99.99 eq ftp
access-list FTP2 extended deny tcp any any eq ftp

class-map global-class
 match access-list FTP2

policy-map global_policy
 description FTP2
 class global-class
  inspect ftp


This way you deny the inspection you created and you add the other inspection to the global policy.



Double check my commands above, I did them by head ... but I guess it's right.
