The wrong Cut & Paste in this discussion but the running-configuration in the ASA is correct and that the reson why I must ask expert team Thanks

Hello,

Can you try the following:

class-map type regex match-any deny_files
match filename regex REG_C26XX
match filename regex REG_C28XX

Hope this helps.

Regards,

NT

Hello,

I did it in this case before by created access-list with range port 21 22 but I am still got the same issue. You can try

regards,

Hi,

What kind of FTP connection are you testing using? Active or Passive? If it's Active then access-list on pirt 20 makes sense. But if you are trying using passive FTP, the data connection will be on a random negotiated port. That is why i had suggested an access-list with all TCP traffic to the FTP server without an ports as below:

access-list FTP match tcp any host a.b.c.d

class-map FTP

no  match port tcp eq ftp

match access-list FTP

Please try this out and see if it works. Also, please paste the output of show service-policy.

Regards,

Prapanch

Hello Prapanch,

Client-------------(out)(ASA)(dmz)-------------FTP_Server

FTP_Srv (support both Act/Pass Mode):

For Active Mode:

Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
                          
                          <---------DATA OK Port:2030-------->

DATA Port: 2030  <-----------Data Channel--------------- DATA PORT:20

For Passive Mode:

Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
                          
                          <---------Passive OK Port:2020--------

  DATA Port:2030  -----------Data Channel---------------> DATA PORT:2020

As my understanding, The ASA is stateful inspection/Multi-packets technology and I think that the ASA is enough smart to inspect sub-connection   and As your mentioned I must create access-list to classify once again for Data Channel in the both Active/Passive mode in this case. It seem the best answer , and I will do it tomorrow and give the result to you. Thank you very much

Regards,

Tran

Hello Prapanch,

Client-------------(out)(ASA)(dmz)-------------FTP_Server

FTP_Srv (support both Act/Pass Mode):

For Active Mode:

Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
                          
                          <---------DATA OK Port:2030-------->

DATA Port: 2030  <-----------Data Channel--------------- DATA PORT:20

For Passive Mode:

Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
                          
                          <---------Passive OK Port:2020--------

  DATA Port:2030  -----------Data Channel---------------> DATA PORT:2020

As  my understanding, The ASA is stateful inspection/Multi-packets  technology and I think that the ASA is enough smart to inspect  sub-connection

and As your mentioned I must create access-list to classify once again  for Data Channel in the both Active/Passive mode in this case.

access-list FTP match tcp any host a.b.c.d

class-map FTP

no  match port tcp eq ftp

match access-list FTP

As your mentioned, I did it:

access-list FTP permit tcp any any (for test deep inspection in this case)

class-map FTP

no match port tcp eq ftp

match access-list FTP

!

It didn't work correctly

ASA# sh service-policy interface outside ins ftp

Interface outside:
  Service-policy: outside
    Class-map: http_from_outside
    Class-map: FTP
      Inspect: ftp strict ftp_inspect, packet 316, drop 76, reset-drop 0
               Retx cmd in cmd mode drop        64
               Cmd in reply mode drop           12
        mask-banner enabled
        mask-syst-reply enabled
        match filename regex class deny_files  --------------> didn't see packets
          reset log, packet 0
        class deny_commands
          reset, packet 0
    Class-map: smtp_server
ASA#

regards,

Tran

Hey Tran,

Just wanted to confirm. Have you tested the filename c2600.bin agains the regex you have configured? Also, please try testing the filename c2600 against the regex configured. Just wanna ocnfirm we have the regex configured right.

Also, can you please get the captures of the entire FTP session in a .pcap format from the ASA? Would like to see the exact parameters being sent by the client. For configuring captures, pelase refer the below document:

https://supportforums.cisco.com/docs/DOC-1222

Thanks and Regards,

Prapanch

Hey,

The reason could be because of the below config:

class-map FTP
match port tcp eq ftp

policy-map outside

class FTP

  inspect ftp strict  ftp_inspect

So in the above case, we are matching traffic on port TCP/21 (due to the command match port tcp eq ftp). All the filenames and commands will i guess be exchanged in the "data connection" and not in the "control connection" which is TCP/21. The port for data connection depends on what type of FTP we are using, that is, active or passive. So the best option is to apply an access-list to the FTP server.

Try changing the config to something like below:

Assuming the FTP server's IP address is a.b.c.d

access-list FTP match tcp any host a.b.c.d

class-map FTP

no match port tcp eq ftp

match access-list FTP

Try this out and let me know how it goes!!

Regards,

Prapanch

Hello,

The keyword "filename" didn't see in the syntax: class-map type regex match-any deny_files

Regards,

Tran

Can you guys tell me what is C26, C28. I am not able to find anything on the web with that reference. Is it something to do with file names??

Thanks!