To deny FTP upload but at the same time allow download.

Nov 27, 2009 6:39 AM

Aim:

To deny FTP upload but at the same time allow download.

Topology:

Image.JPG

Configuration:

1. Create a class-map of inspect ftp type:

ASA-5510-8x(config)# class-map type inspect ftp match-all FTP_CLASS
ASA-5510-8x(config-cmap)# match request-command put
ASA-5510-8x(config-cmap)# exit

2. Create a policy-map of ftp type and call the above class in it. Set the action to reset and, optionally, log the packet:

ASA-5510-8x(config)# policy-map type inspect ftp FTP_POLICY
ASA-5510-8x(config-pmap)# class FTP_CLASS
ASA-5510-8x(config-pmap-c)# reset log
ASA-5510-8x(config-pmap-c)# exit
ASA-5510-8x(config-pmap)# exit

Create a normal policy-map, call the default inspection class in it, and apply FTP inspection with the strict option, referencing the ftp-type policy-map created above:

ASA-5510-8x(config)# policy-map FTP_POLICY_1
ASA-5510-8x(config-pmap)# class inspection_default
ASA-5510-8x(config-pmap-c)# inspect ftp strict FTP_POLICY
ASA-5510-8x(config-pmap-c)# exit
ASA-5510-8x(config-pmap)# exit

Now, apply the policy on the inside interface:

ASA-5510-8x(config)# service-policy FTP_POLICY_1 interface inside
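
The following is an added example, not part of the original document and not Cisco code: a simplified Python model of which FTP control-channel commands the class-map above matches, useful for auditing whether the policy covers every command that writes a file. The keyword-to-verb table follows RFC 959 command names; the session lines and function names are constructed for illustration.

```python
# Simplified model of "class-map type inspect ftp" matching (illustration only,
# not the ASA's implementation). ASA match keywords -> FTP verbs (RFC 959).
ASA_KEYWORD_TO_VERB = {
    "appe": "APPE", "cdup": "CDUP", "dele": "DELE", "get": "RETR",
    "help": "HELP", "mkd": "MKD", "put": "STOR", "rmd": "RMD",
    "rnfr": "RNFR", "rnto": "RNTO", "site": "SITE", "stou": "STOU",
}
# FTP verbs that write file data to the server.
UPLOAD_VERBS = {"STOR", "APPE", "STOU"}


def parse_verb(line):
    """Return the upper-cased verb of one control-channel line, or None if empty."""
    parts = line.strip().split(None, 1)
    return parts[0].upper() if parts else None


def blocked_verbs(matched_keywords):
    """Translate the class-map's match keywords into the FTP verbs they cover."""
    return {ASA_KEYWORD_TO_VERB[k.lower()] for k in matched_keywords}


def evaluate(session, matched_keywords):
    """Return [(line, action)]; each line is judged on its own, as if it were
    the first matching command of a separate session ('reset' ends a real one)."""
    blocked = blocked_verbs(matched_keywords)
    return [(line, "reset" if parse_verb(line) in blocked else "allow")
            for line in session]


def uncovered_upload_verbs(matched_keywords):
    """Upload-capable verbs that the class-map does not match."""
    return sorted(UPLOAD_VERBS - blocked_verbs(matched_keywords))


# Constructed sample of client commands on the FTP control channel.
SAMPLE_SESSION = [
    "USER alice", "PASS example", "TYPE I", "PASV", "RETR report.pdf",
    "PASV", "stor notes.txt", "PASV", "APPE notes.txt", "QUIT",
]

if __name__ == "__main__":
    # FTP_CLASS on this page matches only the "put" keyword.
    for line, action in evaluate(SAMPLE_SESSION, ["put"]):
        print(f"{action:5}  {line}")
    print("upload verbs not matched:", uncovered_upload_verbs(["put"]))
```
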
