To deny FTP upload but at the same time allow download

Fri, 11/27/2009 - 07:21
User Badges: Cisco Employee



Aim:



To deny FTP upload but at the same time allow download.


Topology:


[Figure: topology diagram (Image.JPG)]


Configuration:

Create a class-map of type inspect ftp that matches the FTP put request command:


ASA-5510-8x(config)# class-map type inspect ftp match-all FTP_CLASS
ASA-5510-8x(config-cmap)# match request-command put
ASA-5510-8x(config-cmap)# exit


Create a policy-map of type inspect ftp, reference the class created above in it, and set the action to reset; logging the packet is optional:


ASA-5510-8x(config)# policy-map type inspect ftp FTP_POLICY
ASA-5510-8x(config-pmap)# class FTP_CLASS
ASA-5510-8x(config-pmap-c)# reset log
ASA-5510-8x(config-pmap-c)# exit
ASA-5510-8x(config-pmap)# exit


Create a normal policy-map, reference the default inspection class in it, and apply FTP inspection with the strict option, calling the ftp-type policy-map created above:


ASA-5510-8x(config)# policy-map FTP_POLICY_1
ASA-5510-8x(config-pmap)# class inspection_default
ASA-5510-8x(config-pmap-c)# inspect ftp strict FTP_POLICY
ASA-5510-8x(config-pmap-c)# exit
ASA-5510-8x(config-pmap)# exit


Now apply the policy to the inside interface:


ASA-5510-8x(config)# service-policy FTP_POLICY_1 interface inside
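
The class-map above matches only put, which is the ASA keyword for the FTP STOR command. The following added example (not part of the original document) shows the same configuration in running-config form, with the match line widened to also cover stou (store unique) and appe (append), the other FTP commands that write a file to the server; treating those two as uploads to be blocked is an assumption beyond what the document states.

```cisco
! Added example, not from the original document.
! Object names are the ones used in the steps above.
!
! "put" = STOR, "stou" = store with a unique name, "appe" = append.
! Several commands on one match line match if ANY of them is seen,
! so a single line is enough even in a match-all class-map.
class-map type inspect ftp match-all FTP_CLASS
 match request-command put stou appe
!
! Reset the FTP connection when a matched command is seen and log it.
policy-map type inspect ftp FTP_POLICY
 class FTP_CLASS
  reset log
!
! Strict FTP inspection with the FTP policy attached to the default
! inspection class.
policy-map FTP_POLICY_1
 class inspection_default
  inspect ftp strict FTP_POLICY
!
! Traffic entering the inside interface is subject to the policy.
service-policy FTP_POLICY_1 interface inside
!
! Checks after applying (exec mode):
!   show running-config class-map
!   show running-config policy-map
!   show service-policy interface inside
```

FTP get (RETR) is not listed in the match line, so downloads continue to pass through the inspection.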

