I am doing FTP application inspection on traffic that matches an ACL (permit statement) src dst host. This part works fine. However, I want to exclude a group of hosts from being inspected by my own policy and I want them to use the global one. I am accomplishing this by using the same ACL as above, but I put a deny statement for hosts that I do not wish to go through my custom inspection. This breaks. I even know why, but I am not sure how to fix it. Here is my config:

    # I do not want this traffic to be inspected by my custom policy
    access-list FTP extended deny tcp any host 18.104.22.168 eq ftp
    # I want this traffic to be inspected
    access-list FTP extended permit tcp any any eq ftp

    # this is the application inspection class-map that looks for put commands in ftp
    class-map type inspect ftp match-any FTP-PUT-CLASS-MAP
     match request-command put

    # now the policy map to perform an action when a put command is found:
    policy-map type inspect ftp FTP-PUT-POLICY-MAP
     parameters
     class FTP-PUT-CLASS-MAP
      reset log

    # and now match layer 3 and 4 traffic from the acl and apply application inspection:
    class-map FTP-CLASS
     match access-list FTP

    # and put it into the layer 3 policy:
    policy-map MY-POLICY
     class FTP-CLASS
      inspect ftp strict FTP-PUT-POLICY-MAP

    # last but not least: apply MY-POLICY to the interface:
    service-policy MY-POLICY interface inside

    # I also have a default policy in place:
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ftp
    service-policy global_policy global

Now a description of what is happening: when I initiate traffic on the inside interface going to the FTP server and that traffic matches permit tcp any any in the ACL, everything works fine. I can see the packet count in show service-policy inspect ftp increase, etc. Now, when the FTP traffic matches the first ACL statement (the deny one), I can FTP to the server but I cannot do dir or ls commands. I am getting a "connection refused" message. I am getting this message because the traffic that matches the deny statement in my ACL is not going through any FTP inspection at all; therefore, the firewall does not know that it has to allow the second data connection between the FTP client and the server. I was wondering how come global_policy does not inspect this traffic instead. This is what I would like to see:

    traffic matched and permitted in my FTP ACL should be inspected by my custom policy
    traffic matched and denied in my FTP ACL should not be inspected by my policy and should be picked up by the global policy that is also present in the config

Also: I do not see the packet count increase under show service-policy for global_policy for traffic that matches the deny statement in my FTP ACL. Also, to eliminate all other connectivity/NAT/interface ACL issues: the FTP connection works perfectly fine once I remove the service-policy MY-POLICY interface inside command.
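The following is an added model of how the ASA Modular Policy Framework chooses one FTP inspection action per flow; it is not ASA code and not part of the post. It assumes three rules that are consistent with the behaviour described above (first-match ACL evaluation, one matching class per feature within a policy-map, and an interface policy-map that carries a feature overriding the global policy for that feature), and the FTP-REST class, the 203.0.113.10 address and the stand-in ACL for default-inspection-traffic are constructed for illustration.

```python
# Added model (not ASA code) of how the ASA MPF picks one FTP inspection action per flow.
# Assumed rules, consistent with the behaviour described in the post:
#  1. an ACL is evaluated first-match; a deny or no match means "class does not match";
#  2. inside one policy-map, only the first class that matches supplies a given feature;
#  3. if an interface policy-map carries a feature at all, the global policy is not
#     consulted for that feature on that interface (so denied flows get no ftp inspection).

FTP_PORT = 21

def acl_permits(acl, dst, dport):
    """acl: list of (action, dst_host_or_any, dport) in configured order."""
    for action, ace_dst, ace_port in acl:
        if ace_dst in ("any", dst) and ace_port == dport:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

# access-list FTP from the post: deny the excluded host, permit all other ftp traffic
ACL_FTP = [("deny", "18.104.22.168", FTP_PORT), ("permit", "any", FTP_PORT)]
# constructed stand-in for "match default-inspection-traffic" in inspection_default
ACL_ANY_FTP = [("permit", "any", FTP_PORT)]

# a policy-map is an ordered list of (class_name, acl, feature, action)
MY_POLICY = [("FTP-CLASS", ACL_FTP, "inspect ftp", "strict FTP-PUT-POLICY-MAP")]
GLOBAL_POLICY = [("inspection_default", ACL_ANY_FTP, "inspect ftp", "default")]
# Candidate fix (assumption, not from the post): a second class in MY-POLICY, placed after
# FTP-CLASS, that catches the remaining ftp flows with plain "inspect ftp".
MY_POLICY_FIXED = MY_POLICY + [("FTP-REST", ACL_ANY_FTP, "inspect ftp", "default")]

def ftp_action(dst, interface_policy, global_policy):
    """Return (policy, class, action) chosen for a tcp flow to dst:21; 'none' = uninspected."""
    for pname, policy in (("MY-POLICY", interface_policy), ("global_policy", global_policy)):
        classes = [c for c in policy if c[2] == "inspect ftp"]
        if not classes:
            continue                        # this policy has no ftp feature; try the next one
        for cname, acl, _feature, action in classes:
            if acl_permits(acl, dst, FTP_PORT):
                return (pname, cname, action)   # rule 2: first matching class wins
        return (pname, None, "none")        # rule 3: feature claimed here, nothing matched

    return (None, None, "none")

if __name__ == "__main__":
    for policy in (MY_POLICY, MY_POLICY_FIXED):
        for host in ("18.104.22.168", "203.0.113.10"):   # 203.0.113.10 is a constructed host
            print(host, ftp_action(host, policy, GLOBAL_POLICY))
```

With MY_POLICY as posted, the excluded host yields ("MY-POLICY", None, "none"), matching the missing global_policy counters; with the extra catch-all class it falls to FTP-REST while other hosts still hit FTP-CLASS.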