07-10-2007 06:05 AM - edited 03-11-2019 03:42 AM
I am migrating from the PIX to the ASA platform. We use non-standard ports for the FTP application. This was easy enough to handle on the PIX with the "fixup protocol ftp 'port#'" command.
I need the ASA to inspect FTP application traffic on non-standard ports, but it is unclear to me how to be sure the ASA is treating a matched class as an FTP application and thus creating the second data port.
Can anybody offer an example config that would accomplish this?
07-10-2007 08:39 AM
Hi there ..
I'm assuming that you have FTP control channel traffic on ports 21 and 2121. For this, you can use the following commands to fix up FTP traffic on ports 21 & 2121:
access-list ftp_traffic extended permit tcp any any eq 21
access-list ftp_traffic extended permit tcp any any eq 2121
class-map ftp-class
 match access-list ftp_traffic
policy-map global_policy
 class ftp-class
  inspect ftp
service-policy global_policy global
In defining the access-list, we define our interesting traffic.
In the class-map, we create a class for FTP traffic.
Then we define the policy for ftp-class traffic; the policy is to inspect it with the FTP inspection engine.
Last, using the service-policy command, we actually apply this policy.
Hope this helps.
Regards,
Vibhor.
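As an added example (not from the thread and not a Cisco tool), here is a Python check that walks a saved ASA running-config through the chain described above (access-list -> class-map -> policy-map -> service-policy) and reports which TCP ports actually reach the FTP inspection engine under a globally applied policy, which is the "how to be sure" part of the original question. It assumes numeric ports in the ACL (no "eq ftp" keyword) and, going beyond the thread, also handles class-maps that use "match port tcp eq"; the sample config is constructed.

```python
import re
from collections import defaultdict
# Constructed sample (not a real device config): the thread's ACL-based class plus a 'match port' class.
SAMPLE_CONFIG = """
access-list ftp_traffic extended permit tcp any any eq 21
access-list ftp_traffic extended permit tcp any any eq 2121
class-map ftp-class
 match access-list ftp_traffic
class-map ftp-alt
 match port tcp eq 2221
policy-map global_policy
 class ftp-class
  inspect ftp
 class ftp-alt
  inspect ftp
service-policy global_policy global
"""
def ftp_inspected_ports(config):
    """Return the TCP ports whose traffic reaches 'inspect ftp' through a globally applied policy."""
    acl_ports = defaultdict(set)     # ACL name -> numeric TCP ports it permits
    class_acl = {}                   # class-map name -> ACL it matches (resolved at the end)
    class_ports = defaultdict(set)   # class-map name -> ports from 'match port tcp eq'
    inspections = defaultdict(lambda: defaultdict(set))  # policy -> class -> inspection engines
    global_policies = set()
    cmap = policy = cls = None       # current config-mode context while walking lines
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) extended permit tcp .+ eq (\d+)$", line)
        if m:
            acl_ports[m.group(1)].add(int(m.group(2)))
        elif line.startswith("class-map "):
            cmap, policy = line.split()[1], None
        elif line.startswith("match access-list ") and cmap:
            class_acl[cmap] = line.split()[2]
        elif line.startswith("match port tcp eq ") and cmap:
            class_ports[cmap].add(int(line.split()[4]))
        elif line.startswith("policy-map "):
            policy, cmap, cls = line.split()[1], None, None
        elif line.startswith("class ") and policy:
            cls = line.split()[1]
        elif line.startswith("inspect ") and policy and cls:
            inspections[policy][cls].add(line.split()[1])
        elif line.startswith("service-policy ") and line.endswith(" global"):
            global_policies.add(line.split()[1])
    ports = set()
    for pol in global_policies:
        for cls, engines in inspections[pol].items():
            if "ftp" in engines:      # only classes handed to the FTP engine count
                ports |= class_ports[cls] | acl_ports[class_acl.get(cls, "")]
    return ports
```

A port listed in the ACL but missing from the result means the class is not bound to "inspect ftp" in a policy applied with "service-policy ... global", so the data channel would not be opened dynamically.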
07-10-2007 10:14 AM
Excellent. Thank you for clearing that up. The part I was unsure of was how the matched traffic was inspected as an FTP application. You cleared that up very nicely.
Thanks again for the help.