PIX Fixup to ASA Inspect

jimb
Level 1

I am migrating from the PIX to the ASA platform. We use non-standard ports for the FTP application. This was easy enough to handle on the PIX with the "fixup protocol ftp 'port#'" command.

I need the ASA to inspect FTP application traffic using non-standard ports, but it is unclear to me how to be sure the ASA is treating a matched class as an FTP application and thus creating the second data port.

Can anybody offer an example config that would accomplish this?

Accepted Solution

vitripat
Level 7

Hi there ..

I'm assuming that you have FTP control channel traffic on ports 21 and 2121. For this, you can use the following commands to fix up FTP traffic on ports 21 & 2121:

access-list ftp_traffic extended permit tcp any any eq 21
access-list ftp_traffic extended permit tcp any any eq 2121
class-map ftp-class
 match access-list ftp_traffic
policy-map global_policy
 class ftp-class
  inspect ftp
service-policy global_policy global

In the access-list, we define our interesting traffic.

In the class-map, we create a class for FTP traffic.

Then we define the policy for ftp-class traffic; the policy is to inspect it with the FTP inspection engine.

Last, using the service-policy command, we actually apply this policy.

Hope this helps.

Regards,

Vibhor.
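As an added illustration, not code from this thread or from Cisco, of what `inspect ftp` does once the class above hands it the control channel on 21 or 2121: the engine reads `PORT` commands and `227` (PASV) replies, decodes the advertised address and port, and opens a temporary pinhole for the resulting data connection. That is the "second data port" the question asks about, and it is why a static access-list for the control port alone is never enough. The sample exchange, the client and server addresses and the `derive_pinholes` helper are constructed for this example; a real engine also rewrites the embedded address under NAT, which this simplification leaves out.

```python
import ipaddress
import re

# Constructed sample of an FTP control-channel exchange (e.g. on port 2121).
# "C:" lines are sent by the client, "S:" lines by the server.
SAMPLE_EXCHANGE = [
    "C: USER demo",
    "S: 331 Password required",
    "C: PASS ****",
    "S: 230 Login successful",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80).",
    "C: PORT 198,51,100,7,4,1",
    "S: 200 PORT command successful",
]

# RFC 959 encodes the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_endpoint(h1, h2, h3, h4, p1, p2):
    """Turn the six decimal fields into (ip, port), validating both."""
    ip = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")  # raises on junk
    port = int(p1) * 256 + int(p2)
    if not 0 < port < 65536:
        raise ValueError(f"invalid data port {port}")
    return str(ip), port


def derive_pinholes(lines, client_ip, server_ip):
    """Return (pinholes, rejected) for a control-channel exchange.

    A pinhole is (direction, src_ip, dst_ip, dst_port):
      * after a 227 reply the client connects TO the server's advertised port
        (passive mode);
      * after a PORT command the server connects TO the client's advertised
        port (active mode).
    As a defensive simplification, an advertised address that does not match
    the peer that sent it is rejected rather than opened (hypothetical rule
    standing in for the firewall's own sanity checks).
    """
    pinholes, rejected = [], []
    for raw in lines:
        who, _, msg = raw.partition(": ")
        if who == "S":
            m = PASV_RE.match(msg)
            if not m:
                continue
            ip, port = decode_endpoint(*m.groups())
            if ip != server_ip:
                rejected.append(("pasv-address-mismatch", ip, port))
                continue
            pinholes.append(("client->server", client_ip, ip, port))
        elif who == "C":
            m = PORT_RE.match(msg)
            if not m:
                continue
            ip, port = decode_endpoint(*m.groups())
            if ip != client_ip:
                rejected.append(("port-address-mismatch", ip, port))
                continue
            pinholes.append(("server->client", server_ip, ip, port))
    return pinholes, rejected


if __name__ == "__main__":
    opened, dropped = derive_pinholes(SAMPLE_EXCHANGE, "198.51.100.7", "192.0.2.10")
    for hole in opened:
        print("pinhole:", hole)
    for bad in dropped:
        print("rejected:", bad)
```

Running it shows two pinholes for the constructed session: 198.51.100.7 to 192.0.2.10 port 50000 (passive) and 192.0.2.10 to 198.51.100.7 port 1025 (active); neither destination port appears in any static rule, which is exactly the gap inspection closes. On the ASA itself, after the policy is applied, `show service-policy inspect ftp` lists the class and its packet counters, so a transfer on 2121 that increments those counters is the confirmation that the matched class really is being handed to the FTP engine.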

Excellent. Thank you for clearing that up. The part I was unsure of was how the matched traffic was inspected as an FTP application. You cleared that up very nicely.

Thanks again for the help.
