Cisco Support Community

New Member

PIX Fixup to ASA Inspect

I am migrating from the PIX to the ASA platform. We use non-standard ports for the FTP application. This was easy enough to handle on the PIX with the "fixup protocol ftp 'port#'" command.

I need the ASA to inspect FTP application traffic on non-standard ports, but it is unclear to me how to be sure the ASA is treating a matched class as an FTP application and thus creating the second data port.

Can anybody offer an example config that would accomplish this?

1 ACCEPTED SOLUTION
Silver

Re: PIX Fixup to ASA Inspect

Hi there ..

I'm assuming that you have FTP control channel traffic on ports 21 and 2121. For this, you can use the following commands to fix up FTP traffic on ports 21 & 2121:

access-list ftp_traffic extended permit tcp any any eq 21
access-list ftp_traffic extended permit tcp any any eq 2121
class-map ftp-class
 match access-list ftp_traffic
policy-map global_policy
 class ftp-class
  inspect ftp
service-policy global_policy global

In defining the access-list, we define our interesting traffic.

In the class-map, we create a class for FTP traffic.

Then we define the policy for ftp-class traffic; the policy is to inspect it with the FTP inspection engine.

Last, using the service-policy command, we actually apply this policy.

Hope this helps.

Regards,

Vibhor.
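The other half of the question, how to be sure a matched class is actually handed to the FTP engine, comes down to following the Modular Policy Framework chain end to end: the access-list feeds the class-map, the class-map is named under a policy-map, that class carries "inspect ftp", and the policy-map is applied with service-policy. The following Python checker is an added example, not part of the thread and not Cisco tooling; it walks that chain over a configuration fragment and reports which TCP destination ports a given inspection engine is applied to. The sample configuration is constructed to mirror the accepted answer, with the factory-default inspection_default class added for contrast and a deliberately misconfigured class (odd-port) that matches a port but never reaches the FTP engine. The PORT_NAMES and DEFAULT_INSPECTION_PORTS tables are small constructed subsets, and only the keyword forms shown (access-list ... eq PORT, match access-list, match port tcp eq/range, match default-inspection-traffic) are parsed.

```python
"""Follow the ASA Modular Policy Framework chain (access-list -> class-map ->
policy-map -> service-policy ... global) and report which TCP destination
ports a given inspection engine is applied to.

Added example, not Cisco code: the sample config is constructed to mirror the
accepted answer, plus a factory-default style inspection class for contrast.
"""
import re
from collections import defaultdict

# Constructed sample config (assumption: an inspection_default class is present,
# as on a factory-default ASA; odd-port is classified but never given to the FTP engine).
SAMPLE_CONFIG = """\
access-list ftp_traffic extended permit tcp any any eq 21
access-list ftp_traffic extended permit tcp any any eq 2121
class-map inspection_default
 match default-inspection-traffic
class-map ftp-class
 match access-list ftp_traffic
class-map odd-port
 match port tcp eq 2221
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
 class ftp-class
  inspect ftp
 class odd-port
  inspect http
service-policy global_policy global
"""

# Port keywords the ASA accepts in place of numbers (constructed subset).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "http": 80, "www": 80, "https": 443}
# Ports that 'match default-inspection-traffic' ties to each engine (constructed subset).
DEFAULT_INSPECTION_PORTS = {"ftp": {21}, "http": {80}, "dns": {53}}

ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp \S+ \S+ eq (\S+)$")


def _port(token):
    """Translate a port number or ASA port keyword to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_asa_config(text):
    """Collect ACL ports, class-map matches, policy-map inspects and the global policy."""
    cfg = {
        "acl_ports": defaultdict(set),      # ACL name -> destination ports permitted
        "class_acls": defaultdict(set),     # class-map -> ACL names it matches
        "class_ports": defaultdict(set),    # class-map -> ports matched directly
        "class_default": set(),             # class-maps using default-inspection-traffic
        "policies": defaultdict(lambda: defaultdict(set)),  # policy -> class -> engines
        "global_policy": None,
    }
    cls = pol = pol_cls = None
    for raw in text.splitlines():
        line = raw.strip()                  # indentation is cosmetic; keywords carry context
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "access-list":
            cls = pol = pol_cls = None
            m = ACL_RE.match(line)          # only 'permit tcp ... eq PORT' lines count
            if m:
                cfg["acl_ports"][m.group(1)].add(_port(m.group(2)))
        elif words[0] == "class-map":
            cls, pol, pol_cls = words[1], None, None
        elif words[0] == "policy-map":
            cls, pol, pol_cls = None, words[1], None
        elif words[0] == "service-policy":
            cls = pol = pol_cls = None
            if words[-1] == "global":
                cfg["global_policy"] = words[1]
        elif cls is not None and words[0] == "match":
            if line == "match default-inspection-traffic":
                cfg["class_default"].add(cls)
            elif words[1] == "access-list":
                cfg["class_acls"][cls].add(words[2])
            elif words[1:4] == ["port", "tcp", "eq"]:
                cfg["class_ports"][cls].add(_port(words[4]))
            elif words[1:4] == ["port", "tcp", "range"]:
                lo, hi = _port(words[4]), _port(words[5])
                cfg["class_ports"][cls].update(range(lo, hi + 1))
        elif pol is not None and words[0] == "class":
            pol_cls = words[1]
        elif pol_cls is not None and words[0] == "inspect":
            cfg["policies"][pol][pol_cls].add(words[1])
    return cfg


def inspected_ports(cfg, engine):
    """TCP destination ports on which the globally applied policy runs `engine`."""
    ports = set()
    if cfg["global_policy"] is None:
        return ports                        # policy defined but never applied: inspects nothing
    for cls, engines in cfg["policies"][cfg["global_policy"]].items():
        if engine not in engines:
            continue
        if cls in cfg["class_default"]:
            ports |= DEFAULT_INSPECTION_PORTS.get(engine, set())
        ports |= cfg["class_ports"][cls]
        for acl in cfg["class_acls"][cls]:
            ports |= cfg["acl_ports"][acl]
    return ports


if __name__ == "__main__":
    parsed = parse_asa_config(SAMPLE_CONFIG)
    for eng in ("ftp", "http", "dns"):
        print(eng, sorted(inspected_ports(parsed, eng)))
```

Run against the sample, the checker reports FTP inspection on 21 and 2121 only; port 2221 is classified by odd-port but its class carries "inspect http", so the FTP engine never sees it and no data-channel pinhole is opened for it. The last branch in inspected_ports covers the other common mistake, a policy-map that is complete but never applied with service-policy. On the appliance itself the equivalent check is "show service-policy global" (or "show service-policy inspect ftp"), which lists each class with the inspections attached and their packet counters.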

2 REPLIES

New Member

Re: PIX Fixup to ASA Inspect

Excellent. Thank you for clearing that up. The part I was unsure of was how the matched traffic was inspected as an FTP application. You cleared that up very nicely.

Thanks again for the help.
