Cisco Support Community

How to deny certain commands destined for an FTP server using ASA


Clients sending FTP traffic to the FTP server must not be able to execute the following commands:

  1. put
  2. rmd
  3. rnfr
  4. dele


To achieve this, the following configuration is required using the Modular Policy Framework (MPF).

1. Create an FTP inspection policy map that matches the desired request commands and sets the action to reset.

policy-map type inspect ftp FTPCommands
 match request-command put rmd rnfr dele
  reset

2. Configure a TCP access list with any source and the FTP server as the destination on port 21. Replace <FTP-server-IP> with the address of the FTP server.

access-list FTP-S extended permit tcp any host <FTP-server-IP> eq 21

3. Create a new class map that references the access list configured in step 2.

class-map FTP-S
 match access-list FTP-S

4. Finally, reference the class map in the global policy and enable FTP inspection with the "strict" option and the inspection map from step 1.

policy-map global_policy
 class FTP-S
  inspect ftp strict FTPCommands

Assuming the service policy is already applied globally, the ASA will now block these FTP commands.
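To confirm that a saved running-config actually contains the policy from steps 1 to 4, the following added example (not part of the original document and not a Cisco tool) checks that the FTP inspection map resets all four commands and that the map is applied with "inspect ftp strict". The sample config is constructed, 192.0.2.10 is a placeholder documentation address, and, like the document, the check assumes the service policy is already applied.

```python
import re

REQUIRED = {"put", "rmd", "rnfr", "dele"}  # commands this page wants blocked
# Constructed sample config; 192.0.2.10 is a placeholder documentation address.
SAMPLE = """\
policy-map type inspect ftp FTPCommands
 match request-command put rmd rnfr dele
  reset
access-list FTP-S extended permit tcp any host 192.0.2.10 eq 21
class-map FTP-S
 match access-list FTP-S
policy-map global_policy
 class FTP-S
  inspect ftp strict FTPCommands
"""

def blocks(cfg):
    """Group config lines into (top-level line, [indented child lines])."""
    out = []
    for line in filter(str.strip, cfg.splitlines()):
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(cfg):
    """Return a list of findings; an empty list means the policy is in place."""
    findings, maps, applied = [], {}, []
    for head, body in blocks(cfg):
        m = re.fullmatch(r"policy-map type inspect ftp (\S+)", head, re.I)
        if m:
            body = [b.lower() for b in body]
            blocked = set()
            # A match line only blocks anything when the next line is 'reset'.
            for line, action in zip(body, body[1:]):
                if line.startswith("match request-command ") and action == "reset":
                    blocked |= set(line.split()[2:])
            maps[m.group(1)] = blocked
        elif head.lower().startswith("policy-map "):
            for line in body:
                applied += re.findall(r"^inspect ftp strict (\S+)$", line, re.I)
    if not applied:
        findings.append("no 'inspect ftp strict <map>' found")
    for name in applied:
        missing = sorted(REQUIRED - maps.get(name, set()))
        if missing:
            findings.append(f"{name} does not reset: {' '.join(missing)}")
    return findings
```

Running audit() on the text of a saved configuration returns an empty list when the policy is complete, and otherwise names the commands that are not being reset or reports that no inspection map is applied.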

Version history
Revision #: 1 of 1
Last update: 04-18-2011 12:52 AM