
How to deny certain commands destined to FTP server using ASA.

Issue:


FTP traffic destined to the FTP server should not be able to execute the following commands:

  1. put
  2. rmd
  3. rnfr
  4. dele


Resolution:


To achieve the desired result, the following configuration is required using the Modular Policy Framework (MPF):


1. Create a new FTP inspection policy map that matches the desired commands with "match request-command" and applies the "reset" action. ASA keywords are lowercase; the map name is user-defined.


policy-map type inspect ftp FTPCommands
 match request-command put rmd rnfr dele
  reset


2. Configure a TCP-based access-list with source "any" and the FTP server as the destination on port 21.


access-list FTP-S permit tcp any host 192.1.22.221 eq 21


3. Now create a new class-map that references the access-list configured in step 2.


class-map FTP-S
match access-list FTP-S


4. The final step is to reference the class-map in the global policy and enable FTP inspection with the "strict" option and the inspection policy map from step 1.


policy-map global_policy
 class FTP-S
  inspect ftp strict FTPCommands


Assuming that the service policy is already applied globally, the ASA will now reset FTP connections to the server that issue any of these commands.
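To make the behaviour of the finished policy concrete, here is an added example (Python, not Cisco code and not part of the original document) that models the decision the ASA makes on each client command: the access-list from step 2 selects sessions to the server on port 21, and the policy map from step 1 resets the connection on the first matching command. The constructed transcript, the server address taken from the access-list, and the mapping of the ASA keyword "put" onto the wire verb STOR are assumptions of the example.

```python
# Added example (not Cisco code): a small model of the FTP inspection policy
# described above, run over a constructed FTP control-channel transcript.
from typing import List, Tuple

FTP_SERVER = "192.1.22.221"   # host from the access-list in step 2
FTP_PORT = 21

# ASA match keyword -> command verb as sent on the control channel (RFC 959).
# The put -> STOR mapping is an assumption about the ASA keyword; the
# remaining keywords are the wire verbs themselves.
KEYWORD_TO_VERB = {"put": "STOR", "rmd": "RMD", "rnfr": "RNFR", "dele": "DELE"}

# Step 1: "match request-command put rmd rnfr dele" with action "reset".
RESET_VERBS = frozenset(KEYWORD_TO_VERB.values())


def matches_class(dst_ip: str, dst_port: int) -> bool:
    """Steps 2 and 3: access-list FTP-S permit tcp any host 192.1.22.221 eq 21.
    Source is 'any', so only the destination is checked."""
    return dst_ip == FTP_SERVER and dst_port == FTP_PORT


def command_verb(line: str) -> str:
    """Return the upper-cased verb of one client control-channel line ('' if blank).
    FTP verbs are case-insensitive, so 'stor x' must match like 'STOR x'."""
    parts = line.strip().split(None, 1)
    return parts[0].upper() if parts else ""


def inspect_session(dst_ip: str, dst_port: int,
                    client_lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the policy to one session.

    Returns (verb, action) per client line, where action is 'not-inspected'
    (session outside class FTP-S), 'allow', or 'reset'. A reset tears down the
    TCP connection, so nothing after the offending command is delivered."""
    if not matches_class(dst_ip, dst_port):
        return [(command_verb(line), "not-inspected") for line in client_lines]
    decisions: List[Tuple[str, str]] = []
    for line in client_lines:
        verb = command_verb(line)
        if verb in RESET_VERBS:
            decisions.append((verb, "reset"))
            break
        decisions.append((verb, "allow"))
    return decisions


# Constructed sample transcript: a client logs in, reads, then tries to upload.
SAMPLE_SESSION = [
    "USER alice",
    "PASS ********",
    "PWD",
    "RETR readme.txt",      # downloads are still allowed
    "stor upload.bin",      # lowercase STOR: matches the 'put' keyword
    "DELE readme.txt",      # never reaches the server
]

if __name__ == "__main__":
    for verb, action in inspect_session(FTP_SERVER, FTP_PORT, SAMPLE_SESSION):
        print(f"{verb:6} -> {action}")
```

The model covers only the command matching; the "strict" keyword on the inspect line additionally makes the ASA enforce RFC-conformant command and response sequencing on the control channel, which is not represented here.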

Version history
Revision #: 1 of 1
Last update: 04-18-2011 12:52 AM