
Restricting FTP downloads using MPF on ASA/PIX/FWSM

Issue:

How to restrict FTP commands so that downloads are allowed only from certain FTP servers. The default FTP inspection allows all FTP commands, and therefore all downloads and uploads. If you want to restrict downloads or uploads to and from specific FTP servers, refer to the following sample configuration.

Solution:

1. Create an access-list that lists the FTP servers from which downloads (updates) are allowed:

access-list Test_FTP permit tcp any host 10.1.1.1 eq 21
access-list Test_FTP permit tcp any host 10.1.1.2 eq 21
access-list Test_FTP permit tcp any host 10.1.1.3 eq 21

2. Create a Layer 3/4 class-map matching the above access-list:

class-map Test_FTP
 match access-list Test_FTP

3. Create an FTP inspect class-map that matches the FTP commands to be denied:

class-map type inspect ftp match-any FTP-deny-updates
 match request-command get

The example only matches the 'get' command (downloads); you can match any other FTP command in the above class-map.


4. Create an FTP inspect policy-map that references the above inspect class-map and defines the action (reset the connection and log it):

policy-map type inspect ftp FTP-deny-updates
 parameters
 class FTP-deny-updates
  reset log


5. Create a separate interface policy that applies the default FTP inspection, which allows all FTP commands:

policy-map interface-policy
 class Test_FTP
  inspect ftp

Default FTP inspection is applied to the traffic matching the access-list created in step 1, so all FTP commands are allowed to those servers.


6. Traffic not matched in step 5 falls through to the global default inspection policy, where strict FTP inspection with the inspect policy-map from step 4 denies the FTP 'get' command:

policy-map global_policy
 class inspection-default
  inspect ftp strict FTP-deny-updates


7. Apply the policies: the interface policy to the inside interface, and the global policy globally (the policy-map name in the service-policy command must match the name defined in step 5 exactly):

service-policy interface-policy interface inside
service-policy global_policy global



Conclusion:


The above configuration allows FTP downloads from the servers matched by the interface policy and restricts all other FTP downloads, which are matched by the global policy.
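A configuration of this kind has several cross-references (access-list to class-map, class-map to policy-map, policy-map to service-policy), and a typo in any one of them means the firewall applies something other than what was intended. The following added example, which is not Cisco's code nor part of the original post, is a small reference checker: it parses the class-map, policy-map, match, inspect and service-policy lines of an ASA/PIX/FWSM-style config text and reports every name that is referenced but never defined. The sample configs are constructed for this example and contain a hyphen/underscore mismatch between the policy-map name and the service-policy command.

```python
"""Added example (not Cisco's code): a reference checker for the MPF objects
used in an FTP-inspection configuration. It reads an ASA/PIX/FWSM-style config
text and reports any class-map, policy-map or access-list that is referenced
but never defined. The sample configs below are constructed for this example."""
import re

# Classes the firewall defines implicitly; referencing them is always valid.
BUILTIN_CLASSES = {"inspection-default", "class-default"}


def parse_mpf(config: str) -> dict:
    """Collect defined MPF objects and every reference that must resolve."""
    found = {"acls": set(), "l34_classes": set(), "ftp_classes": set(),
             "l34_policies": set(), "ftp_policies": set(), "refs": []}
    context = None  # "policy", "ftp_policy" or "class": the block we are in
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"access-list (\S+) ", line):
            found["acls"].add(m.group(1))
        elif m := re.match(r"class-map type inspect ftp (?:match-(?:any|all) )?(\S+)$", line):
            found["ftp_classes"].add(m.group(1))
            context = "class"
        elif m := re.match(r"class-map (\S+)$", line):
            found["l34_classes"].add(m.group(1))
            context = "class"
        elif m := re.match(r"policy-map type inspect ftp (\S+)$", line):
            found["ftp_policies"].add(m.group(1))
            context = "ftp_policy"
        elif m := re.match(r"policy-map (\S+)$", line):
            found["l34_policies"].add(m.group(1))
            context = "policy"
        elif m := re.match(r"match access-list (\S+)$", line):
            found["refs"].append(("acl", m.group(1), line))
        elif m := re.match(r"class (\S+)$", line):
            # Inside 'policy-map type inspect ftp' a class must be an FTP inspect
            # class-map; inside a Layer 3/4 policy-map it must be a normal one.
            kind = "ftp_class" if context == "ftp_policy" else "l34_class"
            found["refs"].append((kind, m.group(1), line))
        elif m := re.match(r"inspect ftp strict (\S+)$", line):
            found["refs"].append(("ftp_policy", m.group(1), line))
        elif m := re.match(r"service-policy (\S+) (?:interface \S+|global)$", line):
            found["refs"].append(("l34_policy", m.group(1), line))
    return found


def check_mpf(config: str) -> list:
    """Return one message per reference to an object that was never defined."""
    p = parse_mpf(config)
    defined = {"acl": p["acls"],
               "l34_class": p["l34_classes"] | BUILTIN_CLASSES,
               "ftp_class": p["ftp_classes"],
               "ftp_policy": p["ftp_policies"],
               "l34_policy": p["l34_policies"]}
    return [f"{line!r} refers to undefined {kind} {name!r}"
            for kind, name, line in p["refs"] if name not in defined[kind]]


# Constructed sample: the policy-map is named with a hyphen but applied with an
# underscore, so the inside interface never receives the permissive FTP policy.
SAMPLE_MISMATCHED = """\
access-list Test_FTP permit tcp any host 10.1.1.1 eq 21
class-map Test_FTP
 match access-list Test_FTP
class-map type inspect ftp match-any FTP-deny-updates
 match request-command get
policy-map type inspect ftp FTP-deny-updates
 parameters
 class FTP-deny-updates
  reset log
policy-map interface-policy
 class Test_FTP
  inspect ftp
policy-map global_policy
 class inspection-default
  inspect ftp strict FTP-deny-updates
service-policy interface_policy interface inside
service-policy global_policy global
"""

# The same config with the service-policy name corrected.
SAMPLE_FIXED = SAMPLE_MISMATCHED.replace("service-policy interface_policy",
                                         "service-policy interface-policy")

if __name__ == "__main__":
    for name, cfg in (("mismatched", SAMPLE_MISMATCHED), ("fixed", SAMPLE_FIXED)):
        problems = check_mpf(cfg)
        print(f"{name}: {len(problems)} problem(s)")
        for msg in problems:
            print("  " + msg)
```

Running the script reports one problem for the mismatched sample (the service-policy line refers to the undefined policy-map interface_policy) and none for the corrected one. The same check catches an inspect ftp strict line that names an FTP inspect policy-map which does not exist, which would otherwise leave the global policy running plain strict inspection without the command restriction.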
