How to restrict FTP commands to allow downloads from certain FTP servers. Default FTP inspection allows all FTP commands and therefore all downloads and uploads. If you would like to restrict downloads or uploads to and from certain FTP servers, refer to the following sample configuration.
1. Create an access-list that lists the FTP servers for which updates (downloads) are allowed:
access-list Test_FTP permit tcp any host 10.1.1.1 eq 21
access-list Test_FTP permit tcp any host 10.1.1.2 eq 21
access-list Test_FTP permit tcp any host 10.1.1.3 eq 21
2. Create a Layer 3/4 class-map matching the above access-list (the class-map name FTP-allowed-servers is an assumed name; the original shows only the match line):
class-map FTP-allowed-servers
 match access-list Test_FTP
3. Create an FTP inspection class-map that matches the FTP commands you want to block. The example only matches the 'get' command, but you can match any FTP command in this class-map:
class-map type inspect ftp match-any FTP-deny-updates
 match request-command get
4. Create an FTP inspection policy-map that references the above inspection class-map:
policy-map type inspect ftp FTP-deny-updates
5. Create a separate interface policy-map that applies default FTP inspection to the traffic matched by the access-list created in step 1, so that all FTP commands are allowed to those servers.
6. Traffic not matched in step 5 falls through to the global default inspection policy, which uses strict FTP inspection with the FTP-deny-updates policy-map and so blocks the GET command:
 inspect ftp strict FTP-deny-updates
7. Apply the policies to the interfaces. Note that a global policy is applied with the keyword 'global', not 'interface global':
service-policy interface_policy interface inside
service-policy global_policy global
The above configuration allows FTP downloads from the servers matched by the interface policy (the interface policy takes precedence over the global policy for traffic it matches) and blocks all other FTP downloads, which are handled by the global policy.
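The complete configuration that the steps above describe, assembled in order as an added example (it is not the original page's configuration). The class-map name FTP-allowed-servers, the interface policy-map name interface_policy, the reset action inside the FTP inspection policy-map, and the use of the ASA default class inspection_default in global_policy are assumptions; the access-list name, server addresses and the FTP-deny-updates names come from the page.

```cisco
! Step 1: FTP servers to which downloads are allowed (addresses from the page)
access-list Test_FTP permit tcp any host 10.1.1.1 eq 21
access-list Test_FTP permit tcp any host 10.1.1.2 eq 21
access-list Test_FTP permit tcp any host 10.1.1.3 eq 21

! Step 2: Layer 3/4 class-map selecting that traffic (assumed name)
class-map FTP-allowed-servers
 match access-list Test_FTP

! Step 3: FTP inspection class-map matching the commands to block.
! Only 'get' is matched here; 'put' could be added to block uploads as well.
class-map type inspect ftp match-any FTP-deny-updates
 match request-command get

! Step 4: FTP inspection policy-map; reset the connection and log when a
! blocked command is seen (action is an assumption, not shown on the page)
policy-map type inspect ftp FTP-deny-updates
 class FTP-deny-updates
  reset log

! Step 5: interface policy with default (permissive) FTP inspection for the
! allowed servers only
policy-map interface_policy
 class FTP-allowed-servers
  inspect ftp

! Step 6: global policy with strict FTP inspection for everything else.
! inspection_default is the ASA default inspection class (assumed here).
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP-deny-updates

! Step 7: apply the policies. A global policy uses 'global', not 'interface'.
service-policy interface_policy interface inside
service-policy global_policy global
```

On the ASA, a feature applied by an interface policy takes precedence over the same feature in the global policy for the traffic that policy matches, so FTP sessions to 10.1.1.1-3 from the inside interface get default inspection, and all other FTP sessions get the strict inspection that resets any session issuing GET. A quick way to confirm which policy is handling a given flow is `show service-policy inspect ftp`, which reports per-policy inspection counters.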