topic FTP inspection in Network Security

FTP inspection

Benjamin Saito — Tue, 12 Mar 2019 01:09:15 GMT

Right now I have ftp inspection enabled on an asa 5510 (code version 8.2(5)), is it possible to disable that for just a specific interface or does it only a global command? Thanks in advance!

--Ben

FTP inspection

jocamare — Mon, 04 Mar 2013 16:29:43 GMT

Depending on the setup it can be approached in two different ways.

If the traffic will only flow between two interfaces then we can create two specific policy-maps, one per interface, and have the same rules we have globally, except for the FTP inspection.

The other solution, that works with few or many interfaces, will be to use an Access-list to match the traffic we want to be inspected.

When using the Access-lists we can define a deny statement for the FTP traffic, which is translated as "don't inspect this" and keep the FTP inspection globally in case there's some traffic in need for it.

Access-list inspection deny ip eq ftp

Access-list inspection permit ip any any

class-map inspection_default

no match default-inspection-traffic

match access-list inspection

May i ask, why do you want to disable the FTP inspection?

FTP inspection

Benjamin Saito — Mon, 04 Mar 2013 19:10:28 GMT

I was disabling ftp inspection for a customer that is trying to use ftps. I disabled it and it was working, however other customers ftp sites are not working now. So I guess what I have to do is the second option you listed because there are a few interfaces on this firewall.

Can you explain to me what these commands do?

class-map inspection_default

no match default-inspection-traffic

match access-list inspection

Thanks

FTP inspection

jocamare — Mon, 04 Mar 2013 19:14:33 GMT

Class-map inspection_default ---Default class-map

no match default-inspection-traffic --Current configuration, matches based on the protocol

match access-list inspection --Matches based on IP addresses

FTP inspection

Benjamin Saito — Mon, 04 Mar 2013 20:54:00 GMT

Forgive me if I am asking obvious questions, I've never configured a policy map before. Basically I have several interface on a shared firewall, and one interface needs ftp inspection turned off. Will your first option work for that? Just create a seperate service policy rule for that specific interface? I am going through the asdm and adding one but am a little uneasy about applying it because I don't want this to effect all the other interface. If I create a new service policy then that won't effect the global policy that is already in place will it?

Thanks!

FTP inspection

jocamare — Mon, 04 Mar 2013 21:05:55 GMT

The first suggested solution was suggested just by the mere fact that it's an option.

The configuration is based on the interfaces but it requires more configuration than the second option.

So, let's stick to the second one.

By default the ASA has this configuration:

Class-map inspection_default

match default-inspection-traffic

It's applied globally and works for most of the traffic because it matches based on the protocol [L4]

Now, this option matches based on the IP address of the packet instead of the interface.

By using the Access-list and its "deny" statement we can exclude the ASA to match the traffic agains the inspection policies.

So basically, we can use a "deny" statement for all the traffic that comes from a specific interface and a "permit" to match the rest.

That's what the Access-list does.

Then the class-map will just be the link between the Access-list and the policy-map that is applied globally.

Hope it all made sense.

FTP inspection

Benjamin Saito — Mon, 04 Mar 2013 21:22:13 GMT

Well I already had the service policy created for the specific interface, I just hadn't applied it yet because I wasn't sure if it would mess with all the other interfaces (default global policy is still there).

In the second option you listed, I am confused about these commands:

Access-list inspection deny ip eq ftp

Access-list inspection permit ip any any

Will this disallow all traffic over port 21?

FTP inspection

jocamare — Mon, 04 Mar 2013 21:45:13 GMT

For the fist option you will have to apply a service-policy on both [incoming & outgoing] interfaces.

With the second option, using Access-lists,

Access-list inspection deny ip eq ftp

The "source IP" section represents the traffic you don't want to inspect.

The "dst IP" command represents the destination of the traffic you don't want to be inspected, it will normally be "any"

The "eq ftp" means that only the ftp traffic from these sources won't be inspected, the rest of the traffic will.

Finally, the Access-list inspection permit ip any any statement is making sure that the rest of traffic, including the one from other interfaces, will be matched against the policies and its traffic inspected.

FTP inspection

Benjamin Saito — Mon, 04 Mar 2013 21:51:27 GMT

Thanks for all the information. The customer I was going to do this for no longer needs it done, ftp and ftps is working for him now. I am sure I will have to refer to this information sometime in the future. Thanks again.

FTP inspection

Benjamin Saito — Mon, 04 Mar 2013 22:10:13 GMT

I spoke too soon. They still need it set up. I will give it a shot tomorrow and let you know how it goes. Just to make sure, running the "no match default-inspection-traffic" command will not have any effect on the default global policy that's already in place?

FTP inspection

jocamare — Mon, 04 Mar 2013 22:12:15 GMT

It won't have any negative effect, it will just remove that as matching parameter to use the Access-lists instead.

FTP inspection

Benjamin Saito — Mon, 04 Mar 2013 22:16:04 GMT

I understand, this poarticular customer doesn't have a list of source ip's that will be connecting to the server. Will this configuration work then:

Access-list inspection deny ip any "server ip" eq ftp

Access-list inspection permit ip any any

FTP inspection

jocamare — Mon, 04 Mar 2013 22:17:59 GMT

Great, looks like you get it now.

Yes, that setup will work too.

Re: FTP inspection

Benjamin Saito — Tue, 05 Mar 2013 15:22:43 GMT

I ran into a bit of a problem, I created the access list, put the correct rules in but I got this error when i put in the "match access-list inspection" command:

"This match command is not allowed in a class-map that is associated to multiple inspect commands."

I ran the commands in the order you listed above and I got the error above. If I run the "match access-list inpection" first it accepts the command but then will not allow me to run the "no match default-inspection-traffic" command. It will give me this error:

"ERROR: Removing 'match default-inspection-traffic' is not allowed when class-map is being used for more than one 'inspect' command."

This is the output on the cli i am getting now:

class-map inspection_default

match access-list inspection

match default-inspection-traffic

Is this acceptable? Will all traffic use the access-list now instead of the default-inspection-traffic?

Thanks

Re: FTP inspection

jocamare — Tue, 05 Mar 2013 18:13:14 GMT

If you leave it like that it will still match packets either based on the protocol or the IP addresss. So it won't work for what we want.

We will need to copy the output of the "show run policy" command because we are going to remove the class-map that is associated with it and its inspection commands in order to be able to match the Access-list.

This is an example of what you will have to do:

1- Show run policy

output

-----------

policy-map global_policy

class inspection_default

inspect icmp

inspect http

inspect ftp

2- policy-map global_policy

no class inspection_default

3-class inspection_default

match access-list inspection

4- policy-map global_policy

class inspection_default

inspect icmp

inspect http

inspect ftp

Re: FTP inspection

Benjamin Saito — Fri, 08 Mar 2013 17:23:19 GMT

I didn't perform the step above, at the moment this is what I have on the firewall:

class-map inspection_default

match access-list inspection

match default-inspection-traffic

Everything seems to be working so I am not going to change anything. Thanks again for your help!

Re: FTP inspection

jocamare — Fri, 08 Mar 2013 18:42:51 GMT

On the class-map it matches the Access-list first and will not get the to the "match default-inspection-traffic" so it's like it isn't even there.

Suggested steps were in order to have a clear configuration, glad it works.