topic Disable 'Inspect FTP' for one flow in Network Security

Disable 'Inspect FTP' for one flow

Infrastructure Group — Mon, 11 Mar 2019 18:53:42 GMT

Hi everybody,

I have the global service policy enabled on my internet ASA5510:

class-map global-class match default-inspection-traffic

policy-map global-policy class global-class inspect ftp

inspect http

inspect bla bla..

I just wanna disable the inspect FTP for tone connection between two IP addresses. I configured a new service policy for that connection where there is no inspect FTP allowed. Is that correct?

Thanks.

Re: Disable 'Inspect FTP' for one flow

praprama — Wed, 13 Oct 2010 07:11:07 GMT

Hi,

What you can do is remove inspect ftp that you have configured already. then create an access-list denying the traffic you do not want to be inspected and "permit ip any any" following that. Specify this class-map under the global_policy and put it an "inspect ftp" over there. Let me know if this works!

Thanks and Regards,

Prapanch

Re: Disable 'Inspect FTP' for one flow

Panos Kampanakis — Wed, 13 Oct 2010 18:14:04 GMT

To put Prapanch suggestion in CLI commands

---

access-list ftp-acl deny tcp eq 21

access-list ftp-acl permit tcp any any eq 21

class-map ftp-cm

match access-l ftp-acl

policy-map global-policy

class ftp-cm

inspect ftp

class global-class

inspect http

inspect bla bla

---

I hope it helps.

Re: Disable 'Inspect FTP' for one flow

Infrastructure Group — Thu, 14 Oct 2010 23:29:38 GMT

Thanks guys. Appreciated.

I'm gonna test it by the next mid-week.

cheers

Re: Disable 'Inspect FTP' for one flow

Panos Kampanakis — Fri, 15 Oct 2010 03:56:13 GMT

After you do, feel free to come back and rate the thread for others' future benefit.