I am doing FTP application inspection on traffic that matches an ACL (permit statement), src/dst host.
This part works fine.
However, I want to exclude a group of hosts from being inspected by my own policy, and I want them to use the
global one. I am accomplishing this by using the same ACL as above, but I put a deny statement for the hosts that
I do not wish to go through my custom inspection.
This breaks. I even know why, but I am not sure how to fix it.
Here is my config:
# I do not want this traffic to be inspected by my custom policy
access-list FTP extended deny tcp any host 99.99.99.99 eq ftp
# I want this traffic to be inspected
access-list FTP extended permit tcp any any eq ftp

# this is the application inspection class-map that looks for put commands in ftp
class-map type inspect ftp match-any FTP-PUT-CLASS-MAP
 match request-command put

# now the policy map to perform an action when a put command is found:
policy-map type inspect ftp FTP-PUT-POLICY-MAP
 parameters
 class FTP-PUT-CLASS-MAP
  reset log

# and now match layer 3 and 4 traffic from the acl and apply application inspection:
class-map FTP-CLASS
 match access-list FTP

# and put it into the layer 3 policy:
policy-map MY-POLICY
 class FTP-CLASS
  inspect ftp strict FTP-PUT-POLICY-MAP

# last but not least: apply MY-POLICY to the interface:
service-policy MY-POLICY interface inside

# I also have a default policy in place:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
service-policy global_policy global

Now a description of what is happening:
When I initiate traffic on the inside interface going to the FTP server and that traffic matches permit tcp any any in the ACL, everything works fine. I can see the packet count in show service-policy inspect ftp increase, etc.
Now when the FTP traffic matches the first ACL statement (the deny one), I can FTP to the server but I cannot do dir or ls
commands. I am getting a "connection refused" message. I am getting this message because the traffic that matches the deny statement in my ACL is not going through any FTP inspection at all; therefore, the firewall does not know that it has to allow the second data connection between the FTP client and the server.
I was wondering how come global_policy does not inspect this traffic instead.
This is what I would like to see:
traffic matched and permitted in my FTP ACL should be inspected by my custom policy
traffic matched and denied in my FTP ACL should not be inspected by my policy and should be picked up by the global policy that is also present in the config.
Also:
I do not see the packet count increase under show service-policy for global_policy for traffic that hits the deny statement in my FTP ACL.
Also, to eliminate all other connectivity/NAT/interface ACL issues: the FTP connection works perfectly fine once I remove the service-policy MY-POLICY interface inside command.