
Disable 'Inspect FTP' for one flow

Hi everybody,

I have the global service policy enabled on my internet ASA5510:

class-map global-class
  match default-inspection-traffic

policy-map global-policy
  class global-class
    inspect ftp
    inspect http
    inspect bla bla..


I just wanna disable the inspect FTP for one connection between two IP addresses. I configured a new service policy for that connection where there is no inspect FTP allowed. Is that correct?

Thanks.

4 Replies

praprama
Cisco Employee

Hi,

What you can do is remove the inspect ftp that you have configured already. Then create an access-list denying the traffic you do not want to be inspected, with "permit ip any any" following that. Specify this class-map under the global_policy and put an "inspect ftp" over there. Let me know if this works!

Thanks and Regards,

Prapanch

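To put Prapanch's suggestion in CLI commands:

---
! <source-ip> and <destination-ip> are placeholders for the two hosts
! whose FTP flow should not be inspected
access-list ftp-acl deny tcp host <source-ip> host <destination-ip> eq 21
access-list ftp-acl permit tcp any any eq 21

class-map ftp-cm
  match access-list ftp-acl

policy-map global-policy
  class ftp-cm
    inspect ftp
  class global-class
    inspect http
    inspect bla bla
---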
I hope it helps.
PK

Thanks guys. Appreciated.

I'm gonna test it by the next mid-week.

cheers

After you do, feel free to come back and rate the thread for others' future benefit.

PK
