03-04-2013 07:26 AM - edited 03-11-2019 06:09 PM
Right now I have FTP inspection enabled on an ASA 5510 (code version 8.2(5)). Is it possible to disable that for just a specific interface, or is it only a global command? Thanks in advance!
--Ben
Solved! Go to Solution.
03-04-2013 08:29 AM
Depending on the setup it can be approached in two different ways.
If the traffic will only flow between two interfaces then we can create two specific policy-maps, one per interface, and have the same rules we have globally, except for the FTP inspection.
The other solution, which works with few or many interfaces, is to use an access-list to match the traffic we want to be inspected.
When using the access-list we can define a deny statement for the FTP traffic, which is translated as "don't inspect this", and keep the FTP inspection globally in case there's some traffic in need of it.
access-list inspection deny tcp <source IP> <dst IP> eq ftp
access-list inspection permit ip any any
class-map inspection_default
 no match default-inspection-traffic
 match access-list inspection
May I ask, why do you want to disable the FTP inspection?
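The following is an added example, not configuration from the thread. It takes the access-list idea above one step further: instead of editing the default class, it moves "inspect ftp" into a class of its own, so the exclusion can be written by port and every other default inspection (dns, http, icmp, ...) is left untouched. Assumed values: the FTPS server is reached at 203.0.113.20 on the interface the clients arrive on, the ACL/class names FTP_INSPECT and FTP_INSPECT_CLASS, the inbound interface ACL outside_access_in, and a server passive port range of 50000-50100.

```cisco
! Added example (not from the thread). Assumed: FTPS server 203.0.113.20,
! names FTP_INSPECT / FTP_INSPECT_CLASS / outside_access_in, passive range 50000-50100.
!
! 1. Traffic to inspect as FTP: every control connection to tcp/21 except the one
!    to the FTPS server. In a class-map ACL a "deny" line means "do not match",
!    so that flow is never handed to the FTP inspection engine.
access-list FTP_INSPECT extended deny   tcp any host 203.0.113.20 eq ftp
access-list FTP_INSPECT extended permit tcp any any eq ftp
!
! 2. A class that carries a single inspect command. An access-list-only match
!    is accepted here; the default class (many inspects) is not modified.
class-map FTP_INSPECT_CLASS
 match access-list FTP_INSPECT
!
! 3. Move "inspect ftp" from the default class into the new class.
policy-map global_policy
 class inspection_default
  no inspect ftp
 class FTP_INSPECT_CLASS
  inspect ftp
!
! 4. Caveat: with the control channel encrypted (AUTH TLS on tcp/21) the ASA
!    cannot read the PASV reply, so it no longer opens the data-channel pinhole.
!    The server's configured passive range must be permitted explicitly on the
!    inbound interface ACL, in addition to tcp/21.
access-list outside_access_in extended permit tcp any host 203.0.113.20 eq ftp
access-list outside_access_in extended permit tcp any host 203.0.113.20 range 50000 50100
```

Implicit FTPS (tcp/990) is never matched by the FTP inspection engine, so only explicit FTPS on tcp/21 needs the deny line; the passive-range permit is needed in both cases.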
03-04-2013 11:10 AM
I was disabling FTP inspection for a customer that is trying to use FTPS. I disabled it and it was working, however other customers' FTP sites are not working now. So I guess what I have to do is the second option you listed because there are a few interfaces on this firewall.
Can you explain to me what these commands do?
class-map inspection_default
 no match default-inspection-traffic
 match access-list inspection
Thanks
03-04-2013 11:14 AM
class-map inspection_default --- Default class-map
no match default-inspection-traffic --- Current configuration, matches based on the protocol
match access-list inspection --- Matches based on IP addresses
03-04-2013 12:54 PM
Forgive me if I am asking obvious questions, I've never configured a policy map before. Basically I have several interfaces on a shared firewall, and one interface needs FTP inspection turned off. Will your first option work for that? Just create a separate service policy rule for that specific interface? I am going through the ASDM and adding one but am a little uneasy about applying it because I don't want this to affect all the other interfaces. If I create a new service policy then that won't affect the global policy that is already in place, will it?
Thanks!
03-04-2013 01:05 PM
The first solution was suggested just by the mere fact that it's an option.
That configuration is based on the interfaces but it requires more configuration than the second option.
So, let's stick to the second one.
By default the ASA has this configuration:
class-map inspection_default
 match default-inspection-traffic
It's applied globally and works for most of the traffic because it matches based on the protocol (Layer 4).
Now, this option matches based on the IP address of the packet instead of the interface.
By using the access-list and its "deny" statement we can prevent the ASA from matching that traffic against the inspection policies.
So basically, we can use a "deny" statement for all the traffic that comes from a specific interface and a "permit" to match the rest.
That's what the Access-list does.
Then the class-map will just be the link between the Access-list and the policy-map that is applied globally.
Hope it all made sense.
03-04-2013 01:22 PM
Well I already had the service policy created for the specific interface, I just hadn't applied it yet because I wasn't sure if it would mess with all the other interfaces (default global policy is still there).
In the second option you listed, I am confused about these commands:
access-list inspection deny tcp <source IP> <dst IP> eq ftp
access-list inspection permit ip any any
Will this disallow all traffic over port 21?
03-04-2013 01:45 PM
For the first option you will have to apply a service-policy on both [incoming & outgoing] interfaces.
With the second option, using access-lists,
access-list inspection deny tcp <source IP> <dst IP> eq ftp
The "source IP" section represents the traffic you don't want to inspect.
The "dst IP" command represents the destination of the traffic you don't want to be inspected, it will normally be "any"
The "eq ftp" means that only the ftp traffic from these sources won't be inspected, the rest of the traffic will.
Finally, the "access-list inspection permit ip any any" statement makes sure that the rest of the traffic, including the traffic from other interfaces, will be matched against the policies and inspected.
03-04-2013 01:51 PM
Thanks for all the information. The customer I was going to do this for no longer needs it done, ftp and ftps is working for him now. I am sure I will have to refer to this information sometime in the future. Thanks again.
03-04-2013 02:10 PM
I spoke too soon. They still need it set up. I will give it a shot tomorrow and let you know how it goes. Just to make sure, running the "no match default-inspection-traffic" command will not have any effect on the default global policy that's already in place?
03-04-2013 02:12 PM
It won't have any negative effect, it will just remove that as matching parameter to use the Access-lists instead.
03-04-2013 02:16 PM
I understand, this particular customer doesn't have a list of source IPs that will be connecting to the server. Will this configuration work then:
access-list inspection deny tcp any host "server ip" eq ftp
access-list inspection permit ip any any
03-04-2013 02:17 PM
Great, looks like you get it now.
Yes, that setup will work too.
03-05-2013 07:22 AM
I ran into a bit of a problem, I created the access list, put the correct rules in but I got this error when i put in the "match access-list inspection" command:
"This match command is not allowed in a class-map that is associated to multiple inspect commands."
I ran the commands in the order you listed above and I got the error above. If I run the "match access-list inspection" command first it accepts the command but then will not allow me to run the "no match default-inspection-traffic" command. It gives me this error:
"ERROR: Removing 'match default-inspection-traffic' is not allowed when class-map is being used for more than one 'inspect' command."
This is the output on the cli i am getting now:
class-map inspection_default
 match access-list inspection
 match default-inspection-traffic
Is this acceptable? Will all traffic use the access-list now instead of the default-inspection-traffic?
Thanks
03-05-2013 10:13 AM
If you leave it like that it will still match packets either based on the protocol or the IP address. So it won't work for what we want.
We will need to copy the output of the "show run policy" command because we are going to remove the class-map that is associated with it and its inspection commands in order to be able to match the Access-list.
This is an example of what you will have to do:
1- show run policy-map
output
-----------
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect http
  inspect ftp
2- policy-map global_policy
    no class inspection_default
3- class-map inspection_default
    no match default-inspection-traffic
    match access-list inspection
4- policy-map global_policy
    class inspection_default
     inspect icmp
     inspect http
     inspect ftp
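An added example, not configuration from the thread, showing the form the ASA accepts without either of the errors quoted above. The two error messages state the rule the box enforces: a class that is used by more than one "inspect" command must keep "match default-inspection-traffic". The ASA configuration guide documents adding "match access-list" alongside it to narrow the default class to specific addresses, with one caveat that matters here: ports in that access-list are ignored (the ports come from default-inspection-traffic), so the deny must be written by address and it removes the host from every default inspection, not only FTP. Assumed values: FTPS server 203.0.113.20, a plain-FTP server 203.0.113.30 used for comparison, an outside client 198.51.100.7, the ACL name "inspection" from the thread, and the interface name "outside".

```cisco
! Added example (not from the thread). Assumed: FTPS server 203.0.113.20,
! plain-FTP server 203.0.113.30, client 198.51.100.7, interface "outside".
!
! Address-only deny: ports are ignored when this ACL is combined with
! match default-inspection-traffic, so "eq ftp" would have no effect here.
! Side effect: 203.0.113.20 is excluded from ALL default inspections.
access-list inspection extended deny   ip any host 203.0.113.20
access-list inspection extended permit ip any any
!
! Both match statements stay; this is the state the previous post ended in
! and the configuration guide describes it as narrowing by address.
class-map inspection_default
 match default-inspection-traffic
 match access-list inspection
!
! policy-map global_policy is not touched: "class inspection_default" keeps
! every inspect it already has, including "inspect ftp".
!
! Verification: confirm the class, then trace a tcp/21 flow to each server.
! The FTPS server should show no INSPECT phase for ftp; the plain-FTP server should.
show run class-map inspection_default
show run policy-map global_policy
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 21
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.30 21
!
! The per-inspection counters should increase only for the plain-FTP server
! when a client connects to each:
show service-policy inspect ftp
```

If excluding the host from every default inspection is not acceptable (for example the same server also serves HTTP that should stay inspected), give "inspect ftp" a class of its own whose access-list matches tcp/21 and denies only the FTPS server; a single-inspect class may match an access-list alone, so the port is honoured there.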