Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1041
Views
0
Helpful
7
Replies

FTP?

Go to solution
abhi-adte
Level 1
Level 1

‎01-07-2011 09:09 AM - edited ‎03-11-2019 12:31 PM

hi,

I want to know if I have FTP Server and I want to configure something on firewall or Routers so Client or user have only read-only access to FTP server or user can not upload or download the data from FTP server??

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to abhi-adte

‎01-12-2011 06:09 AM

Abhinay,

If you want the users to have only read-only permission on the ftp server then, this needs to be done on the ftp server. Firewall has no knowledge of whether you have read-only, full-control, change or write permission to a folder. All it knows is IP address and ports. If the acl allows it it will allow the connection.

Unless you are talking about strict ftp inspection where you can block certain ftp commands like mkdir, put can be dropped and reset when sent via ftp protocol via MPF (modular policy framework)

-KS

View solution in original post

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-12-2011 06:12 AM

Exactly.

What I'm saying is that an ''advanced'' Layer 7 Policy Map for FTP could include more detailed restrictions (application access) as to specify read-only or write-access, which commands are allowed, etc... (definitely not with an ACL).

You can check this here:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_basic.html#wp1810407

Federico.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-07-2011 09:24 AM

Hi,

The ASA can be configured with an FTP map to provide application inspection and instruct the ASA to allow only certain type of commands, and other restrictions.

This is creating a Layer 7 Policy MAP and class MAP for FTP.

Federico.

0 Helpful

Go to solution
abhi-adte
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-09-2011 02:17 PM

You are talking abt the FPM or MPF..??    

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to abhi-adte

‎01-09-2011 04:15 PM

Well...

FPM is on IOS and MPF is either on IOS or ASAs.

Federico.

0 Helpful

Go to solution
abhi-adte
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-12-2011 05:51 AM

this is ok and good; but some one told me it can done via ACL so I tried but its not done from me if u get some thing about it pls share with me...

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to abhi-adte

‎01-12-2011 06:09 AM

Abhinay,

If you want the users to have only read-only permission on the ftp server then, this needs to be done on the ftp server. Firewall has no knowledge of whether you have read-only, full-control, change or write permission to a folder. All it knows is IP address and ports. If the acl allows it it will allow the connection.

Unless you are talking about strict ftp inspection where you can block certain ftp commands like mkdir, put can be dropped and reset when sent via ftp protocol via MPF (modular policy framework)

-KS

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-12-2011 06:12 AM

Exactly.

What I'm saying is that an ''advanced'' Layer 7 Policy Map for FTP could include more detailed restrictions (application access) as to specify read-only or write-access, which commands are allowed, etc... (definitely not with an ACL).

You can check this here:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_basic.html#wp1810407

Federico.

0 Helpful

Go to solution
abhi-adte
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-12-2011 06:50 AM

Thanks to all...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card