How to achieve traffic policing against passive-mode FTP using ASA5500?

jgonzalez79, Level 1

Hi,

I'm experimenting with policing FTP traffic from the outside interface to inside FTP clients on an ASA5510. I am able to police active-FTP connections by using ACLs which monitor ports 20 & 21 and then using MPF. This is easy enough. Passive-FTP is proving not to be as easy to police. On this post the solution was to hard code the passive ports used in the FTP client: https://supportforums.cisco.com/message/862329#862329. I would rather not use this approach as it won't be known who will be doing transfers at any one time.

On the ASA5500 series is there a way to achieve passive-ftp policing "dynamically"?

Thanks

Joel

Accepted Solution

varrao, Level 10

Hi Joel,

There is no feature in the ASA that can automatically police the dynamically changing ports in passive FTP; however, there are just a few tweaks, like:

++ Either apply policing on the entire ip range

++ Or you can match the entire port range to police:

hostname(config)# class-map FTP-DATA
hostname(config-cmap)# match port tcp range 1024 65535

You can also tie the ports if you have settings on your FTP server to
restrict the port usage to a certain pool. If you can do that, then you can
apply policing to those certain ports only.

Otherwise there are no other options to do it.

Hope this helps,

Thanks,
Varun

Thanks,
Varun Rao

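To show how the class-map above plugs into a complete MPF policer, here is an added example configuration (not from Varun's post or from Cisco documentation). It narrows the high-port match to an assumed outside FTP server block (203.0.113.0/24, a placeholder) so that other ephemeral-port traffic is not policed; the rate and burst values are arbitrary and must be tuned to your link.

```cisco
! Added example, not from the original thread. Placeholders/assumptions:
! 203.0.113.0/24 = the outside FTP servers your inside clients talk to;
! 2000000 bps conform rate and 16000-byte burst are arbitrary sample values.
!
! Passive data channels are opened by the inside client towards an
! ephemeral port on the server, so match destination port range 1024-65535
! scoped to the server block rather than every high port on the internet.
access-list FTP-PASV-DATA extended permit tcp any 203.0.113.0 255.255.255.0 range 1024 65535
!
class-map FTP-CONTROL
 description FTP control channel (port 21)
 match port tcp eq 21
!
class-map FTP-DATA
 description Passive FTP data channels to the known server block
 match access-list FTP-PASV-DATA
!
policy-map OUTSIDE-FTP-POLICY
 class FTP-CONTROL
  police input 2000000 16000 conform-action transmit exceed-action drop
 class FTP-DATA
  police input 2000000 16000 conform-action transmit exceed-action drop
!
! "police input" on the outside interface limits traffic entering that
! interface, i.e. downloads from the servers to the inside clients.
service-policy OUTSIDE-FTP-POLICY interface outside
!
! Verify that packets are being classified and counted against the policer:
! show service-policy interface outside police
```

Uploads (client to server) leave the outside interface and are not covered by the policer above; add a `police output` line under the same classes if they also need limiting. Traffic to FTP servers outside the placeholder block will not match FTP-DATA at all, so keep the server list current or fall back to the broader `match port tcp range 1024 65535` from the answer.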

3 Replies


Hi Varun,

Thank you for the speedy reply. At least now I know I'm not blind as I've been looking all over for an answer to this question!

Joel

Great, I was able to answer your query.

-Varun

Thanks,
Varun Rao