Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1203
Views
0
Helpful
0
Comments

How to deny certain commands destined to FTP server using ASA.

Parminder Sian
Level 1
Level 1

‎04-18-2011 12:52 AM - edited ‎03-08-2019 06:40 PM

Issue:


FTP traffic destined to the FTP server should not be able to execute the following commands:

  1. Put
  2. Rmd
  3. Rnfr
  4. dele


Resolution:


To achieve the desired result following configuration is required using MPF


1. Create a new policy map type with match-request as desired commands and action as reset.


Policy-map type inspect FTP FTPCommands
  Match-request command put rmd rnfr dele
     Reset


2. Configure a TCP based access-list with source as any and destination as FTP Server with port number 21.


access-list FTP-S permit tcp any host 192.1.22.221 eq 21


3. Now create a new class-map and call the access-list that was configured in step 2


class-map FTP-S
match access-list FTP-S


4. Final step is to call the class-map in global policy for inspection with "strict" option.


policy-map global_policy
class FTP-S
   inspect FTP strict FTPCommands


Assuming that Service policy is already assigned globally, FTP commands will be blocked by ASA now.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents