Cisco Community
English
Register
ANNOUNCEMENT - Upcoming Changes in the email address of Community email notifications - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

How to deny certain commands destined to FTP server using ASA.

Labels:
938
Views
0
Helpful
0
Comments
Parminder Sian
Beginner
‎04-18-2011 12:52 AM
edited on: ‎03-08-2019 ‎06:40 PM

Issue:


FTP traffic destined to the FTP server should not be able to execute the following commands:

  1. Put
  2. Rmd
  3. Rnfr
  4. dele


Resolution:


To achieve the desired result following configuration is required using MPF


1. Create a new policy map type with match-request as desired commands and action as reset.


Policy-map type inspect FTP FTPCommands
  Match-request command put rmd rnfr dele
     Reset


2. Configure a TCP based access-list with source as any and destination as FTP Server with port number 21.


access-list FTP-S permit tcp any host 192.1.22.221 eq 21


3. Now create a new class-map and call the access-list that was configured in step 2


class-map FTP-S
match access-list FTP-S


4. Final step is to call the class-map in global policy for inspection with "strict" option.


policy-map global_policy
class FTP-S
   inspect FTP strict FTPCommands


Assuming that Service policy is already assigned globally, FTP commands will be blocked by ASA now.

0 Helpful
Latest Contents
cisco AMP4E on Centos
Created by akash.tiwari on 07-06-2020 12:26 PM
1
0
1
0
hi Marvin/team, I will be implementing an AMP4E solution for the centos server.I need to know what kind of prerequisites from the customer end.is there any kind of port that needs to be open on the running Firewall?can you provide a stepwis... view more
HAT vs Incoming mail policy
Created by bgd_nikola on 07-06-2020 11:42 AM
0
0
0
0
If we whitelist sender/domain/IP Address in the HAT and also in the Incoming mail policy, how mail will be processed ?What will take precedence ?
UDP Constant IP Identification Field Fingerprinting Vulnerab...
Created by royerbalaguera on 07-06-2020 11:19 AM
0
0
0
0
Hi, I have a WS-C3650-48PS IOS 03.07.04E cat3k_caa-universalk9. The following appears in a network security report: The host transmits UDP packets with a constant IP Identification field. This behavior may be exploited to discover the opera... view more
Is Snort inspection bidirectional regardless of ACP rule dir...
Created by Larry Sullivan on 07-06-2020 10:33 AM
2
0
2
0
Hi, Say an ACP rule allows a LAN IP from inside to out and has inspection turned on.  Does Snort only inspect the outgoing packets or does it also inspect the return established traffic?  Thanks.
Cisco AnyConnect - slow file transfer
Created by a.davis on 07-06-2020 09:46 AM
1
0
1
0
Hi, I have a Cisco ASA 5516-X with AnyConnect Premium. My home network is around 120 Mbps download and 20 Mbps upload and in the office we have a 200 Mbps leased line but whenever I download or upload a file to the server my transfer speed tends to b... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners

Follow our Social Media Channels