Parminder Sian
Level 1

Issue:


FTP traffic destined to the FTP server should not be able to execute the following commands:

  1. put
  2. rmd
  3. rnfr
  4. dele


Resolution:


To achieve the desired result, the following configuration is required using the Modular Policy Framework (MPF):


1. Create a new policy map of type inspect FTP that matches the desired request commands, with reset as the action.


policy-map type inspect ftp FTPCommands
 match request-command put rmd rnfr dele
  reset


2. Configure a TCP-based access-list with any source and the FTP server as the destination, on port 21.


access-list FTP-S permit tcp any host 192.1.22.221 eq 21


3. Now create a new class-map that references the access-list configured in step 2.


class-map FTP-S
 match access-list FTP-S


4. The final step is to call the class-map in the global policy for inspection with the "strict" option.


policy-map global_policy
 class FTP-S
  inspect ftp strict FTPCommands


Assuming that the service policy is already applied globally, the ASA will now block these FTP commands.
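
One way to check a saved configuration against the steps above, as an added example that is not part of the original document: the Python script below parses the config text and reports any of the four commands that is not covered by a reset action under a map referenced by `inspect ftp strict`. The sample config is constructed from the steps above, and the function names are illustrative.

```python
import re

# Constructed sample: the four steps above as they might appear in a saved config.
SAMPLE_CONFIG = """\
access-list FTP-S permit tcp any host 192.1.22.221 eq 21
class-map FTP-S
 match access-list FTP-S
policy-map type inspect ftp FTPCommands
 match request-command put rmd rnfr dele
  reset
policy-map global_policy
 class FTP-S
  inspect ftp strict FTPCommands
"""
REQUIRED = {"put", "rmd", "rnfr", "dele"}  # commands the page wants reset

def blocks(config):
    """Map each top-level line to its indented child lines (lower-cased)."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip().lower()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip().lower())
    return out

def audit_ftp_policy(config, required=REQUIRED):
    """Return findings; an empty list means every required command is reset."""
    cfg, findings = blocks(config), []
    # Inspect maps referenced by 'inspect ftp strict <map>' in any policy-map.
    maps = {m.group(1) for body in cfg.values() for l in body
            if (m := re.fullmatch(r"inspect ftp strict (\S+)", l))}
    if not maps:
        findings.append("no 'inspect ftp strict <map>' found")
    for name in sorted(maps):
        body = cfg.get(f"policy-map type inspect ftp {name}")
        if body is None:
            findings.append(f"{name}: inspect map not defined")
            continue
        reset = set()
        for i, l in enumerate(body):
            # Count a match line only when the action that follows is reset.
            if l.startswith("match request-command ") and \
                    body[i + 1:i + 2] in (["reset"], ["reset log"]):
                reset |= set(l.split()[2:])
        if missing := required - reset:
            findings.append(f"{name}: not reset: {', '.join(sorted(missing))}")
    return findings

if __name__ == "__main__":
    print(audit_ftp_policy(SAMPLE_CONFIG) or "FTP command policy complete")
```

Map names in findings are lower-cased because the parser normalises case before comparing.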
