Issue:
FTP clients connecting to the FTP server must not be allowed to execute the following FTP commands:
- PUT (upload a file)
- RMD (remove a directory)
- RNFR (rename a file; the first half of the RNFR/RNTO pair)
- DELE (delete a file)
Resolution:
The desired result is achieved with the following Modular Policy Framework (MPF) configuration on the ASA:
1. Create an FTP inspection policy map that matches the unwanted request commands and resets the connection when one is seen. The keywords are lowercase on the ASA (policy-map type inspect ftp, match request-command):
policy-map type inspect ftp FTPCommands
 match request-command put rmd rnfr dele
  reset
2. Configure an extended access list that matches TCP traffic from any source to the FTP server on port 21 (the FTP control channel):
access-list FTP-S extended permit tcp any host 192.1.22.221 eq 21
3. Create a Layer 3/4 class map that references the access list from step 2:
class-map FTP-S
 match access-list FTP-S
4. Finally, reference the class map in the global policy and apply FTP inspection with the "strict" option and the inspection policy map from step 1. Strict mode additionally enforces RFC-compliant use of the control channel (for example, it rejects embedded commands that some web browsers send), so test it against the clients in use:
policy-map global_policy
 class FTP-S
  inspect ftp strict FTPCommands
This assumes the service policy is already applied globally (service-policy global_policy global). One caveat: for a given inspection type the ASA applies only the first class in the policy map that matches the traffic, and the default class inspection_default already matches FTP on port 21 with a plain inspect ftp. Because a newly added class is appended to the end of the policy map, make sure class FTP-S is listed above inspection_default in global_policy (or remove FTP from the default inspection); otherwise the plain inspection wins and the command filter is never applied. Verify with show service-policy inspect ftp. Once applied, the ASA resets any FTP control connection to 192.1.22.221 in which the client sends PUT, RMD, RNFR or DELE.
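As an added example (not part of this note and not Cisco tooling), the following Python script audits an ASA running-config excerpt for the configuration above: it checks that the inspect ftp policy map resets the four commands, that the ACL and class map target the server on port 21, that global_policy applies inspect ftp strict FTPCommands under class FTP-S, that the service policy is applied globally, and that class FTP-S precedes inspection_default when the latter also inspects FTP. The names (FTPCommands, FTP-S, global_policy, 192.1.22.221) are the ones used in the note; the two sample configs are constructed, one showing the ordering pitfall and one corrected.

```python
"""Audit an ASA running-config excerpt for the FTP command-blocking policy.

Added example, not from the original note. Assumes the object names used in
the note (FTPCommands, FTP-S, global_policy, server 192.1.22.221).
"""
import re

BLOCKED = {"put", "rmd", "rnfr", "dele"}


def parse_blocks(config):
    """Split an ASA config into {top-level command: [stripped sub-command lines]}.

    Top-level commands start in column 0; their sub-commands are indented.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def check_ftp_policy_map(blocks, name="FTPCommands"):
    """Return the set of request commands that 'policy-map type inspect ftp <name>' resets."""
    lines = blocks.get(f"policy-map type inspect ftp {name}", [])
    blocked = set()
    for i, line in enumerate(lines):
        m = re.match(r"match request-command (.+)", line)
        if m and i + 1 < len(lines) and lines[i + 1] == "reset":
            blocked.update(m.group(1).split())
    return blocked


def acl_covers_server(blocks, acl, server):
    """True if the ACL has a 'permit tcp any host <server> eq 21|ftp' entry."""
    pat = re.compile(rf"access-list {re.escape(acl)} (extended )?permit tcp any "
                     rf"host {re.escape(server)} eq (21|ftp)$")
    return any(pat.match(header) for header in blocks)


def class_map_acl(blocks, cls):
    """Return the access-list name referenced by 'class-map <cls>', or None."""
    for line in blocks.get(f"class-map {cls}", []):
        m = re.match(r"match access-list (\S+)$", line)
        if m:
            return m.group(1)
    return None


def policy_classes(blocks, policy="global_policy"):
    """Return the ordered list of (class name, [action lines]) in 'policy-map <policy>'."""
    classes = []
    for line in blocks.get(f"policy-map {policy}", []):
        m = re.match(r"class (\S+)$", line)
        if m:
            classes.append((m.group(1), []))
        elif classes:
            classes[-1][1].append(line)
    return classes


def audit(config, server="192.1.22.221", cls="FTP-S", ftp_map="FTPCommands"):
    """Return a list of findings; an empty list means the filter is in place and will take effect."""
    blocks = parse_blocks(config)
    findings = []
    missing = BLOCKED - check_ftp_policy_map(blocks, ftp_map)
    if missing:
        findings.append(f"policy-map {ftp_map} does not reset: {sorted(missing)}")
    acl = class_map_acl(blocks, cls)
    if acl is None:
        findings.append(f"class-map {cls} has no 'match access-list'")
    elif not acl_covers_server(blocks, acl, server):
        findings.append(f"access-list {acl} has no 'permit tcp any host {server} eq 21' entry")
    classes = policy_classes(blocks)
    names = [name for name, _ in classes]
    if cls not in names:
        findings.append(f"class {cls} is not referenced in policy-map global_policy")
    else:
        actions = dict(classes)
        if f"inspect ftp strict {ftp_map}" not in actions[cls]:
            findings.append(f"class {cls} does not apply 'inspect ftp strict {ftp_map}'")
        # Only the first matching class per inspection type is applied, so a plain
        # 'inspect ftp' in inspection_default listed above FTP-S silently wins.
        default_inspects_ftp = any(a.startswith("inspect ftp") for a in actions.get("inspection_default", []))
        if default_inspects_ftp and names.index("inspection_default") < names.index(cls):
            findings.append(f"class {cls} is listed after inspection_default, whose 'inspect ftp' "
                            f"matches first; move {cls} above it")
    if "service-policy global_policy global" not in blocks:
        findings.append("global_policy is not applied with 'service-policy global_policy global'")
    return findings


# Constructed running-config excerpt showing the ordering pitfall: FTP-S was added
# to global_policy after inspection_default, so the plain 'inspect ftp' matches first.
MISORDERED = """\
access-list FTP-S extended permit tcp any host 192.1.22.221 eq 21
class-map inspection_default
 match default-inspection-traffic
class-map FTP-S
 match access-list FTP-S
policy-map type inspect ftp FTPCommands
 match request-command put rmd rnfr dele
  reset
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns
 class FTP-S
  inspect ftp strict FTPCommands
service-policy global_policy global
"""

# Same constructed config with class FTP-S moved above inspection_default.
CORRECTED = MISORDERED.replace(
    " class inspection_default\n  inspect ftp\n  inspect dns\n class FTP-S\n  inspect ftp strict FTPCommands\n",
    " class FTP-S\n  inspect ftp strict FTPCommands\n class inspection_default\n  inspect ftp\n  inspect dns\n",
)

if __name__ == "__main__":
    for label, cfg in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, audit(cfg) or "OK")
```

Feed the script the output of show running-config from the ASA; every finding it prints names the object to fix, and an empty result means the four commands will be reset for connections to the server.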