Aim:
To deny FTP uploads while still allowing downloads.
Topology:
Configuration:
Create a class-map of type inspect ftp that matches the FTP put request command (the STOR verb on the wire):
ASA-5510-8x(config)# class-map type inspect ftp match-all FTP_CLASS
ASA-5510-8x(config-cmap)# match request-command put
ASA-5510-8x(config-cmap)# exit
Create a policy-map of type inspect ftp, call the class above in it, and set the action to reset (the log keyword is optional):
ASA-5510-8x(config)# policy-map type inspect ftp FTP_POLICY
ASA-5510-8x(config-pmap)# class FTP_CLASS
ASA-5510-8x(config-pmap-c)# reset log
ASA-5510-8x(config-pmap-c)# exit
ASA-5510-8x(config-pmap)# exit
Create a normal (Layer 3/4) policy-map, call the default inspection class, and enable FTP inspection with the strict option, referencing the FTP inspect policy-map created above:
ASA-5510-8x(config)# policy-map FTP_POLICY_1
ASA-5510-8x(config-pmap)# class inspection_default
ASA-5510-8x(config-pmap-c)# inspect ftp strict FTP_POLICY
ASA-5510-8x(config-pmap-c)# exit
ASA-5510-8x(config-pmap)# exit
Now apply the policy to the inside interface:
ASA-5510-8x(config)# service-policy FTP_POLICY_1 interface inside
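The following Python model is an added example, not Cisco code and not part of the original post. It simulates how the ASA Modular Policy Framework classifies commands on the FTP control channel under the policy above: FTP_CLASS matches request-command put (the STOR verb), FTP_POLICY resets matching connections, and everything else, including the RETR download, passes through. The request-command keywords in the mapping table are those the ASA command reference accepts; the session transcript is constructed. The second policy object (FTP_POLICY_UPLOADS) is a hypothetical variant that is not on the page: it illustrates that "put" covers only STOR, so a class that also matches appe and stou is needed if APPE and STOU uploads must be denied too.

```python
"""Simulation of the ASA FTP inspection policy configured above.

Added example: models the MPF decision for FTP control-channel commands.
The ASA_REQUEST_COMMAND keywords are the ones 'match request-command'
accepts; the session transcript and file names are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# RFC 959 verb on the wire -> keyword accepted by 'match request-command'.
ASA_REQUEST_COMMAND = {
    "STOR": "put",   # store (upload) a file
    "RETR": "get",   # retrieve (download) a file
    "APPE": "appe",  # append to a file (also an upload)
    "STOU": "stou",  # store with a unique name (also an upload)
    "DELE": "dele", "MKD": "mkd", "RMD": "rmd", "RNFR": "rnfr",
    "RNTO": "rnto", "CDUP": "cdup", "HELP": "help", "SITE": "site",
}


@dataclass
class FtpClassMap:
    """'class-map type inspect ftp' holding request-command match statements."""
    name: str
    request_commands: Set[str]

    def matches(self, asa_keyword: str) -> bool:
        # The page's match-all class has a single match statement, so it
        # decides exactly like a match-any class with the same keyword set.
        return asa_keyword in self.request_commands


@dataclass
class FtpInspectPolicy:
    """'policy-map type inspect ftp': ordered (class, action) pairs."""
    name: str
    classes: List[Tuple[FtpClassMap, str]]

    def decide(self, command_line: str) -> str:
        """Return the action ('reset' or 'permit') for one client command."""
        parts = command_line.split()
        verb = parts[0].upper() if parts else ""
        keyword = ASA_REQUEST_COMMAND.get(verb)
        if keyword is not None:
            for class_map, action in self.classes:
                if class_map.matches(keyword):
                    return action
        # Commands matching no class fall through to normal inspection.
        return "permit"


def simulate(policy: FtpInspectPolicy, session: List[str]) -> List[Tuple[str, str]]:
    """Walk a control-channel transcript; a reset tears the connection down,
    so no later command in the same session is processed."""
    decisions = []
    for line in session:
        action = policy.decide(line)
        decisions.append((line, action))
        if action == "reset":
            break
    return decisions


# Policy exactly as configured on the page: one class, put -> reset.
PAGE_POLICY = FtpInspectPolicy(
    "FTP_POLICY", [(FtpClassMap("FTP_CLASS", {"put"}), "reset")]
)

# Hypothetical broader variant (not on the page): a match-any class covering
# every upload verb, so APPE and STOU are reset as well as STOR.
ALL_UPLOADS_POLICY = FtpInspectPolicy(
    "FTP_POLICY_UPLOADS",
    [(FtpClassMap("FTP_UPLOAD_CLASS", {"put", "appe", "stou"}), "reset")],
)

# Constructed client transcript: a login, a download, then an upload attempt.
SESSION = ["USER alice", "PASS s3cret", "RETR report.pdf", "STOR backup.tar"]

if __name__ == "__main__":
    for line, action in simulate(PAGE_POLICY, SESSION):
        print(f"{line:<20} -> {action}")
    # APPE slips past the page's single-keyword class but not the broader one.
    print("APPE under page policy:  ", simulate(PAGE_POLICY, ["APPE notes.txt"]))
    print("APPE under upload policy:", simulate(ALL_UPLOADS_POLICY, ["APPE notes.txt"]))
```

Running the script shows the login and RETR permitted and the session reset at STOR, which is the behaviour the configuration above produces. The strict keyword on inspect ftp adds checks the model does not reproduce: it enforces RFC-compliant command/response sequencing on the control channel and drops connections that embed commands in unexpected places, which is why the reset decision can be trusted to apply to the real verb the client sent.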