Issue:
How to restrict FTP commands so that downloads are allowed only from certain FTP servers. Default FTP inspection allows all FTP commands, so all downloads and uploads pass. To restrict downloads or uploads to and from specific FTP servers, use the following sample configuration.
Solution:
1. Create an access-list listing the FTP servers (TCP/21) for which FTP downloads (updates) are permitted:
access-list Test_FTP permit tcp any host 10.1.1.1 eq 21
access-list Test_FTP permit tcp any host 10.1.1.2 eq 21
access-list Test_FTP permit tcp any host 10.1.1.3 eq 21
2. Create a class-map that matches the above access-list:
class-map Test_FTP
match access-list Test_FTP
3. Create an FTP inspection class-map that matches the commands to be denied:
class-map type inspect ftp match-any FTP-deny-updates
match request-command get
This example matches only the 'get' command (a download); any other FTP request command can be matched in the same class-map.
4. Create an FTP inspection policy-map that references the above inspection class-map and resets (and logs) the matching commands:
policy-map type inspect ftp FTP-deny-updates
parameters
class FTP-deny-updates
reset log
5. Create a separate interface policy-map that applies default FTP inspection (all FTP commands allowed) to the traffic matched in step 1:
policy-map interface_policy
class Test_FTP
inspect ftp
Default FTP inspection is applied to traffic matching the access-list from step 1, so all FTP commands are allowed to those servers.
6. Traffic that does not match the interface policy in step 5 is handled by the global policy, where strict FTP inspection with the FTP-deny-updates policy-map resets the 'get' command:
policy-map global_policy
class inspection-default
inspect ftp strict FTP-deny-updates
7. Apply the interface policy to the inside interface and the inspection policy globally:
service-policy interface_policy interface inside
service-policy global_policy global
Conclusion:
With this configuration, FTP downloads are allowed only from the servers matched by the interface policy; all other FTP downloads fall under the global policy and are reset.
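The following is an added example, not part of the original article: a small Python model of how the ASA resolves the two policies above (interface policy first, then global policy) for a given FTP command, so the expected allow/reset outcome can be checked before the configuration is pushed. The server addresses and policy names mirror the article; the ingress interface names and client flows are constructed sample values.

```python
from dataclasses import dataclass

# Step 1 of the article: FTP servers (destination host, TCP/21) matched by
# access-list Test_FTP, i.e. servers from which downloads are allowed.
TEST_FTP_ACL = [("10.1.1.1", 21), ("10.1.1.2", 21), ("10.1.1.3", 21)]

# Step 3: request commands matched by class-map type inspect ftp FTP-deny-updates.
FTP_DENY_UPDATES = {"get"}

# Interface on which interface_policy is applied (step 7); "inside" per the article.
INTERFACE_POLICY_IFACE = "inside"


@dataclass(frozen=True)
class FtpFlow:
    ingress: str    # interface the control connection enters on (constructed)
    dst_ip: str     # FTP server address
    dst_port: int   # FTP control port
    command: str    # FTP request command seen by inspection, e.g. "get", "put"


def acl_matches(acl, flow):
    """True when the flow matches one of the 'permit tcp any host X eq 21' lines."""
    return any(flow.dst_ip == host and flow.dst_port == port for host, port in acl)


def evaluate(flow):
    """Return (policy_name, action) the ASA would apply to this FTP command."""
    # An interface service policy takes precedence over the global policy for the
    # same feature (ftp inspection). Traffic matching class Test_FTP on 'inside'
    # gets default 'inspect ftp', which allows every command.
    if flow.ingress == INTERFACE_POLICY_IFACE and acl_matches(TEST_FTP_ACL, flow):
        return ("interface_policy", "allow")
    # Everything else falls through to global_policy, where
    # 'inspect ftp strict FTP-deny-updates' resets and logs matched commands.
    if flow.command.lower() in FTP_DENY_UPDATES:
        return ("global_policy", "reset+log")
    return ("global_policy", "allow")
```

Note that a download to 10.1.1.1 entering on any interface other than inside is not covered by interface_policy and is therefore reset by the global policy.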