13-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
FTP Inspection
Step 2 Create an FTP inspection policy map:
hostname(config)# policy-map type inspect ftp policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 3 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 4 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
• If you created an FTP class map, specify it by entering the following command:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
• Specify traffic directly in the policy map using one of the match commands described for FTP
class maps. If you use a match not command, then any traffic that does not match the criterion
in the match not command has the action applied.
b. Specify the action you want to perform on the matching traffic by entering the following command:
hostname(config-pmap-c)# reset [log]
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server or
client. Add the log keyword to send a system log message.
You can specify multiple class or match commands in the policy map. For information about the order
of class and match commands, see How Multiple Traffic Classes are Handled, page 12-4.
Step 5 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to
disable the option:
• mask-banner—Masks the greeting banner from the FTP server.
• mask-syst-reply—Masks the reply to syst command.
Example
Before submitting a username and password, all FTP users are presented with a greeting banner. By
default, this banner includes version information useful to hackers trying to identify weaknesses in a
system. The following example shows how to mask this banner:
hostname(config)# policy-map type inspect ftp mymap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# mask-banner
hostname(config)# class-map match-all ftp-traffic
hostname(config-cmap)# match port tcp eq ftp
hostname(config)# policy-map ftp-policy
hostname(config-pmap)# class ftp-traffic
To Next Page
Loading...
Need help?
General
