13-10
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 13      Inspection of Basic Internet Protocols
  FTP Inspection
• Command pipelining—The number of characters present after the port numbers in the PORT command 
and PASV reply is cross-checked against a constant value of 8. If it is more than 8, the TCP 
connection is closed.
• The ASA replaces the FTP server response to the SYST command with a series of Xs to prevent the 
server from revealing its system type to FTP clients. To override this default behavior, use the no 
mask-syst-reply command in the FTP map.
Configure FTP Inspection
FTP inspection is enabled by default. You need to configure it only if you want non-default processing. 
If you want to customize FTP inspection, use the following process.
Procedure
Step 1 Configure an FTP Inspection Policy Map, page 13-10.
Step 2 Configure the FTP Inspection Service Policy, page 13-13.
Configure an FTP Inspection Policy Map
FTP command filtering and security checks are provided using strict FTP inspection for improved 
security and control. Protocol conformance includes packet length checks, delimiters and packet format 
checks, command terminator checks, and command validation. 
Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for 
download, but restrict access to certain users. You can block FTP connections based on file type, server 
name, and other attributes. System message logs are generated if an FTP connection is denied after 
inspection.
If you want FTP inspection to allow FTP servers to reveal their system type to FTP clients, and limit the 
allowed FTP commands, then create and configure an FTP inspection policy map. You can then apply 
the map when you enable FTP inspection.
Before You Begin
Some traffic matching options use regular expressions for matching purposes. If you intend to use one 
of those techniques, first create the regular expression or regular expression class map.
Procedure
Step 1 (Optional) Create an FTP inspection class map by performing the following steps.
A class map groups multiple traffic matches. You can alternatively identify match commands directly in 
the policy map. The difference between creating a class map and defining the traffic match directly in 
the inspection policy map is that the class map lets you create more complex match criteria, and you can 
reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the 
match not command specifies the string “example.com,” then any traffic that includes “example.com” 
does not match the class map.
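The following configuration is an added example, not text from the guide, showing how the pieces described above fit together: a regular expression created first, an FTP inspection class map that uses match not so that only connections to servers other than example.com match, an FTP inspection policy map that keeps the default SYST-reply masking (the no mask-syst-reply form is shown commented out), and the service policy that applies the map with strict inspection. The regex, class-map and policy-map names are placeholders chosen here; global_policy is the default ASA policy map name.

```cisco
! Regular expression used by the class map. Create it first, as the
! "Before You Begin" note requires. The name is a placeholder.
regex ALLOWED_FTP_SERVER "example\.com"

! FTP inspection class map. With "match not", a connection whose server
! name contains example.com does NOT match; every other FTP server does.
class-map type inspect ftp match-all FTP_OTHER_SERVERS
  match not server regex ALLOWED_FTP_SERVER

! FTP inspection policy map. SYST masking is on by default; to let the
! server reveal its system type, replace the line below with
! "no mask-syst-reply". Matching connections are reset and logged.
policy-map type inspect ftp FTP_POLICY
  parameters
    mask-syst-reply
  class FTP_OTHER_SERVERS
    reset log

! Layer 3/4 class map and service policy that apply the FTP map
! (placeholder class-map name; global_policy is the ASA default).
class-map FTP_TRAFFIC
  match port tcp eq 21
policy-map global_policy
  class FTP_TRAFFIC
    inspect ftp strict FTP_POLICY
```

With this in place, FTP sessions to any server other than example.com are reset after inspection and a system message log is generated, while sessions to example.com are inspected but allowed.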