Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 43 Configuring Inspection of Basic Internet Protocols
Service-policy: sample_policy
Class-map: dns_port
Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
FTP Inspection
This section describes the FTP inspection engine. This section includes the following topics:
FTP Inspection Overview, page 43-11
Using the strict Option, page 43-11
Configuring an FTP Inspection Policy Map for Additional Inspection Control, page 43-12
Verifying and Monitoring FTP Inspection, page 43-16

FTP Inspection Overview

The FTP application inspection inspects the FTP sessions and performs four tasks:
Prepares dynamic secondary data connections
Tracks the FTP command-response sequence
Generates an audit trail
Translates the embedded IP address
FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels
are negotiated through PORT or PASV commands. The channels are allocated in response to a file
upload, a file download, or a directory listing event.
Note If you disable the FTP inspection engine with the no inspect ftp command, outbound users can start
connections only in passive mode, and all inbound FTP is disabled, because the ASA no longer learns the
negotiated data ports from the control channel and so cannot open the secondary connections.
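The following Python model shows what the first and fourth tasks above amount to on the wire: the engine reads the PORT command (client to server) or the 227 reply to PASV (server to client), decodes the h1,h2,h3,h4,p1,p2 string into the address and port of the secondary data connection, rewrites the embedded address when the speaker is behind NAT, and records the pinhole that must be opened for that one connection. This is an added illustration written for this page, not Cisco's implementation; the NAT table, the addresses and the pinhole dictionary layout are made up, and the refusal of a PORT address that differs from the control-channel client is an extra check this page does not describe.

```python
"""Model of FTP inspection preparing the secondary (data) connection and
translating the address embedded in PORT / 227.  Added example, not Cisco
code; NAT table and addresses are constructed for illustration."""
import re

# PORT h1,h2,h3,h4,p1,p2 from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$", re.I)
PASV_RE = re.compile(r"^227 (.*?)\((\d{1,3}(?:,\d{1,3}){5})\)(.*)$")

# Constructed NAT table: inside real address -> mapped (outside) address
NAT_INSIDE_TO_MAPPED = {"10.1.1.5": "203.0.113.5"}


def decode_hostport(spec):
    """'10,1,1,5,4,1' -> ('10.1.1.5', 1025); the port is p1*256 + p2."""
    parts = [int(x) for x in spec.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("bad host-port string: " + spec)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport: ('203.0.113.5', 1025) -> '203,0,113,5,4,1'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_port(line, client_ip, nat):
    """Client -> server control line.  In active mode the *server* will connect
    to the address the client advertises, so the pinhole is server -> client:port.
    When the client is behind NAT the embedded real address is rewritten to the
    mapped one, and the pinhole records both so the data connection can be
    translated back on arrival."""
    m = PORT_RE.match(line)
    if not m:
        return {"action": "forward", "line": line, "pinhole": None}
    try:
        ip, port = decode_hostport(m.group(1))
    except ValueError as err:
        return {"action": "drop", "reason": str(err)}
    # Extra check (not from the guide): a PORT address that is not the control
    # channel's own client is a classic FTP bounce attempt; refuse it.
    if ip != client_ip:
        return {"action": "drop", "reason": f"PORT address {ip} is not the client {client_ip}"}
    mapped = nat.get(ip, ip)
    pinhole = {"initiator": "server", "dst_real": ip, "dst_mapped": mapped, "dst_port": port}
    return {"action": "forward", "line": f"PORT {encode_hostport(mapped, port)}", "pinhole": pinhole}


def inspect_pasv_reply(line, server_ip, nat):
    """Server -> client reply.  In passive mode the *client* connects outbound to
    the address in the 227 reply, so the pinhole is client -> server:port.  A
    server behind NAT has its real address in the reply rewritten to the mapped one."""
    m = PASV_RE.match(line)
    if not m:
        return {"action": "forward", "line": line, "pinhole": None}
    try:
        ip, port = decode_hostport(m.group(2))
    except ValueError as err:
        return {"action": "drop", "reason": str(err)}
    if ip != server_ip:
        return {"action": "drop", "reason": f"227 address {ip} is not the server {server_ip}"}
    mapped = nat.get(ip, ip)
    pinhole = {"initiator": "client", "dst_real": ip, "dst_mapped": mapped, "dst_port": port}
    rewritten = f"227 {m.group(1)}({encode_hostport(mapped, port)}){m.group(3)}"
    return {"action": "forward", "line": rewritten, "pinhole": pinhole}


if __name__ == "__main__":
    # Inside client 10.1.1.5 goes active: its PORT is rewritten to the mapped address
    print(inspect_port("PORT 10,1,1,5,4,1", "10.1.1.5", NAT_INSIDE_TO_MAPPED))
    # Outside server replies to PASV: the client-side pinhole is 192.0.2.10:50000
    print(inspect_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80).", "192.0.2.10", {}))
    # Bounce attempt: PORT names a third host, so the connection is dropped
    print(inspect_port("PORT 192,0,2,99,0,25", "10.1.1.5", NAT_INSIDE_TO_MAPPED))
```

The pinhole carries both the real and the mapped destination because the two halves of the data connection see different addresses: the peer connects to the mapped address, and the firewall must translate it back to the real host while still restricting the opening to that one port.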

Using the strict Option

Using the strict option with the inspect ftp command increases the security of protected networks by
preventing web browsers from sending embedded commands in FTP requests.
Note To specify FTP commands that are not permitted to pass through the ASA, create an FTP map according
to the “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section on
page 43-12.
After you enable the strict option on an interface, FTP inspection enforces the following behavior:
An FTP command must be acknowledged before the ASA allows a new command.
The ASA drops connections that send embedded commands.
The 227 and PORT commands are checked to ensure they do not appear in an error string.
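The three rules above can be made concrete with a small model of a strict-mode control-channel inspector. It is an added illustration written for this page, not Cisco's implementation of inspect ftp strict, and it fixes some details the page leaves open: a request segment is taken to carry an "embedded command" when a CR or LF sits inside it before the terminating CRLF; a 1yz preliminary reply (for example 150 before a transfer) does not count as acknowledging the command, only the final reply does; multi-line replies (230- ... 230) are tracked as one reply; and the error-string rule is read as "no 227 passive-mode address and no PORT host-port string inside a 4yz or 5yz reply", so an error that merely mentions the word PORT is still allowed. The transcripts are constructed.

```python
"""Model of the three checks this page attributes to 'inspect ftp strict'.
Added example, not Cisco code.  Transcripts below are constructed."""
import re

CMD_RE = re.compile(r"^[A-Za-z]{3,4}(?: [^\r\n]*)?$")        # VERB [argument]
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")                # code, ' ' final / '-' continued
PASV_ADDR = re.compile(r"\b227\b.*?\(\d{1,3}(?:,\d{1,3}){5}\)")
PORT_ADDR = re.compile(r"\bPORT\s+\d{1,3}(?:,\d{1,3}){5}\b", re.I)


class StrictFtpInspector:
    def __init__(self):
        self.pending = None     # verb of the command still awaiting its final reply
        self.multiline = None   # code of an open multi-line reply, e.g. "230-..."
        self.verdict = "open"   # "open" or "dropped"
        self.reasons = []

    def _drop(self, reason):
        self.verdict = "dropped"
        self.reasons.append(reason)
        return False

    def client(self, segment):
        """One client -> server segment.  Returns True while the connection stays open."""
        if self.verdict != "open":
            return False
        if not segment.endswith("\r\n"):
            return self._drop(f"unterminated command {segment!r}")
        body = segment[:-2]
        # Rule 2: a CR or LF inside one request means a second command rides along
        if "\r" in body or "\n" in body:
            return self._drop(f"embedded command in {segment!r}")
        if not CMD_RE.match(body):
            return self._drop(f"malformed command {body!r}")
        verb = body.split()[0].upper()
        # Rule 1: the previous command must be acknowledged before a new one is allowed
        if self.pending is not None:
            return self._drop(f"{verb} sent before {self.pending} was acknowledged")
        self.pending = verb
        return True

    def server(self, segment):
        """One server -> client segment; it may carry several reply lines."""
        if self.verdict != "open":
            return False
        for line in segment.split("\r\n"):
            if line == "":
                continue
            m = REPLY_RE.match(line)
            if self.multiline is None:
                if not m:
                    return self._drop(f"malformed reply {line!r}")
                code, sep = m.group(1), m.group(2)
            else:
                # inside "nnn-" text: the reply ends at a line starting with "nnn "
                code = self.multiline
                sep = " " if (m and m.group(1) == code and m.group(2) == " ") else "-"
            # Rule 3: a 227 address or PORT host-port string must not appear in an error reply
            if code[0] in "45" and (PASV_ADDR.search(line) or PORT_ADDR.search(line)):
                return self._drop(f"data-channel address inside error reply {line!r}")
            if sep == "-":
                self.multiline = code
                continue
            self.multiline = None
            # 1yz is preliminary; the command is acknowledged only by its final reply
            if code[0] != "1":
                self.pending = None
        return True


def inspect(transcript):
    """transcript: list of ('C' | 'S', segment).  Returns (verdict, reasons)."""
    insp = StrictFtpInspector()
    for who, seg in transcript:
        if not (insp.client(seg) if who == "C" else insp.server(seg)):
            break
    return insp.verdict, insp.reasons


# Constructed transcripts
GOOD = [("S", "220 Service ready\r\n"), ("C", "USER anonymous\r\n"),
        ("S", "331 Password required\r\n"), ("C", "PASS guest@\r\n"),
        ("S", "230-Welcome\r\n No uploads.\r\n230 Logged in\r\n"), ("C", "PASV\r\n"),
        ("S", "227 Entering Passive Mode (192,0,2,10,195,80).\r\n"), ("C", "RETR file.txt\r\n"),
        ("S", "150 Opening data connection\r\n"), ("S", "226 Transfer complete\r\n"),
        ("C", "QUIT\r\n")]
PIPELINED = [("S", "220 ok\r\n"), ("C", "USER a\r\n"), ("C", "PASS b\r\n")]
EMBEDDED = [("S", "220 ok\r\n"), ("C", "CWD pub\r\nPORT 10,1,1,5,4,1\r\n")]
BAD_ERROR = [("S", "220 ok\r\n"), ("C", "LIST\r\n"),
             ("S", "550 227 Entering Passive Mode (192,0,2,10,195,80)\r\n")]
LEGIT_ERROR = [("S", "220 ok\r\n"), ("C", "PORT 10,1,1,5,4,1\r\n"),
               ("S", "500 PORT command not understood\r\n")]

if __name__ == "__main__":
    for name, t in [("GOOD", GOOD), ("PIPELINED", PIPELINED), ("EMBEDDED", EMBEDDED),
                    ("BAD_ERROR", BAD_ERROR), ("LEGIT_ERROR", LEGIT_ERROR)]:
        print(name, inspect(t))
```

Run as a script it prints the verdict for each transcript; the EMBEDDED case is the one the strict option is chiefly aimed at, a browser or script pushing a second command (here a PORT) inside what looks like a single request.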