43-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter43 Configuring Inspection of Basic Internet Protocols
FTP Inspection
Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP
RFCs.
If the strict option is enabled, each FTP command and response sequence is tracked for the following
anomalous activity:
Truncated command—Number of commas in the PORT and PASV reply command is checked to see
if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP
connection is closed.
Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as
required by the RFC. If it does not, the connection is closed.
Size of RETR and STOR commands—These are checked against a fixed constant. If the size is
greater, then an error message is logged and the connection is closed.
Command spoofing—The PORT command should always be sent from the client. The TCP
connection is denied if a PORT command is sent from the server.
Reply spoofing—PASV reply command (227) should always be sent from the server. The TCP
connection is denied if a PASV reply command is sent from the client. This prevents the security
hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”
TCP stream editing—The ASA closes the connection if it detects TCP stream editing.
Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024.
As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the
negotiated port falls in this range, then the TCP connection is freed.
Command pipelining—The number of characters present after the port numbers in the PORT and
PASV reply command is cross checked with a constant value of 8. If it is more than 8, then the TCP
connection is closed.
The ASA replaces the FTP server response to the SYST command with a series of Xs. to prevent the
server from revealing its system type to FTP clients. To override this default behavior, use the no
mask-syst-reply command in the FTP map.
Configuring an FTP Inspection Policy Map for Additional Inspection Control
FTP command filtering and security checks are provided using strict FTP inspection for improved
security and control. Protocol conformance includes packet length checks, delimiters and packet format
checks, command terminator checks, and command validation.
Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for
download, but restrict access to certain users. You can block FTP connections based on file type, server
name, and other attributes. System message logs are generated if an FTP connection is denied after
inspection.
If you want FTP inspection to allow FTP servers to reveal their system type to FTP clients, and limit the
allowed FTP commands, then create and configure an FTP map. You can then apply the FTP map when
you enable FTP inspection.
To create an FTP map, perform the following steps:
Step1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the
“Creating a Regular Expression” section on page 13-12. See the types of text you can match in the match
commands described in Step3.