Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter43 Configuring Inspection of Basic Internet Protocols
FTP Inspection
f. (Optional) To match an FTP server, enter the following command:
hostname(config-cmap)# match [not] server regex [regex_name | class regex_class_name]
Where the regex_name is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
g. (Optional) To match an FTP username, enter the following command:
hostname(config-cmap)# match [not] username regex [regex_name | class regex_class_name]
Where the regex_name is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
h. (Optional) To match active FTP traffic commands PORT and EPRT, enter the following command:
hostname(config-cmap)# match [not] active-ftp
i. (Optional) To match passive FTP traffic commands PASV and EPSV, enter the following command:
hostname(config-cmap)# match [not] passive-ftp
Step 4 To create an FTP inspection policy map, enter the following command:
hostname(config)# policy-map type inspect ftp policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 5 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 6 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
Table 43-1 FTP Map request-command deny Options

request-command deny Option    Purpose
appe                           Disallows the command that appends to a file.
cdup                           Disallows the command that changes to the parent directory of the current working directory.
dele                           Disallows the command that deletes a file on the server.
get                            Disallows the client command for retrieving a file from the server.
help                           Disallows the command that provides help information.
mkd                            Disallows the command that makes a directory on the server.
put                            Disallows the client command for sending a file to the server.
rmd                            Disallows the command that deletes a directory on the server.
rnfr                           Disallows the command that specifies the rename-from filename.
rnto                           Disallows the command that specifies the rename-to filename.
site                           Disallows commands that are specific to the server system; usually used for remote administration.
stou                           Disallows the command that stores a file using a unique file name.
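The following configuration is an added worked example, not text from the guide: it ties the steps above together into one FTP inspection policy, using both ways of selecting traffic (a direct match request-command inside the policy map, and a class map that combines a username regex with request-command matching). The names ANON_USERS, FTP_ANON_UPLOAD and FTP_POLICY are assumed for illustration; the command keywords are the ones documented in this chapter.

```cisco
! Added example (not from the guide). Names ANON_USERS, FTP_ANON_UPLOAD and
! FTP_POLICY are illustrative.
!
! Step 1: regular expression later referenced by the class map.
! Matches the two conventional anonymous login names exactly.
regex ANON_USERS "^(anonymous|ftp)$"
!
! Step 3: FTP class map. match-all means a connection must satisfy every
! criterion, so this class only fires on an anonymous login that tries to
! write to the server.
class-map type inspect ftp match-all FTP_ANON_UPLOAD
 match username regex ANON_USERS
 match request-command appe put stou mkd
!
! Steps 4-6: FTP inspection policy map.
policy-map type inspect ftp FTP_POLICY
 description Reset destructive and admin commands; block anonymous uploads
 parameters
  mask-banner
  mask-syst-reply
 ! Step 6a, first method: match the commands directly in the policy map.
 ! Deletes, directory removal, renames and SITE (remote administration)
 ! are reset and logged for every FTP session.
 match request-command dele rmd rnfr rnto site
  reset log
 ! Step 6a, second method: reference the class map built above.
 class FTP_ANON_UPLOAD
  reset log
!
! Attach the policy map to FTP inspection. A policy map can only be
! applied together with the strict keyword.
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_POLICY
```

Two checks are worth doing after applying this. First, verify that the policy map is actually attached with show service-policy inspect ftp and that the class and match lines appear as intended with show running-config policy-map. Second, note that strict inspection enforces command/reply sequencing on the control channel in addition to applying the policy map, so test with the FTP clients actually in use before deploying it on a production interface; the match not form of each match command is available if it is easier to describe the allowed commands than the denied ones.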