10-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter10 Configuring Inspection of Basic Internet Protocols
FTP Inspection
Configuring an FTP Inspection Policy Map for Additional Inspection Control
FTP command filtering and security checks are provided using strict FTP inspection for improved
security and control. Protocol conformance includes packet length checks, delimiters and packet format
checks, command terminator checks, and command validation.
Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for
download, but restrict access to certain users. You can block FTP connections based on file type, server
name, and other attributes. System message logs are generated if an FTP connection is denied after
inspection.
If you want FTP inspection to allow FTP servers to reveal their system type to FTP clients, and limit the
allowed FTP commands, then create and configure an FTP map. You can then apply the FTP map when
you enable FTP inspection.
To create an FTP map, perform the following steps:
Step1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the
general operations configuration guide. See the types of text you can match in the match commands
described in Step 3.
Step2 (Optional) Create one or more regular expression class maps to group regular expressions according to
the general operations configuration guide.
Step3 (Optional) Create an FTP inspection class map by performing the following steps.
A class map groups multiple traffic matches. Traffic must match all of the match commands to match
the class map. You can alternatively identify match commands directly in the policy map. The difference
between creating a class map and defining the traffic match directly in the inspection policy map is that
the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string “example.com,” then any traffic that includes “example.com”
does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop, drop-connection,
reset, mask, set the rate limit, and/or log the connection in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly
in the policy map.
a. Create the class map by entering the following command:
ciscoasa(config)# class-map type inspect ftp [match-all | match-any] class_map_name
ciscoasa(config-cmap)#
Where class_map_name is the name of the class map. The match-all keyword is the default, and
specifies that traffic must match all criteria to match the class map. The match-any keyword
specifies that the traffic matches the class map if it matches at least one of the criteria. The CLI
enters class-map configuration mode, where you can enter one or more match commands.
b. (Optional) To add a description to the class map, enter the following command:
ciscoasa(config-cmap)# description string
c. (Optional) To match a filename for FTP transfer, enter the following command:
ciscoasa(config-cmap)# match [not] filename regex [regex_name |
class regex_class_name]
Where the regex_name is the regular expression you created in Step1. The class regex_class_name
is the regular expression class map you created in Step 2.