Filtering ftp requests – Cisco ASA 5505 User Manual

Page 810

Advertising
background image

39-14

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 39 Configuring Filtering Services

Filtering URLs and FTP Requests with an External Server

To enable HTTPS filtering, enter the following command:

Filtering FTP Requests

You must identify and enable the URL filtering server before enabling FTP filtering.

Note

Websense and Secure Computing Smartfilter currently support FTP; older versions of Secure Computing
SmartFilter (formerly known as N2H2) did not support FTP filtering.

When the filtering server approves an FTP connection request, the ASA allows the successful FTP return
code to reach the originating client. For example, a successful return code is “250: CWD command
successful.” If the filtering server denies the request, the FTP return code is changed to show that the
connection was denied. For example, the ASA changes code 250 to “550 Requested file is prohibited by
URL filtering policy.”

To enable FTP filtering, enter the following command:

Command

Purpose

filter https

port[-port] localIP

local_mask foreign_IP foreign_mask [allow]

Example:

hostname# filter https 443 0 0 0 0 0 0 0 0

allow

Enables HTTPS filtering.

Replaces port[-port] with a range of port numbers if a different port than
the default port for HTTPS (443) is used.

Replaces local_ip and local_mask with the IP address and subnet mask of
a user or subnetwork making requests.

Replaces foreign_ip and foreign_mask with the IP address and subnet mask
of a server or subnetwork responding to requests.

The allow option causes the ASA to forward HTTPS traffic without
filtering when the primary filtering server is unavailable.

Command

Purpose

filter

ftp port[-port] localIP local_mask

foreign_IP foreign_mask [allow]

[interact-block]

Example:

hostname# filter ftp 21 0 0 0 0 0 0 0 0

allow

Enables FTP filtering.

Replaces port[-port] with a range of port numbers if a different port than
the default port for FTP (21) is used.

Replaces local_ip and local_mask with the IP address and subnet mask of
a user or subnetwork making requests.

Replaces foreign_ip and foreign_mask with the IP address and subnet mask
of a server or subnetwork responding to requests.

The allow option causes the ASA to forward HTTPS traffic without
filtering when the primary filtering server is unavailable.

Use the interact-block option to prevent interactive FTP sessions that do
not provide the entire directory path. An interactive FTP client allows you
to change directories without typing the entire path. For example, you
might enter cd ./files instead of cd /public/files.

Advertising