FTP Inspection, FTP Inspection Overview, Using the strict Option – Cisco ASA 5505 User Manual


43-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 43 Configuring Inspection of Basic Internet Protocols


Service-policy: sample_policy
  Class-map: dns_port
    Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0

FTP Inspection

This section describes the FTP inspection engine and includes the following topics:

FTP Inspection Overview, page 43-11

Using the strict Option, page 43-11

Configuring an FTP Inspection Policy Map for Additional Inspection Control, page 43-12

Verifying and Monitoring FTP Inspection, page 43-16

FTP Inspection Overview

FTP application inspection inspects FTP sessions and performs four tasks:

Prepares dynamic secondary data connections

Tracks the FTP command-response sequence

Generates an audit trail

Translates the embedded IP address

FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels
are negotiated through PORT or PASV commands. The channels are allocated in response to a file
upload, a file download, or a directory listing event.

Note

If you disable the FTP inspection engine with the no inspect ftp command, outbound users can start
connections only in passive mode, and all inbound FTP is disabled.

Using the strict Option

Using the strict option with the inspect ftp command increases the security of protected networks by
preventing web browsers from sending embedded commands in FTP requests.

Note

To specify FTP commands that are not permitted to pass through the ASA, create an FTP map according
to the “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section on
page 43-12.

After you enable the strict option on an interface, FTP inspection enforces the following behavior:

An FTP command must be acknowledged before the ASA allows a new command.

The ASA drops connections that send embedded commands.

The 227 and PORT commands are checked to ensure they do not appear in an error string.
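As an added illustration of what these rules amount to (this is not code from the Cisco guide, and the ASA's own implementation is not public), the following Python model of one FTP control session applies the three strict-mode checks above and, as described in the overview, records the data-channel endpoints negotiated through PORT commands and 227 (PASV) replies. The class and function names are my own and the session lines in the usage are constructed.

```python
# Simplified model of 'inspect ftp strict' checks on one FTP control session.
# Not the ASA implementation; an educational approximation of the documented rules.
import re
from dataclasses import dataclass, field

# host/port tuple carried by a PORT command or a 227 (PASV) reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return the (ip, port) embedded in a PORT command / 227 reply, or None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class StrictFtpInspector:
    awaiting_reply: bool = False  # a command has not been acknowledged yet
    data_channels: list = field(default_factory=list)  # (ip, port) pinholes

    def client(self, payload):
        """Inspect one client-to-server segment: 'allow' or 'drop: <reason>'."""
        lines = [l for l in payload.splitlines() if l.strip()]
        if len(lines) != 1:  # several commands smuggled into one request
            return "drop: embedded command in request"
        if self.awaiting_reply:  # a command must be acknowledged first
            return "drop: previous command not yet acknowledged"
        if lines[0].split(" ", 1)[0].upper() == "PORT":
            ep = parse_hostport(lines[0])
            if ep is None:
                return "drop: malformed PORT"
            self.data_channels.append(ep)  # pinhole for the data connection
        self.awaiting_reply = True
        return "allow"

    def server(self, payload):
        """Inspect one server reply and clear the outstanding command."""
        m = re.match(r"(\d{3})[ -](.*)", payload.strip())
        if not m:
            return "drop: malformed reply"
        code, text = int(m.group(1)), m.group(2)
        if code >= 400 and ("227" in text or "PORT" in text.upper()):
            return "drop: 227/PORT inside an error string"
        if code == 227:  # PASV reply: open the pinhole for the data channel
            ep = parse_hostport(text)
            if ep is None:
                return "drop: malformed 227 reply"
            self.data_channels.append(ep)
        self.awaiting_reply = False
        return "allow"
```

Feed it alternating client and server segments of a session; each verdict string names the strict-mode rule that fired, and data_channels lists the endpoints a real inspector would open pinholes for.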
