Table 43-1 – Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 43 Configuring Inspection of Basic Internet Protocols
FTP Inspection (page 43-14)

f. (Optional) To match an FTP server, enter the following command:

hostname(config-cmap)# match [not] server regex [regex_name | class regex_class_name]

Where regex_name is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2.

g. (Optional) To match an FTP username, enter the following command:

hostname(config-cmap)# match [not] username regex [regex_name | class regex_class_name]

Where regex_name is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2.

h. (Optional) To match active FTP traffic commands PORT and EPRT, enter the following command:

hostname(config-cmap)# match [not] active-ftp

i. (Optional) To match passive FTP traffic commands PASV and EPSV, enter the following command:

hostname(config-cmap)# match [not] passive-ftp

Step 4

To create an FTP inspection policy map, enter the following command:

hostname(config)# policy-map type inspect ftp policy_map_name
hostname(config-pmap)#

Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.

Step 5

(Optional) To add a description to the policy map, enter the following command:

hostname(config-pmap)# description string

Step 6

To apply actions to matching traffic, perform the following steps.

a. Specify the traffic on which you want to perform actions using one of the following methods:

Table 43-1    FTP Map request-command deny Options

request-command deny Option   Purpose
appe                          Disallows the command that appends to a file.
cdup                          Disallows the command that changes to the parent directory of the current working directory.
dele                          Disallows the command that deletes a file on the server.
get                           Disallows the client command for retrieving a file from the server (the RFC 959 RETR command on the control channel).
help                          Disallows the command that provides help information.
mkd                           Disallows the command that makes a directory on the server.
put                           Disallows the client command for sending a file to the server (the RFC 959 STOR command on the control channel).
rmd                           Disallows the command that deletes a directory on the server.
rnfr                          Disallows the command that specifies the rename-from filename.
rnto                          Disallows the command that specifies the rename-to filename.
site                          Disallows commands that are specific to the server system. Usually used for remote administration.
stou                          Disallows the command that stores a file using a unique file name.
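As an added worked example (not configuration from the original guide), the following shows the complete configuration that the steps above build up: the Step 1 regular expressions, the Step 2 regex class map, the Step 3 FTP inspection class map using the server, username, and active/passive matches, and the Step 4 through Step 6 FTP inspection policy map, finally attached to a service policy so that it takes effect. All object names (FTP-ADMIN-USERS, FTP-POLICY, FTP-TRAFFIC, and so on), the regex patterns, and the particular set of denied commands are assumptions chosen for illustration.

```cisco
! Step 1: regular expressions referenced by the class maps (patterns are assumed).
regex FTP-ADMIN-USERS "^(root|admin)$"
regex FTP-INTERNAL-SERVERS "^ftp[0-9]+\.example\.com$"
!
! Step 2: regular expression class map grouping the server patterns.
class-map type regex match-any FTP-INTERNAL-SERVER-CLASS
 match regex FTP-INTERNAL-SERVERS
!
! Step 3: FTP inspection class map. match-all means every match line must hold:
! an administrative username logging in to a server that is NOT in the internal
! class, over an active-mode (PORT/EPRT) session.
class-map type inspect ftp match-all FTP-ADMIN-LOGIN
 match username regex FTP-ADMIN-USERS
 match not server regex class FTP-INTERNAL-SERVER-CLASS
 match active-ftp
!
! Steps 4-6: FTP inspection policy map. The class from Step 3 is reset and
! logged; destructive request commands from Table 43-1 are denied for everyone
! by an inline match. parameters hides the banner and SYST reply from clients.
policy-map type inspect ftp FTP-POLICY
 description Reset admin logins to external servers; deny destructive commands
 parameters
  mask-banner
  mask-syst-reply
 class FTP-ADMIN-LOGIN
  reset log
 match request-command appe dele put rmd rnfr rnto site stou
  reset log
!
! Attach the inspection policy map to FTP traffic in a global service policy.
! A dedicated Layer 3/4 class is used here rather than editing inspection_default.
class-map FTP-TRAFFIC
 match port tcp eq ftp
policy-map global_policy
 class FTP-TRAFFIC
  inspect ftp strict FTP-POLICY
service-policy global_policy global
```

The strict keyword on inspect ftp makes the engine enforce the RFC 959 command and reply sequence in addition to the policy map, so embedded or out-of-order commands are dropped rather than passed through; omit it only if a legacy client cannot tolerate it. Because the username match is evaluated on the USER command, it cannot see logins that happen after the control channel has already been allowed to carry other commands, which is why the destructive-command deny is applied inline to all sessions rather than only inside the class. Verify the policy is in effect and counting hits with show service-policy inspect ftp.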
