Advanced FTP inspection – Part 1 (CCIE Notes)


Below are the steps to configure a Layer 7 inspection policy using MPF (Modular Policy Framework) in Cisco ASA 8.4. In practice the procedure is pretty much the same on every version anyway.

1. Create an ACL that matches the L3/L4 parameters of your traffic flow. This ACL will be referenced by an L3/L4 class-map.

access-list ftp_acl extended permit tcp any host 10.1.1.20 eq ftp log 

Note: Inbound FTP access to the server must also be permitted on the outside interface, together with a static NAT for the server.

2. Create an L5-L7 policy-map. This policy-map defines the additional inspection parameters for a particular feature, on top of the default inspection parameters. In our example, FTP is the feature whose inspection parameters will be defined.

When an FTP client sends a command that matches any of the commands listed under ftp_policy, the connection will be reset.

policy-map type inspect ftp ftp_policy
 parameters
 match request-command appe put dele rmd 
  reset

3. Create the Layer 3/4 class-map. This class-map restricts the inspection to the traffic flow defined by the ACL matched under it.

class-map ftp_class
 match access-list ftp_acl

4. Create the L3/L4 policy-map that ties the inspection action to the L3/L4 class-map and references the L5/L7 policy-map.

policy-map outside_policy
 class ftp_class
  inspect ftp strict ftp_policy

5. Apply the policy-map to the outside interface so that the inspection applies to any outside source accessing the FTP server hosted behind the firewall.

service-policy outside_policy interface OUT

6. Below are the commands to verify that the inspection has been applied properly and is working as expected.

ASA-FW# show service-policy interface OUT

Interface OUT:
  Service-policy: outside_policy
    Class-map: ftp_class
      Inspect: ftp strict ftp_policy, packet 185, drop 0, reset-drop 4

ASA-FW# show service-policy interface OUT inspect ftp

Interface OUT:
  Service-policy: outside_policy
    Class-map: ftp_class
      Inspect: ftp strict ftp_policy, packet 185, drop 0, reset-drop 4
        match request-command put dele rmd
          reset, packet 4
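The show commands above verify the chain on the box itself. As an added example (not from the original post), the Python below resolves the same MPF chain offline from an exported running-config, so a reviewer can confirm which FTP commands are effectively blocked on a given interface and spot a reference that does not resolve. The config text is constructed from the lines in this post, and the function names are my own.

```python
import re
# Constructed running-config excerpt, assembled from the configuration shown in the steps above.
ASA_CONFIG = """\
access-list ftp_acl extended permit tcp any host 10.1.1.20 eq ftp log
policy-map type inspect ftp ftp_policy
 parameters
 match request-command appe put dele rmd
  reset
class-map ftp_class
 match access-list ftp_acl
policy-map outside_policy
 class ftp_class
  inspect ftp strict ftp_policy
service-policy outside_policy interface OUT
"""

def parse_blocks(config):
    """Map each top-level config line to its indented child lines (deeper nesting is flattened)."""
    blocks, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks[current] = []
    return blocks

def audit_ftp_inspection(config, interface):
    """Resolve service-policy -> policy-map -> class-map -> ACL and -> FTP inspect policy for one interface."""
    blocks, res = parse_blocks(config), {"problems": []}
    m = re.search(rf"^service-policy (\S+) interface {re.escape(interface)}$", config, re.M)
    res["policy_map"] = pm = m.group(1) if m else None
    for line in blocks.get(f"policy-map {pm}", []):
        if line.startswith("class ") and line != "class class-default":
            res["class_map"] = cls = line.split()[1]
            cm = blocks.get(f"class-map {cls}")
            if cm is None:
                res["problems"].append(f"class-map {cls} is not defined")
            res["acls"] = [ln.split()[-1] for ln in cm or [] if ln.startswith("match access-list ")]
        elif line.startswith("inspect ftp"):
            mm = re.fullmatch(r"inspect ftp( strict)?(?: (\S+))?", line)
            res["strict"], res["inspect_policy"] = bool(mm[1]), mm[2]
            body = blocks.get(f"policy-map type inspect ftp {mm[2]}") if mm[2] else []
            if body is None:
                res["problems"].append(f"FTP inspect policy {mm[2]} is not defined")
            res["blocked_commands"] = sorted(c for ln in body or []
                                            if ln.startswith("match request-command ") for c in ln.split()[2:])
    if "inspect_policy" not in res:
        res["problems"].append(f"no FTP inspection reaches interface {interface} (policy-map: {pm})")
    return res
```

Run it against a real `show running-config` export and compare the reported blocked commands with the `match request-command` counters from `show service-policy ... inspect ftp`.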

Below is a screen cap of what an FTP connection reset looks like on the client side:

[Screenshot: FTP reset]

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/ccie
