Below are the steps to configure a Layer 7 inspection policy using MPF (Modular Policy Framework) in Cisco ASA 8.4. The procedure is essentially the same for all versions anyway.
1. Create an ACL that matches the L3/L4 parameters of your traffic flow. This ACL will be referenced by an L3/L4 class-map; the `log` keyword is optional and only logs hits on the ACL, it has nothing to do with the inspection itself.
access-list ftp_acl extended permit tcp any host 10.1.1.20 eq ftp log
Note: this ACL only selects which flow gets the extra inspection. The FTP server must also be reachable from the outside, which means a static NAT for it and an inbound ACL on the outside interface that permits TCP/21 to it. On ASA 8.3 and later, ACLs reference the real (untranslated) address, which is why 10.1.1.20 appears here even though the server is NATed.
2. Create an L5/L7 inspection policy-map (policy-map type inspect). This policy-map defines the additional inspection parameters for a particular protocol on top of the default inspection. In our example, FTP is the protocol whose inspection parameters will be defined.
When an FTP client sends any of the commands listed under ftp_policy (APPE, STOR, DELE or RMD; `put` is the ASA keyword for the STOR command), the ASA resets the control connection.
policy-map type inspect ftp ftp_policy
 parameters
 match request-command appe put dele rmd
  reset
3. Create the Layer 3/4 class-map. This class-map matches the traffic flow defined in the ACL, so the inspection is applied only to that flow and not to every FTP session crossing the interface.
class-map ftp_class
 match access-list ftp_acl
4. Create the policy-map that ties the L3/L4 class-map to the inspection action and to the L5/L7 policy-map. The `strict` keyword additionally enforces RFC 959 compliance on the control channel and drops requests that do not follow the normal command/reply sequence.
policy-map outside_policy
 class ftp_class
  inspect ftp strict ftp_policy
5. Apply the policy-map to the outside interface so that the inspection is applied to any source from the outside accessing the FTP server hosted behind the firewall. An interface can carry only one service-policy, so if OUT already has one, add ftp_class to that existing policy-map instead. For the matching flow, this interface policy takes precedence over the `inspect ftp` in the default global_policy.
service-policy outside_policy interface OUT
6. Below are the commands to verify that the inspection has been applied and is working as expected. `packet` counts flows inspected by the class; `reset-drop` increments each time the reset action fires, and the per-match line shows which match clause triggered it.
ASA-FW# show service-policy interface OUT

Interface OUT:
  Service-policy: outside_policy
    Class-map: ftp_class
      Inspect: ftp strict ftp_policy, packet 185, drop 0, reset-drop 4

ASA-FW# show service-policy interface OUT inspect ftp

Interface OUT:
  Service-policy: outside_policy
    Class-map: ftp_class
      Inspect: ftp strict ftp_policy, packet 185, drop 0, reset-drop 4
        match request-command put dele rmd
          reset, packet 4
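Two things a practitioner wants after steps 1-6: a client-side way to confirm that the listed commands really get reset (rather than merely refused by the server), and a way to read the `show service-policy ... inspect ftp` counters programmatically when polling the firewall. The script below is an added example written for this post, not Cisco's or the author's code. The host, credentials and the `probe.txt`/`probe_dir` names passed to `probe_ftp_policy()` are assumptions; the embedded sample output is the `show service-policy interface OUT inspect ftp` output quoted above, so the parser part runs offline.

```python
"""Client-side probe of the ASA FTP inspection policy plus a parser for its counters.

Added example for this post (not Cisco or the post author's code).  Host,
credentials and file/directory names given to probe_ftp_policy() are
assumptions; SAMPLE_OUTPUT is the show output quoted in the post.
"""
import ftplib
import io
import re


def probe_ftp_policy(host, user, password, port=21, timeout=5):
    """Send each command the policy targets, one fresh control session per command.

    Returns {asa_keyword: outcome}.  'reset' means the session died while the
    command was in flight, which is what the policy's reset action looks like
    from the client.  'rejected: ...' means the server itself answered with an
    error reply, i.e. the command reached the server and inspection let it through.
    ASA keyword -> FTP verb on the wire: appe=APPE, put=STOR, dele=DELE, rmd=RMD.
    """
    attempts = {
        "appe": lambda f: f.storbinary("APPE probe.txt", io.BytesIO(b"probe\n")),
        "put":  lambda f: f.storbinary("STOR probe.txt", io.BytesIO(b"probe\n")),
        "dele": lambda f: f.delete("probe.txt"),
        "rmd":  lambda f: f.rmd("probe_dir"),
    }
    results = {}
    for keyword, send in attempts.items():
        ftp = ftplib.FTP()
        ftp.connect(host, port, timeout=timeout)  # connect failure = reachability problem, let it raise
        try:
            ftp.login(user, password)             # USER/PASS are not in the match list, so login succeeds
            send(ftp)
            results[keyword] = "accepted"
        except ftplib.Error as exc:               # 4xx/5xx reply: the server saw the command
            results[keyword] = "rejected: %s" % exc
        except (EOFError, OSError):               # RST, broken pipe or timeout mid-command
            results[keyword] = "reset"
        finally:
            ftp.close()
    return results


INSPECT_RE = re.compile(
    r"Inspect:\s+(?P<inspect>[^,]+),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset_drop>\d+)")
MATCH_RE = re.compile(r"match request-command\s+(?P<cmds>.+?)\s*$")
ACTION_RE = re.compile(r"^\s*(?P<action>reset|drop|log),\s+packet\s+(?P<packet>\d+)")


def parse_inspect_ftp(output):
    """Parse 'show service-policy interface <if> inspect ftp' into a dict of counters."""
    stats = {"inspect": None, "packet": 0, "drop": 0, "reset_drop": 0, "matches": []}
    current = None
    for line in output.splitlines():
        m = INSPECT_RE.search(line)
        if m:
            stats["inspect"] = m.group("inspect").strip()  # e.g. 'ftp strict ftp_policy'
            for key in ("packet", "drop", "reset_drop"):
                stats[key] = int(m.group(key))
            continue
        m = MATCH_RE.search(line)
        if m:  # a match clause; its action and hit count come on the next line
            current = {"commands": m.group("cmds").split(), "action": None, "packet": 0}
            stats["matches"].append(current)
            continue
        m = ACTION_RE.match(line)
        if m and current is not None:
            current["action"] = m.group("action")
            current["packet"] = int(m.group("packet"))
            current = None
    return stats


def blocked_commands(stats):
    """ASA keywords whose match clause carries the reset action."""
    return {c for m in stats["matches"] if m["action"] == "reset" for c in m["commands"]}


def policy_is_active(stats, policy="ftp_policy"):
    """True when the named L7 policy is attached and has inspected at least one packet.

    An attached policy with packet 0 usually means the class-map/ACL did not match the flow.
    """
    return (stats["inspect"] is not None
            and policy in stats["inspect"].split()
            and stats["packet"] > 0)


# Constructed from the show output quoted in the post.
SAMPLE_OUTPUT = """\
Interface OUT:
  Service-policy: outside_policy
    Class-map: ftp_class
      Inspect: ftp strict ftp_policy, packet 185, drop 0, reset-drop 4
        match request-command put dele rmd
          reset, packet 4
"""

if __name__ == "__main__":
    import sys
    stats = parse_inspect_ftp(SAMPLE_OUTPUT)
    print("policy active:", policy_is_active(stats))
    print("blocked:", sorted(blocked_commands(stats)), "reset-drop:", stats["reset_drop"])
    if len(sys.argv) == 4:  # python ftp_policy_check.py <host> <user> <password>
        for kw, outcome in probe_ftp_policy(*sys.argv[1:]).items():
            print("%-5s %s" % (kw, outcome))
```

Run the probe from a host on the outside of the firewall against the FTP server's NATed address; each command is sent in its own session because the first reset kills the control connection. Feed the parser the output of the `show` command collected over SSH and alert when `reset_drop` increments or when `policy_is_active()` turns false after a config change (a policy that is attached but never sees a packet is the classic symptom of a class-map or ACL that does not match the flow).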
Below is a screen capture of what the FTP connection reset looks like on the client side:
Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/ccie