Advanced FTP Inspection – Part 2 | Using REGEX values (CCIE Notes)

This is part 2 of the previous Advanced FTP inspection post. Here we’ll see how to configure advanced inspection for FTP to allow a certain user to access a particular directory on an FTP server using REGEX.

The requirement is to allow only the username ‘admin’ from Inside to access a directory named ‘confidential’ and a file named ‘accounts’ on an FTP server hosted in your DMZ.

1. Create an ACL that matches your traffic flow;

access-list ftp_traffic_acl permit tcp any host eq 21

2. Create a L3/L4 class-map to match the traffic flow;

class-map ftp_traffic_class
 match access-list ftp_traffic_acl

3. Create the REGEX values for the username and directory;

regex ftp_user "admin"
regex ftp_dir "\/confidential"

4. Create a L5/L7 class-map that uses match-all, so every match line under it must be true for the class to match. The following class-map matches the ‘confidential’ directory AND any username other than ‘admin’ (the ‘match not’ negates the username regex).

class-map type inspect ftp match-all ftp_access_class
 match filename regex ftp_dir
 match not username regex ftp_user

5. Create a L5/L7 policy-map and call the L5/L7 class-map underneath it as the matching criterion. In combination with the above L5/L7 class-map this gives us exactly what we wanted: if any user other than ‘admin’ tries to access the ‘confidential’ directory on the FTP server, the connection is reset and logged by the inspection engine of the ASA.

policy-map type inspect ftp ftp_access_policy
 class ftp_access_class
  reset log

Note: You can apply a L5/L7 class-map only underneath a L5/L7 policy map.

6. Configure the L3/L4 policy map. Call the L3/L4 class-map as the matching criterion and inspect FTP using the L5/L7 policy map configured above.

policy-map inside_policy
 class ftp_traffic_class
  inspect ftp strict ftp_access_policy

Verification of the config:-

ASA-FW# show service-policy interface IN inspect ftp table

Interface IN:
 Service-policy: inside_policy
 Class-map: ftp_traffic_class
 Inspect: ftp strict ftp_access_policy, packet 157, drop 0, reset-drop 1
 Class-map: ftp_access_class
 Number of filters 2, action: reset log
 Filter id: 0, subid/is_regex: 0x0/0, value_type: VALUE_REGEX
 value: 21(0x15)/ftp_dir, value_high: 21(0x15)
 mask_match: NONE, mask_value: 0x0, negate: 0
 Filter id: 4, subid/is_regex: 0x0/0, value_type: VALUE_REGEX
 value: 20(0x14)/ftp_user, value_high: 20(0x14)
 mask_match: NONE, mask_value: 0x0, negate: 1

Points to remember:-

1. While configuring a REGEX, escape any special characters in the string with a backslash. Example: “\/confidential”

2. L5/L7 class-maps can only be used under L5/L7 policy maps.

3. Remember the different types of match that can be done in a L3/L4 class-map (ACL, port, any, tunnel-group).

4. Multiple match commands are not supported, except for ‘match tunnel-group’ together with ‘match default-inspection-traffic’ under a L5/L7 class-map.

5. In a L5/L7 class-map, match-all is a Logical-AND operation. Match-any is a Logical-OR operation.
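To check the match-all / match-not logic of steps 4 and 5 before committing it to the firewall, here is an added example (not ASA code and not from the original post) that models how the inspection engine evaluates the ftp_access_class class-map against a few constructed FTP sessions. It also shows a caveat of the unanchored “admin” regex: a username such as “sysadmin” contains “admin”, so it is treated like admin and allowed.

```python
import re

# Constructed model of the L5/L7 FTP class-map evaluation described in the post.
# This is NOT ASA code; it only reproduces match-all / match-any / match-not
# semantics so the policy can be reasoned about against sample sessions.

# regex objects as configured: regex ftp_user "admin", regex ftp_dir "\/confidential"
REGEXES = {
    "ftp_user": re.compile(r"admin"),
    "ftp_dir": re.compile(r"\/confidential"),
}

# class-map type inspect ftp match-all ftp_access_class
#   match filename regex ftp_dir        -> ("filename", "ftp_dir", negated=False)
#   match not username regex ftp_user   -> ("username", "ftp_user", negated=True)
FTP_ACCESS_CLASS = {
    "mode": "match-all",  # Logical AND; "match-any" would be Logical OR
    "matches": [
        ("filename", "ftp_dir", False),
        ("username", "ftp_user", True),
    ],
}

def line_matches(session, attribute, regex_name, negated):
    """Evaluate one 'match' line against an FTP session (a dict of attributes)."""
    hit = REGEXES[regex_name].search(session.get(attribute, "")) is not None
    return (not hit) if negated else hit

def class_map_matches(class_map, session):
    results = [line_matches(session, *m) for m in class_map["matches"]]
    return all(results) if class_map["mode"] == "match-all" else any(results)

def policy_action(session, class_map=FTP_ACCESS_CLASS):
    """policy-map ftp_access_policy: 'reset log' when the class matches, else allow."""
    return "reset log" if class_map_matches(class_map, session) else "allow"

# Constructed sample sessions (username / filename as seen by the inspection engine)
SESSIONS = [
    {"username": "admin",    "filename": "/confidential/accounts"},  # allow
    {"username": "bob",      "filename": "/confidential/accounts"},  # reset log
    {"username": "bob",      "filename": "/public/readme.txt"},      # allow
    {"username": "sysadmin", "filename": "/confidential/accounts"},  # allow (caveat)
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s['username']:9} {s['filename']:24} -> {policy_action(s)}")
```

Anchoring the username regex (for example “^admin$”) closes the “sysadmin” gap; the evaluator above lets you confirm that before touching the ASA.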

What-does-what and what-goes-where;

– L3/L4 class-map matches the traffic flow.
– L5/L7 class-map matches the FTP application traffic (request commands, username, server, filename, filetype).
– L5/L7 policy-map tells the inspection engine on the type of action to perform for the application traffic that matches the L5/L7 class-map.
– L3/L4 policy-map applies the inspection to the traffic matched by the L3/L4 class-map, using the actions defined in the L5/L7 policy-map.
