This is part 2 of the previous Advanced FTP inspection post. Here we’ll see how to configure advanced inspection for FTP to allow a certain user to access a particular directory on an FTP server using REGEX.
The requirement is to allow only the username ‘admin’ from Inside to access a directory named ‘confidential’ and a file named ‘accounts’ on an FTP server hosted in your DMZ.
1. Create an ACL that matches your traffic flow;
access-list ftp_traffic_acl permit tcp any host 10.1.1.20 eq 21
2. Create a L3/L4 class-map to match the traffic flow;
class-map ftp_traffic_class
 match access-list ftp_traffic_acl
3. Create the REGEX values for the username and directory;
regex ftp_user "admin"
regex ftp_dir "\/confidential"
4. Create a L5/L7 class-map with match-all, so that every match statement under it must be true. The following class-map matches the 'confidential' directory AND any username other than admin (note the 'match not').
class-map type inspect ftp match-all ftp_access_class
 match filename regex ftp_dir
 match not username regex ftp_user
5. Create a L5/L7 policy-map and call the L5/L7 class-map underneath it as the matching criteria. In combination with the above L5/L7 class-map this gives us exactly what we wanted: if any user other than 'admin' tries to access the 'confidential' directory on the FTP server, the connection is reset (and logged) by the inspection engine of the ASA.
policy-map type inspect ftp ftp_access_policy
 parameters
 class ftp_access_class
  reset log
Note: You can apply a L5/L7 class-map only underneath a L5/L7 policy map.
6. Configure the L3/L4 policy-map. Call the L3/L4 class-map as the matching criteria and inspect FTP using the L5/L7 policy-map configured above.
policy-map inside_policy
 class ftp_traffic_class
  inspect ftp strict ftp_access_policy
Verification of the config:-
ASA-FW# show service-policy interface IN inspect ftp table

Interface IN:
  Service-policy: inside_policy
    Class-map: ftp_traffic_class
      Inspect: ftp strict ftp_access_policy, packet 157, drop 0, reset-drop 1
        Class-map: ftp_access_class
          Number of filters 2, action: reset log
          Filter id: 0, subid/is_regex: 0x0/0, value_type: VALUE_REGEX
            value: 21(0x15)/ftp_dir, value_high: 21(0x15)
            mask_match: NONE, mask_value: 0x0, negate: 0
          Filter id: 4, subid/is_regex: 0x0/0, value_type: VALUE_REGEX
            value: 20(0x14)/ftp_user, value_high: 20(0x14)
            mask_match: NONE, mask_value: 0x0, negate: 1
Points to remember:-
1. While configuring a REGEX, escape any special characters in the REGEX string with a backslash (\). Example: "\/confidential"
2. L5/L7 class-maps can only be used under L5-L7 policy maps.
3. Remember the different types of matches that can be done in a L3/L4 class-map (ACL, port, any, tunnel-group).
4. Multiple match commands are not supported, except for 'match tunnel-group' or 'match default-inspection-traffic' under a L5/L7 class-map.
5. In a L5/L7 class-map, match-all is a Logical-AND operation. Match-any is a Logical-OR operation.
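The regex values in step 3 and the match-all/match-any semantics in point 5 are easy to get subtly wrong, because an ASA regex (like most regex engines) is an unanchored substring match unless you anchor it. The following is an added example, not code from the original post or from Cisco: a small Python model of the L5/L7 class-map logic (match-all = AND, match-any = OR, 'match not' = negate) run against constructed FTP sessions. The Match/InspectClass types, the session dictionaries and the 'anchored' variant are assumptions made for illustration; the point it demonstrates is that with the post's unanchored "admin" regex, a username that merely contains 'admin' (e.g. 'badmin') is also exempted from the reset, while anchoring the regex with ^ and $ (which the ASA regex command supports) limits the exemption to exactly 'admin'.

```python
import re
from dataclasses import dataclass

# Constructed model of the ASA L5/L7 class-map semantics described in the
# post: each "match" is a regex test on one FTP field, optionally negated
# ("match not"), combined with match-all (AND) or match-any (OR).
# re.search() is used because, like the ASA regex command, it is an
# unanchored substring test unless the pattern itself uses ^ / $.


@dataclass(frozen=True)
class Match:
    field: str           # "username" or "filename" (fields named in the post)
    pattern: str         # regex, written the same way the post writes it
    negate: bool = False  # True models "match not ..."

    def test(self, session: dict) -> bool:
        hit = re.search(self.pattern, session.get(self.field, "")) is not None
        return (not hit) if self.negate else hit


@dataclass(frozen=True)
class InspectClass:
    name: str
    mode: str            # "match-all" (Logical-AND) or "match-any" (Logical-OR)
    matches: tuple

    def matches_session(self, session: dict) -> bool:
        results = [m.test(session) for m in self.matches]
        return all(results) if self.mode == "match-all" else any(results)


def evaluate(policy_classes, session, default="allow"):
    """Return the action of the first L5/L7 class the session matches,
    mirroring 'class ftp_access_class / reset log' in the post."""
    for cls, action in policy_classes:
        if cls.matches_session(session):
            return action
    return default


# Steps 3 and 4 of the post, as written: unanchored regexes.
POST_CLASS = InspectClass("ftp_access_class", "match-all", (
    Match("filename", r"\/confidential"),
    Match("username", r"admin", negate=True),
))

# Hypothetical hardened variant: anchored so that only the exact username
# 'admin' is exempt and only paths starting with /confidential match.
ANCHORED_CLASS = InspectClass("ftp_access_class_anchored", "match-all", (
    Match("filename", r"^\/confidential(\/|$)"),
    Match("username", r"^admin$", negate=True),
))

# Constructed sample sessions: the FTP username and the path argument of
# the data command (RETR/STOR) the inspection engine sees.
SESSIONS = {
    "admin_conf":   {"username": "admin",  "filename": "/confidential/accounts"},
    "bob_conf":     {"username": "bob",    "filename": "/confidential/accounts"},
    "bob_public":   {"username": "bob",    "filename": "/public/readme"},
    "badmin_conf":  {"username": "badmin", "filename": "/confidential/accounts"},
    "bob_conf_old": {"username": "bob",    "filename": "/confidential_old/x"},
}


def run(inspect_class):
    """Evaluate every constructed session against one class-map with action 'reset'."""
    policy = [(inspect_class, "reset")]
    return {label: evaluate(policy, s) for label, s in SESSIONS.items()}


if __name__ == "__main__":
    for label, cls in (("as in post", POST_CLASS), ("anchored", ANCHORED_CLASS)):
        print(label, run(cls))
```

Running it shows 'badmin_conf' is allowed under the post's class-map but reset under the anchored one, and that the unanchored directory regex also catches '/confidential_old', which may or may not be what you intend. The same Match objects can be placed in a "match-any" InspectClass to see the Logical-OR behaviour from point 5.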
What-does-what and what-goes-where;
– L3/L4 class-map matches the traffic flow.
– L5/L7 class-map matches the FTP application traffic (request commands, username, server, filename, filetype).
– L5/L7 policy-map tells the inspection engine on the type of action to perform for the application traffic that matches the L5/L7 class-map.
– L3/L4 policy-map applies the inspection to the traffic matched by the L3/L4 class-map, using the actions defined in the L5/L7 policy-map.