29-14
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 29 Configuring Filtering Services
Filtering URLs and FTP Requests with an External Server
To enable HTTPS filtering, enter the following command:
Filtering FTP Requests
You must identify and enable the URL filtering server before enabling FTP filtering.
Note Websense and Secure Computing Smartfilter currently support FTP; older versions of Secure Computing
SmartFilter (formerly known as N2H2) did not support FTP filtering.
When the filtering server approves an FTP connection request, the ASA allows the successful FTP return
code to reach the originating client. For example, a successful return code is “250: CWD command
successful.” If the filtering server denies the request, the FTP return code is changed to show that the
connection was denied. For example, the ASA changes code 250 to “550 Requested file is prohibited by
URL filtering policy.”
To enable FTP filtering, enter the following command:
Command Purpose
filter https port[-port] localIP
local_mask foreign_IP foreign_mask [allow]
Example:
ciscoasa# filter https 443 0 0 0 0 0 0 0 0
allow
Enables HTTPS filtering.
Replaces port[-port] with a range of port numbers if a different port than
the default port for HTTPS (443) is used.
Replaces local_ip and local_mask with the IP address and subnet mask of
a user or subnetwork making requests.
Replaces foreign_ip and foreign_mask with the IP address and subnet mask
of a server or subnetwork responding to requests.
The allow option causes the ASA to forward HTTPS traffic without
filtering when the primary filtering server is unavailable.
Command Purpose
filter ftp port[-port] localIP local_mask
foreign_IP foreign_mask [allow]
[interact-block]
Example:
ciscoasa# filter ftp 21 0 0 0 0 0 0 0 0
allow
Enables FTP filtering.
Replaces port[-port] with a range of port numbers if a different port than
the default port for FTP (21) is used.
Replaces local_ip and local_mask with the IP address and subnet mask of
a user or subnetwork making requests.
Replaces foreign_ip and foreign_mask with the IP address and subnet mask
of a server or subnetwork responding to requests.
The allow option causes the ASA to forward HTTPS traffic without
filtering when the primary filtering server is unavailable.
Use the interact-block option to prevent interactive FTP sessions that do
not provide the entire directory path. An interactive FTP client allows you
to change directories without typing the entire path. For example, you
might enter cd ./files instead of cd /public/files.