Cisco Systems ASA 5580 Network Router User Manual


 
10-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 10 Configuring Inspection of Basic Internet Protocols
FTP Inspection
d. (Optional) To match a file type for FTP transfer, enter the following command:
ciscoasa(config-cmap)# match [not] filetype regex [regex_name | class regex_class_name]
Where regex_name is the regular expression you created in Step 1, and regex_class_name is the regular expression class map you created in Step 2.
e. (Optional) To disallow specific FTP commands, enter the following command:
ciscoasa(config-cmap)# match [not] request-command ftp_command [ftp_command...]
Where ftp_command is one or more FTP commands that you want to restrict. See Table 10-1 for a list of the FTP commands that you can restrict.
f. (Optional) To match an FTP server, enter the following command:
ciscoasa(config-cmap)# match [not] server regex [regex_name | class regex_class_name]
Where regex_name is the regular expression you created in Step 1, and regex_class_name is the regular expression class map you created in Step 2.
g. (Optional) To match an FTP username, enter the following command:
ciscoasa(config-cmap)# match [not] username regex [regex_name | class regex_class_name]
Where regex_name is the regular expression you created in Step 1, and regex_class_name is the regular expression class map you created in Step 2.
Step 4 To create an FTP inspection policy map, enter the following command:
ciscoasa(config)# policy-map type inspect ftp policy_map_name
ciscoasa(config-pmap)#
Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
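The following configuration ties Steps 1 through 4 together. It is an added example, not taken from this guide: the regex, class-map and policy-map names are assumptions, and the inspect-policy parameters and the attachment to global_policy are standard ASA syntax that this page itself does not describe. It blocks uploads by anonymous logins and resets transfers of executable file types, logging both.

```cisco
! Step 1: regular expressions (names and patterns are constructed for this example)
regex ftp-anon-user "^(anonymous|ftp)$"
regex ftp-exe-files "\.(exe|bat|cmd|scr)$"

! Step 2: regex class map grouping the file-type patterns (optional when only one regex is used)
class-map type regex match-any ftp-blocked-files
 match regex ftp-exe-files

! Step 3: FTP inspection class maps
! match-all: only anonymous sessions issuing an upload command hit this class
class-map type inspect ftp match-all ftp-anon-upload
 match username regex ftp-anon-user
 match request-command put appe stou

! any session transferring a file whose name matches the blocked file types
class-map type inspect ftp match-all ftp-exe-transfer
 match filetype regex class ftp-blocked-files

! Step 4: FTP inspection policy map applying actions to the classes above
policy-map type inspect ftp ftp-inspect-policy
 parameters
  mask-reply
  mask-syst-reply
 class ftp-anon-upload
  reset log
 class ftp-exe-transfer
  reset log

! Apply the inspection policy (assumed default service policy names)
policy-map global_policy
 class inspection_default
  inspect ftp strict ftp-inspect-policy
```

Verify the result with show service-policy inspect ftp; the per-class counters increment when a session is reset by either class.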
Table 10-1 FTP Map request-command deny Options

request-command deny Option   Purpose
appe                          Disallows the command that appends to a file.
cdup                          Disallows the command that changes to the parent directory of the current working directory.
dele                          Disallows the command that deletes a file on the server.
get                           Disallows the client command for retrieving a file from the server.
help                          Disallows the command that provides help information.
mkd                           Disallows the command that makes a directory on the server.
put                           Disallows the client command for sending a file to the server.
rmd                           Disallows the command that deletes a directory on the server.
rnfr                          Disallows the command that specifies the rename-from filename.
rnto                          Disallows the command that specifies the rename-to filename.
site                          Disallows the commands that are specific to the server system. Usually used for remote administration.
stou                          Disallows the command that stores a file using a unique file name.