21 May

How-to: MPF on ASA to deny FTP Commands.

Written by Brandon Carroll  |  under CCIE Security

Welcome back!

I was reviewing the FTP Protocol Handling options of the ASA and it made me curious. One section of the SNPA book says that with the "Strict" option it does not allow embedded commands to be sent through a browser. It made me wonder, do people still use a web browser to FTP? Personally I use WSFTP or FireFTP on my Windows machine and CyberDuck on my Mac.

Well, enough of that. So that you actually gain some sort of knowledge from this post, I've decided to stick with some Modular Policy Framework today. The following config is related to FTP Protocol Inspection:

Start by making an FTP connection through the ASA. With default values it should work. You'll need to download a file to make sure that both the data channel and the control channel are working properly.

Next, create a policy-map type inspect for FTP. This is where you specify the commands you want to deny. In this case we are going to say that the "get" command is not allowed. If a "get" is matched, the action to be performed is a reset.

MyAsa(config)# policy-map type inspect ftp BLOCK_GET
MyAsa(config-pmap)# match request-command get
MyAsa(config-pmap-c)# reset
MyAsa(config-pmap-c)# exit
MyAsa(config-pmap)# exit


Next you want to apply the inspection policy map, but you can't apply it all by itself. You have to apply it within a L3/L4 policy map. In the following configuration we are going to use the existing "global_policy" to apply our reset to FTP. You'll access the class inspection_default, which is what the ASA uses to identify FTP traffic on TCP port 21. Use the "inspect" command to tell the ASA to inspect FTP, add the "strict" option, and tie it to the policy-map type inspect that we created earlier.

MyAsa(config)# policy-map global_policy
MyAsa(config-pmap)# class inspection_default
MyAsa(config-pmap-c)# inspect ftp strict BLOCK_GET
MyAsa(config-pmap-c)# exit
MyAsa(config-pmap)# exit
MyAsa(config)#

The way to test this is to drop the previous FTP connection you had up and establish it again. The connection should establish. It looks like it works, but as soon as you try to grab something, the FTP application you are using sends a "get" and the connection is reset. Use the following show command to verify.

MyAsa(config)# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default

<---text omitted--->

Inspect: ftp strict BLOCK_GET, packet 105, drop 0, reset-drop 12
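To make the two halves of this post concrete (the policy-map type inspect with its reset action, and the reset-drop counter you look for in show service-policy), here is an added Python example. It is not ASA code and not part of the original post: it models the inspection as a set of denied control-channel commands that trigger a reset, and it parses the Inspect: counter line so a script can confirm the policy is applied with strict and is actually resetting. The keyword-to-wire-command table, the sample FTP session and the sample show output are all constructed for this example; note that the client's "get" is the FTP RETR command on the wire, which is what the ASA keyword matches.

```python
"""Model of an ASA FTP inspection policy and a parser for the counters that
`show service-policy` reports. Added example, not ASA code.

Assumptions (constructed for this example, not from the original post): the
keyword-to-wire-command table, the sample control-channel session and the
sample show output below.
"""
import re

# ASA request-command keywords mapped to the command actually seen on the FTP
# control channel. "get"/"put" are the client-side names; on the wire they are
# RETR/STOR. Table constructed for this example.
REQUEST_COMMANDS = {
    "get": "RETR",
    "put": "STOR",
    "dele": "DELE",
    "mkd": "MKD",
    "rmd": "RMD",
    "rnfr": "RNFR",
    "rnto": "RNTO",
    "site": "SITE",
}


class FtpInspectPolicy:
    """Mirrors `policy-map type inspect ftp`: a set of denied request commands,
    each of which triggers a TCP reset when matched."""

    def __init__(self, name, deny_keywords):
        self.name = name
        self.deny = {REQUEST_COMMANDS[k] for k in deny_keywords}

    def inspect(self, control_lines):
        """Walk the control channel. Returns ("pass", None) if every command is
        allowed, or ("reset", offending_line) at the first denied command,
        matching the reset action configured in the policy map."""
        for line in control_lines:
            verb = line.split(" ", 1)[0].upper()
            if verb in self.deny:
                return ("reset", line)
        return ("pass", None)


# Constructed sample session: what an FTP client sends when the user types "get".
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.invalid",
    "PWD",
    "TYPE I",
    "PASV",
    "RETR readme.txt",   # the client's "get" on the wire
    "QUIT",
]

# Tolerates "reset-drop" and the "reset- drop" spacing some extractions produce.
INSPECT_RE = re.compile(
    r"Inspect:\s+ftp\s+(?P<strict>strict\s+)?(?P<pmap>\S+),\s+"
    r"packet\s+(?P<packet>\d+),\s+drop\s+(?P<drop>\d+),\s+"
    r"reset-\s*drop\s+(?P<reset_drop>\d+)"
)


def parse_show_service_policy(text):
    """Pull the FTP inspect counters out of `show service-policy` output.
    Returns None if no FTP inspect line is present (policy not applied)."""
    m = INSPECT_RE.search(text)
    if not m:
        return None
    return {
        "strict": bool(m.group("strict")),
        "policy_map": m.group("pmap"),
        "packet": int(m.group("packet")),
        "drop": int(m.group("drop")),
        "reset_drop": int(m.group("reset_drop")),
    }


# Constructed sample of the show output, with the same counters as the post.
SAMPLE_SHOW = """Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp strict BLOCK_GET, packet 105, drop 0, reset-drop 12
"""


def policy_is_enforcing(show_text, expected_pmap):
    """True when the expected inspect policy map is applied with strict and the
    reset-drop counter has incremented, i.e. the test transfer was reset."""
    c = parse_show_service_policy(show_text)
    return (c is not None and c["strict"]
            and c["policy_map"] == expected_pmap and c["reset_drop"] > 0)


if __name__ == "__main__":
    policy = FtpInspectPolicy("BLOCK_GET", ["get"])
    print(policy.inspect(SAMPLE_SESSION))            # ('reset', 'RETR readme.txt')
    print(parse_show_service_policy(SAMPLE_SHOW))
    print(policy_is_enforcing(SAMPLE_SHOW, "BLOCK_GET"))  # True
```

The parser returns None when no FTP inspect line is present, which is the case to check for first: a missing line means the inspect ftp command never made it into the class, so the counters you are hoping to see will not exist at all.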

That's it for today. Don't forget to subscribe to this blog for more how-to's like this.

2008 (c) GlobalConfig.net