Configuring FTP Inspection - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 22 Applying Application Layer Protocol Inspection (OL-20748-01, page 22-32)

FTP Inspection

Table 22-3 FTP Map request-command deny Options (continued)

request-command deny Option    Purpose
rmd                            Disallows the command that deletes a directory on the server.
rnfr                           Disallows the command that specifies the rename-from filename.
rnto                           Disallows the command that specifies the rename-to filename.
site                           Disallows the commands that are specific to the server system. Usually used for remote administration.
stou                           Disallows the command that stores a file using a unique filename.

Configuring FTP Inspection

FTP application inspection is enabled by default, so you only need to perform the procedures in this section if you want to change the default FTP configuration in any of the following ways:

• Enable the strict option.
• Identify specific FTP commands that are not permitted to pass through the FWSM.
• Change the default port number.

To configure FTP inspection, perform the following steps:

Step 1  Determine the ports to which FTP servers behind your FWSM listen. The default FTP port is TCP port 21; however, alternate ports are often used as a simple means to thwart attacks. To ensure that all FTP traffic is inspected, check your FTP servers for use of ports other than TCP port 21. FTP traffic to a port that no class map identifies is not inspected at all: the strict checks and the request-command deny filtering do not apply to it, and the FWSM does not open the FTP data connection for it.

Step 2  Create a class map or modify an existing class map to identify FTP traffic. Use the class-map command to do so, as follows:

hostname(config)# class-map class_map_name
hostname(config-cmap)#

where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.

Step 3  Identify traffic sent to the FTP ports you determined in Step 1. To do so, use a match port or match access-list command.

If you need to identify two or more non-contiguous ports, create an access list with the access-list extended command, add an ACE to match each port, and then use the match access-list command. Only permit ACEs define the traffic that the class map identifies. The following commands show how to use an access list to identify multiple TCP ports:

hostname(config)# access-list acl-name extended permit tcp any any eq port_number_1
hostname(config)# access-list acl-name extended permit tcp any any eq port_number_2
hostname(config)# class-map class_map_name
hostname(config-cmap)# match access-list acl-name

If you need to identify a single port, use the match port command, as follows:

hostname(config-cmap)# match port tcp eq port_number

where port_number is the only TCP port listened to by FTP servers behind the FWSM.

If you need to identify a range of contiguous ports for a single protocol, use the match port command with the range keyword, as follows:

hostname(config-cmap)# match port tcp range begin_port_number end_port_number
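The following configuration is an added, complete example that ties Steps 1 through 3 together with the request-command deny options from Table 22-3; it is not taken from the original guide. It assumes two FTP servers behind the FWSM, one listening on TCP 21 and one on TCP 2121 (both assumed values), and a client-facing interface named outside. The names FTP_PORTS, FTP_TRAFFIC, FTP_LOCKDOWN and FTP_POLICY are arbitrary labels chosen for the example.

```cisco
! Added example, not from the original guide. Assumed values: FTP servers on
! TCP 21 and TCP 2121, client-facing interface "outside"; object names are
! arbitrary.
!
! Step 1: the servers listen on 21 and 2121, which are non-contiguous, so the
! single-port and range forms of match port do not fit.
!
! Step 3 (non-contiguous ports): one permit ACE per port, then match access-list.
access-list FTP_PORTS extended permit tcp any any eq 21
access-list FTP_PORTS extended permit tcp any any eq 2121
!
! Step 2 and 3: the class map that identifies the FTP control connections.
class-map FTP_TRAFFIC
  match access-list FTP_PORTS
!
! FTP map that disallows the commands listed in Table 22-3: directory removal,
! both halves of a rename, server-specific SITE commands, and STOU uploads.
ftp-map FTP_LOCKDOWN
  request-command deny rmd rnfr rnto site stou
!
! Policy map that applies strict FTP inspection with the FTP map to the class.
policy-map FTP_POLICY
  class FTP_TRAFFIC
    inspect ftp strict FTP_LOCKDOWN
!
! Bind the policy to the interface where FTP clients enter the FWSM.
service-policy FTP_POLICY interface outside
```

If the servers had used only port 21, the class map would instead carry match port tcp eq 21; for a block of adjacent ports it would carry match port tcp range. After applying the policy, show service-policy interface outside confirms that inspect ftp strict with the FTP map is bound to FTP_TRAFFIC on that interface, and an FTP session to TCP 2121 should now fail on RMD, RNFR, RNTO, SITE and STOU while still succeeding on ordinary transfers.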