Verifying and Monitoring FTP Inspection - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
FTP Inspection

If you want to enable strict FTP inspection with an optional FTP map you may have configured in Step 4, use the inspect ftp command with the strict keyword and the FTP map name, as follows:
hostname(config-pmap-c)# inspect ftp strict ftp_map_name
If you want to revert to default FTP inspection, use the inspect ftp command with no keywords, as follows:
hostname(config-pmap-c)# inspect ftp

Step 8
Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
hostname(config)#
where policy_map_name is the policy map you configured in Step 5. If you want to apply the policy map to traffic on all the interfaces, use the global option. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.
The FWSM begins inspecting FTP traffic, as specified.
The following example shows how to identify FTP traffic, define an FTP map, define a policy, and apply the policy to the outside interface.
Example 22-5 Enabling and Configuring Strict FTP Inspection
hostname(config)# class-map ftp_port
hostname(config-cmap)# match port tcp eq 21
hostname(config-cmap)# ftp-map sample_map
hostname(config-ftp-map)# request-command deny put stou appe
hostname(config-ftp-map)# policy-map sample_policy
hostname(config-pmap)# class ftp_port
hostname(config-pmap-c)# inspect ftp strict sample_map
hostname(config-pmap-c)# service-policy sample_policy interface outside

Verifying and Monitoring FTP Inspection

FTP application inspection generates the following log messages:
• An Audit record 302002 is generated for each file that is retrieved or uploaded.
• The FTP command is checked to see whether it is RETR or STOR, and the retrieve and store commands are logged.
• The username is obtained by looking up a table indexed by the IP address.
• The username, source IP address, destination IP address, NAT address, and the file operation are logged.
• Audit record 201005 is generated if the secondary dynamic channel preparation failed because of a memory shortage.
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.

Chapter 22, Applying Application Layer Protocol Inspection. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-20748-01, page 22-34.
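The following Python model illustrates what the inspection configured in Example 22-5 does on the FTP control channel and what the monitoring section above says gets logged. It is an added example written for this page, not FWSM code: the mapping from ftp-map request-command deny keywords to wire verbs (put is STOR, get is RETR, and so on) follows the FWSM keyword set, the audit record layout, NAT table and addresses are constructed for the demo, and the check that a PORT command names the client's own address is modelled after strict inspection rather than copied from it.

```python
"""Model of the FTP control-channel inspection configured in Example 22-5.

Added example, not FWSM code. It models three behaviours the page describes:
  * request-command deny put stou appe -> STOR, STOU and APPE are rejected
  * each RETR/STOR is written to an audit list with user, source, destination,
    NAT address and file operation (record layout is constructed, not Cisco's)
  * under NAT the address embedded in a PORT command or a 227 reply is rewritten
    using the RFC 959 h1,h2,h3,h4,p1,p2 encoding (port = p1*256 + p2)
"""
import re
from dataclasses import dataclass, field

# ftp-map request-command deny keyword -> verb seen on the wire ('put' is STOR, 'get' is RETR).
REQUEST_COMMAND_VERBS = {
    "appe": "APPE", "cdup": "CDUP", "dele": "DELE", "get": "RETR", "help": "HELP",
    "mkd": "MKD", "put": "STOR", "rmd": "RMD", "rnfr": "RNFR", "rnto": "RNTO",
    "site": "SITE", "stou": "STOU",
}

HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_host_port(ip, port):
    """Dotted IPv4 address and port -> RFC 959 'h1,h2,h3,h4,p1,p2'."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_host_port(text):
    """First RFC 959 host-port field in text -> (ip, port), or None if absent."""
    m = HOST_PORT_RE.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpInspector:
    denied: set                 # request-command deny keywords, e.g. {"put", "stou", "appe"}
    nat: dict                   # real address -> translated address (constructed static NAT)
    audit: list = field(default_factory=list)
    user: str = "anonymous"

    def inspect_request(self, line, client_ip, server_ip):
        """Inspect one client->server control line; return (verdict, line to forward)."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg         # remembered so later file operations carry the username
        if verb in {REQUEST_COMMAND_VERBS[k] for k in self.denied}:
            self.audit.append(f"user {self.user} {client_ip}->{server_ip} denied {verb}")
            return "deny", None
        if verb in ("RETR", "STOR"):
            op = "retrieved" if verb == "RETR" else "stored"
            self.audit.append(
                f"user {self.user} {client_ip}->{server_ip} "
                f"nat {self.nat.get(client_ip, client_ip)} {op} file {arg}")
        if verb == "PORT":
            decoded = decode_host_port(arg)
            # Modelled strict check: a PORT naming any address but the client's own is dropped,
            # since it would make the server open the data channel to a third host.
            if decoded is None or decoded[0] != client_ip:
                return "deny", None
            ip, port = decoded
            if ip in self.nat:      # rewrite the embedded address to the translated one
                line = f"PORT {encode_host_port(self.nat[ip], port)}\r\n"
        return "permit", line

    def inspect_reply(self, line):
        """Inspect one server->client reply; rewrite the address in a 227 (PASV) reply under NAT."""
        if line.startswith("227"):
            decoded = decode_host_port(line)
            if decoded is not None and decoded[0] in self.nat:
                ip, port = decoded
                line = HOST_PORT_RE.sub(encode_host_port(self.nat[ip], port), line, count=1)
        return line


def run_demo():
    """Constructed session: inside client 10.1.1.5 (translated to 203.0.113.5) talking to an
    FTP server at 198.51.100.20 (translated to 192.0.2.20). Returns (verdicts, 227 reply, audit)."""
    insp = FtpInspector(denied={"put", "stou", "appe"},
                        nat={"10.1.1.5": "203.0.113.5", "198.51.100.20": "192.0.2.20"})
    session = [
        "USER alice\r\n",
        "PORT 10,1,1,5,4,1\r\n",      # client offers 10.1.1.5:1025 for the data channel
        "RETR report.pdf\r\n",        # permitted and audited
        "STOR upload.bin\r\n",        # denied: request-command deny put
        "APPE notes.txt\r\n",         # denied: request-command deny appe
    ]
    verdicts = [insp.inspect_request(l, "10.1.1.5", "198.51.100.20") for l in session]
    reply = insp.inspect_reply("227 Entering Passive Mode (198,51,100,20,200,15)\r\n")
    return verdicts, reply, insp.audit


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Running the module shows the STOR and APPE requests from the constructed session being refused while RETR passes and is audited, and the PORT command and 227 reply leaving the inspector with translated addresses, which is the payload rewriting the NAT paragraph above refers to.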
