Cisco PIX 500 Series Configuration Manual page 494
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
FTP Inspection
Specify the action you want to perform on the matching traffic by entering the following command:
b.
hostname(config-pmap-c)# {[drop [send-protocol-error] |
drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate }
Not all options are available for each match or class command. See the CLI help or the Cisco
Security Appliance Command Reference for the exact options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server
and/or client.
The log keyword, which you can use alone or with one of the other keywords, sends a system log
message.
The rate-limit message_rate argument limits the rate of messages.
You can specify multiple class or match commands in the policy map. For information about the order
of class and match commands, see the
page
To configure parameters that affect the inspection engine, perform the following steps:
Step 7
To enter parameters configuration mode, enter the following command:
a.
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b.
To mask the greeting banner from the FTP server, enter the following command:
hostname(config-pmap-p)# mask-banner
To mask the reply to syst command, enter the following command:
c.
hostname(config-pmap-p)# mask-syst-reply
Before submitting a username and password, all FTP users are presented with a greeting banner. By
default, this banner includes version information useful to hackers trying to identify weaknesses in a
system. The following example shows how to mask this banner:
hostname(config)# policy-map type inspect ftp mymap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# mask-banner
hostname(config)# class-map match-all ftp-traffic
hostname(config-cmap)# match port tcp eq ftp
hostname(config)# policy-map ftp-policy
hostname(config-pmap)# class ftp-traffic
hostname(config-pmap-c)# inspect ftp strict mymap
hostname(config)# service-policy ftp-policy interface inside
Cisco Security Appliance Command Line Configuration Guide
25-30
Specify traffic directly in the policy map using one of the match commands described in
•
If you use a match not command, then any traffic that does not match the criterion in the match
not command has the action applied.
21-11.
Chapter 25
Configuring Application Layer Protocol Inspection
"Defining Actions in an Inspection Policy Map" section on
Step
3.
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
