Cisco ASA 5506-X Configuration Manual page 158

Chapter 7 Inspection of Basic Internet Protocols
FTP Inspection

Step 2 Create an FTP inspection policy map:

    hostname(config)# policy-map type inspect ftp policy_map_name
    hostname(config-pmap)#

    Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.

Step 3 (Optional) To add a description to the policy map, enter the following command:

    hostname(config-pmap)# description string

Step 4 To apply actions to matching traffic, perform the following steps.

    a. Specify the traffic on which you want to perform actions using one of the following methods:

       - If you created an FTP class map, specify it by entering the following command:

            hostname(config-pmap)# class class_map_name
            hostname(config-pmap-c)#

       - Specify traffic directly in the policy map using one of the match commands described for FTP class maps. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.

    b. Specify the action you want to perform on the matching traffic by entering the following command:

            hostname(config-pmap-c)# reset [log]

       The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server or client. Add the log keyword to send a system log message.

    You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map, page 2-4.

Step 5 To configure parameters that affect the inspection engine, perform the following steps:

    a. To enter parameters configuration mode, enter the following command:

            hostname(config-pmap)# parameters
            hostname(config-pmap-p)#

    b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:

       - mask-banner—Masks the greeting banner from the FTP server.
       - mask-syst-reply—Masks the reply to syst command.

Example

Before submitting a username and password, all FTP users are presented with a greeting banner. By default, this banner includes version information useful to hackers trying to identify weaknesses in a system. The following example shows how to mask this banner:

    hostname(config)# policy-map type inspect ftp mymap
    hostname(config-pmap)# parameters
    hostname(config-pmap-p)# mask-banner
    hostname(config)# class-map match-all ftp-traffic
    hostname(config-cmap)# match port tcp eq ftp
    hostname(config)# policy-map ftp-policy
    hostname(config-pmap)# class ftp-traffic

Cisco ASA Series Firewall CLI Configuration Guide 7-12
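As an added example that is not part of the configuration guide, the following Python script audits an ASA running-config for the Step 5 parameters: it finds every policy-map type inspect ftp block and reports those in which mask-banner or mask-syst-reply is absent or negated with the no form. The configuration fragment embedded in it is constructed for the demonstration.

```python
import re

# Constructed sample running-config fragment (not from the guide).
SAMPLE_CONFIG = """\
policy-map type inspect ftp mymap
 parameters
  mask-banner
policy-map type inspect ftp fullmap
 parameters
  mask-banner
  mask-syst-reply
policy-map type inspect ftp openmap
 parameters
  no mask-banner
"""

WANTED = ("mask-banner", "mask-syst-reply")   # parameters-mode options from Step 5
FTP_PMAP = re.compile(r"^policy-map type inspect ftp (\S+)$")


def ftp_inspect_maps(config):
    """Map each FTP inspection policy-map name to {option: enabled}; an
    option is enabled only if present in the block without the 'no' prefix."""
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # unindented: a new top-level block
            m = FTP_PMAP.match(line)
            current = m.group(1) if m else None
            if current:
                maps[current] = {opt: False for opt in WANTED}
            continue
        if current is None:                 # indented line of a non-FTP block
            continue
        negated = line.startswith("no ")
        keyword = line[3:] if negated else line
        if keyword in WANTED:
            maps[current][keyword] = not negated
    return maps


def unmasked_maps(config):
    """Names of FTP inspection policy maps that still expose a banner or SYST reply."""
    return sorted(name for name, opts in ftp_inspect_maps(config).items()
                  if not all(opts.values()))


if __name__ == "__main__":
    for name in unmasked_maps(SAMPLE_CONFIG):
        print(f"{name}: mask-banner and/or mask-syst-reply not set")
```

Run it against the output of show running-config policy-map to list the inspection maps that still leak server version information.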