In this article, I will demonstrate how to configure advanced FTP inspection on a Cisco ASA firewall. I recently came across this requirement from one of my friends, so I thought I would document the requirement and the solution here as well.
Here is the requirement:
There is an FTP server located in the DMZ segment of the Cisco ASA firewall at 10.10.10.10. This FTP server is listening for all FTP connections on non-standard TCP port 2021. Configure the ASA so that it resets any connection coming in from the OUTSIDE segment to that DMZ FTP server on TCP port 2021 that contains one of the following commands: DELETE, PUT.
Understand the requirement.
This task requires deep packet inspection for FTP, which is configured using MPF (Modular Policy Framework). We are required to reset connections that carry certain FTP commands. Also NOTE that the FTP server is listening for all FTP connections on TCP 2021, not on the standard FTP port, so the ASA will not recognise the traffic as FTP on its own. To do this, the ASA must first be told to treat the traffic as FTP, and then check fields inside the FTP commands in order to perform an action (reset in this scenario). Whenever a requirement involves checking something protocol specific, we should automatically start thinking about layer 7 class maps and policy maps.
So first of all, we need to create a layer 7 policy map (type inspect for the FTP protocol) and match the required commands inside the FTP packets. We could also use a layer 7 class map here and reference it under the layer 7 policy map, but since the FTP commands can be matched with a single configuration line, we can do that directly under the layer 7 policy map. Note that the FTP protocol command for a delete is DELE, which is why the match line below uses DELE rather than DELETE. Here is how you can do that.
ASA(config)# policy-map type inspect ftp PM_FTP
ASA(config-pmap)# match request-command DELE PUT
ASA(config-pmap-c)# reset
We also need a layer 3/4 class map that matches the traffic using an access-list. The access-list is required here because we need to specify both the destination IP address and the non-standard port (if we needed to match all FTP traffic, the better option would be a "match port" statement). Here is how you can do that.
ASA(config)# access-list DMZ_FTP permit tcp any host 10.10.10.10 eq 2021
ASA(config)# class-map CM_FTP_2021
ASA(config-cmap)# match access-list DMZ_FTP
Layer 7 policy maps cannot be applied directly to an interface or at the global level. Instead, they are referenced from a layer 3/4 policy map when the inspection is specified. Here is how you can do that.
ASA(config)# policy-map OUTSIDE_MPF
ASA(config-pmap)# class CM_FTP_2021
ASA(config-pmap-c)# inspect ftp strict PM_FTP
The last thing is to assign the layer 3/4 policy map to an interface. Since we want to protect the FTP server located in the DMZ by resetting certain commands sent by FTP clients located on the OUTSIDE networks, we must apply it on the OUTSIDE interface.
ASA(config)# service-policy OUTSIDE_MPF interface OUTSIDE
Finally, verify the result with show service-policy. The output shows the new class map and the layer 7 policy under the OUTSIDE interface, with counters for inspected, dropped and reset packets:

ASA(config)# show service-policy inspect ftp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 0, drop 0, reset-drop 0

Interface OUT:
  Service-policy: OUTSIDE_MPF
    Class-map: CM_FTP_2021
      Inspect: ftp strict PM_FTP, packet 0, drop 0, reset-drop 0
        match request-command appe put dele rmd
          reset, packet 0
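To turn those counters into something you can monitor, here is an added example (not part of the original article) that parses the indented "show service-policy inspect ftp" output and reports which FTP command matches have actually triggered a reset. The sample output and its counter values are constructed; the class map, policy and match names follow the configuration above.

```python
import re

# Constructed sample in the layout of "show service-policy inspect ftp";
# the counter values are made up so the check below has something to report.
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 1520, drop 0, reset-drop 0

Interface OUTSIDE:
  Service-policy: OUTSIDE_MPF
    Class-map: CM_FTP_2021
      Inspect: ftp strict PM_FTP, packet 342, drop 0, reset-drop 7
        match request-command dele put
          reset, packet 7
"""

INSPECT_RE = re.compile(
    r"Inspect:\s+(?P<inspect>.+?),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset_drop>\d+)"
)
ACTION_RE = re.compile(r"^(?P<action>reset|drop|log),\s+packet\s+(?P<packet>\d+)$")


def parse_service_policy(text):
    """Flatten the indented show output into one record per 'Inspect:' line."""
    records = []
    scope = policy = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not line.startswith(("Service-policy", "Class-map")):
            scope = line[:-1]  # "Global policy" or "Interface OUTSIDE"
        elif line.startswith("Service-policy:"):
            policy = line.split(":", 1)[1].strip()
        elif line.startswith("Class-map:"):
            cls = line.split(":", 1)[1].strip()
        elif (m := INSPECT_RE.match(line)):
            records.append({"scope": scope, "policy": policy, "class_map": cls,
                            "inspect": m["inspect"], "packet": int(m["packet"]),
                            "drop": int(m["drop"]), "reset_drop": int(m["reset_drop"]),
                            "matches": []})
        elif line.startswith("match ") and records:
            # Layer 7 match criteria belong to the preceding Inspect line
            records[-1]["matches"].append({"criteria": line, "actions": {}})
        elif (m := ACTION_RE.match(line)) and records and records[-1]["matches"]:
            # Action counter line (e.g. "reset, packet 7") belongs to the last match
            records[-1]["matches"][-1]["actions"][m["action"]] = int(m["packet"])
    return records


def blocked_ftp_commands(records):
    """Return (class_map, match criteria, reset count) for matches that reset packets."""
    hits = []
    for r in records:
        for mt in r["matches"]:
            n = mt["actions"].get("reset", 0)
            if n > 0:
                hits.append((r["class_map"], mt["criteria"], n))
    return hits
```

A non-zero reset count on the DELE/PUT match is the signal that a client on the OUTSIDE network attempted a blocked command, so it is worth exporting to your logging or alerting pipeline.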
I hope you enjoyed reading this article. Feel free to leave any comments or feedback.