HOW TO: FTP Advanced Inspection on Cisco ASA


In this article, I will demonstrate how to configure advanced FTP inspection on a Cisco ASA firewall. I recently came across this requirement from one of my friends, so I thought I would document the requirement and the solution here as well.

Here is the requirement:

There is an FTP server located in the DMZ segment of the Cisco ASA firewall at This FTP server is listening for all FTP connections on the non-standard TCP port 2021. Configure the ASA so that it resets any connection coming in from the OUTSIDE segment to that DMZ FTP server on TCP port 2021 that contains one of the following commands: DELETE, PUT.

Understand the requirement.

This task requires deep packet inspection for FTP, which is configured with the MPF (Modular Policy Framework). We are required to reset connections carrying certain FTP commands. Also note that the FTP server is listening for all FTP connections on TCP 2021, not on the standard FTP port. For that to work, the ASA must first recognize the traffic as FTP and then check fields inside the FTP control channel before taking an action (a reset in this scenario). Whenever a requirement involves checking something protocol-specific, we should automatically start thinking about layer 7 class maps and policy maps.


So first of all, we need to create a layer 7 policy map (type inspect, for the FTP protocol) and match the required commands inside the FTP packets. We could also use a layer 7 class map here and reference it under the layer 7 policy map, but since the FTP commands can be matched with a single configuration line, we can do that directly under the layer 7 policy map. Here is how you can do that.

ASA(config)# policy-map type inspect ftp PM_FTP
ASA(config-pmap)# match request-command DELE PUT
ASA(config-pmap-c)# reset

We also need a layer 3/4 class map that matches the traffic using an access list. The access list is required here because we need to specify both the destination IP address and the port (if we needed to match all FTP traffic, the better option would be the “match port” statement). Here is how you can do that.

ASA(config)# access-list DMZ_FTP permit tcp any host eq 2021
ASA(config)# class-map CM_FTP_2021
ASA(config-cmap)# match access-list DMZ_FTP

Layer 7 policy maps cannot be applied directly to an interface or at the global level. Instead, they are referenced from a layer 3/4 policy map when specifying the inspection. Because this policy will be applied only to the OUTSIDE interface, we create a separate layer 3/4 policy map, OUTSIDE_MPF, instead of adding the class to global_policy, which is already applied globally to every interface. Here is how you can do that.

ASA(config)# policy-map OUTSIDE_MPF
ASA(config-pmap)# class CM_FTP_2021
ASA(config-pmap-c)# inspect ftp strict PM_FTP

The last thing is to assign the layer 3/4 policy map to an interface. Since we want to protect our FTP server in the DMZ by resetting commands sent by FTP clients on the OUTSIDE networks, we must apply it to the OUTSIDE interface. Afterwards, show service-policy confirms that the inspection is in place and lets you watch the packet and reset counters.

ASA(config)# service-policy OUTSIDE_MPF interface OUTSIDE
ASA(config)# show service-policy inspect ftp

Global policy:
 Service-policy: global_policy
   Class-map: inspection_default
     Inspect: ftp, packet 0, drop 0, reset-drop 0

Interface OUT: Service-policy: OUTSIDE_MPF
 Class-map: CM_FTP_2021
   Inspect: ftp strict PM_FTP, packet 0, drop 0, reset-drop 0
     match request-command appe put dele rmd
       reset, packet 0
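To reason about what the policy built above actually does to a session, here is a small Python model of it (an added example, not the article's or Cisco's code). It assumes a placeholder address for the DMZ server the article does not name, and that the ASA keyword put stands for the STOR verb on the wire (Cisco's put/get keywords name the client store/retrieve commands).

```python
# Model of the article's ASA FTP inspection policy (added example, not ASA code).
from dataclasses import dataclass

FTP_SERVER = "198.51.100.10"   # placeholder: the DMZ FTP server address the article elides
FTP_PORT = 2021                # non-standard FTP control port from the requirement
RESET_KEYWORDS = {"dele", "put"}   # policy-map type inspect ftp PM_FTP: match request-command DELE PUT
# ASA request-command keywords -> FTP verbs on the wire (assumption: put=STOR, get=RETR).
ASA_KEYWORD_TO_VERB = {"dele": "DELE", "put": "STOR", "get": "RETR", "appe": "APPE", "rmd": "RMD"}


@dataclass(frozen=True)
class Conn:
    ingress: str    # interface the packet arrives on
    proto: str
    dst_ip: str
    dst_port: int


def matches_cm_ftp_2021(conn: Conn) -> bool:
    """Layer 3/4 class-map CM_FTP_2021 (access-list DMZ_FTP: tcp any -> host FTP_SERVER eq 2021),
    only evaluated where service-policy OUTSIDE_MPF is applied: the OUTSIDE interface."""
    return (conn.ingress == "OUTSIDE" and conn.proto == "tcp"
            and conn.dst_ip == FTP_SERVER and conn.dst_port == FTP_PORT)


def ftp_request_action(line: str) -> str:
    """Layer 7 policy-map PM_FTP: reset when the request verb is a matched command.
    FTP verbs are case-insensitive (RFC 959), so 'dele x' must be caught like 'DELE x'."""
    verb = line.strip().split(" ", 1)[0].upper()
    denied = {ASA_KEYWORD_TO_VERB[k] for k in RESET_KEYWORDS}
    return "reset" if verb in denied else "allow"


def apply_policy(conn: Conn, requests: list) -> list:
    """Walk a control-channel session. Traffic outside the class is not seen by PM_FTP at all;
    a reset tears the connection down, so any later requests never reach the server."""
    if not matches_cm_ftp_2021(conn):
        return [(r, "not-inspected-by-PM_FTP") for r in requests]
    decisions = []
    for r in requests:
        action = ftp_request_action(r)
        decisions.append((r, action))
        if action == "reset":
            break
    return decisions


# Constructed sample session from an OUTSIDE client to the DMZ server on port 2021.
SESSION = ["USER alice", "PASS s3cret", "CWD /upload", "STOR report.pdf", "QUIT"]

if __name__ == "__main__":
    for req, act in apply_policy(Conn("OUTSIDE", "tcp", FTP_SERVER, FTP_PORT), SESSION):
        print(f"{act:24} {req}")
```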

I hope you enjoyed reading this article. Feel free to leave any comments or feedback.

Ashutosh Patel

Ashutosh Patel is the author and editor of He currently works as a Network Security Architect.
