ASA - FTP Inspection

 

Assumptions

All changes are made in the global service-policy, but you can apply them to a different policy if you wish.

After modifying the policy-map, remember to reapply the service policy: first "no service-policy global_policy global", then "service-policy global_policy global".

 

FTP inspection can work at layers 3/4 and at layer 7. Standard inspection works at layers 3/4 and is responsible for:

  • Preparing the dynamic secondary data connection
  • Tracking the FTP command-response sequence
  • Generating an audit trail
  • Translating the embedded IP address

When FTP inspection is disabled, only outbound FTP connections are allowed, and only in passive mode.
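The list above is abstract, so here is an added example (not from the original page and not Cisco code) of what the layer 3/4 engine actually has to do with the control channel: pull the "h1,h2,h3,h4,p1,p2" tuple out of a PORT command or a 227 PASV reply (RFC 959), work out which side will open the secondary data connection so a pinhole can be created, and rewrite the embedded address when NAT is in the path. The sanity check that the advertised address must belong to the peer that sent it is this example's own choice, not a statement about how the ASA engine behaves; the server-side data port 20 is the RFC 959 default and is assumed here.

```python
import re
from ipaddress import IPv4Address

# "h1,h2,h3,h4,p1,p2" as carried by PORT (client -> server) and by the
# 227 reply to PASV (server -> client), per RFC 959.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) embedded in a PORT command or 227 reply, or None if malformed."""
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None  # e.g. "PORT 300,1,1,1,1,1" is not a valid address
    ip = str(IPv4Address(".".join(str(o) for o in octets[:4])))
    return ip, octets[4] * 256 + octets[5]


def format_hostport(ip, port):
    """Inverse of parse_hostport: build the comma-separated tuple for ip:port."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ",".join(str(int(o)) for o in ip.split(".")) + f",{port // 256},{port % 256}"


def rewrite_hostport(line, new_ip, new_port):
    """Replace the embedded address, as NAT-aware inspection does on the control channel.

    A real firewall must also fix up TCP sequence numbers when the rewritten
    line changes length; that part is out of scope for this example.
    """
    replacement = format_hostport(new_ip, new_port)
    return _HOSTPORT.sub(lambda _m: replacement, line, count=1)


def data_connection(line, client_ip, server_ip):
    """Describe the secondary data connection a firewall would have to pinhole.

    client_ip/server_ip are the endpoints of the control connection. The
    'allowed' flag is this example's sanity check: the address a peer
    advertises must be its own address (assumption, not ASA behaviour).
    """
    text = line.strip()
    hp = parse_hostport(text)
    if hp is None:
        return None
    if text.upper().startswith("PORT "):
        # Active mode: the server connects back to the client's advertised socket.
        return {"mode": "active", "allowed": hp[0] == client_ip,
                "src": (server_ip, 20), "dst": hp}
    if text.startswith("227"):
        # Passive mode: the client connects to the server's advertised socket.
        return {"mode": "passive", "allowed": hp[0] == server_ip,
                "src": (client_ip, None), "dst": hp}
    return None


if __name__ == "__main__":
    # Constructed sample lines; 10.10.1.10 is the inside server address from the page.
    print(data_connection("PORT 10,10,1,10,7,209", "10.10.1.10", "192.0.2.7"))
    print(data_connection("227 Entering Passive Mode (192,0,2,7,7,209)", "10.10.1.10", "192.0.2.7"))
    print(rewrite_hostport("PORT 10,10,1,10,7,209", "203.0.113.5", 40000))
```

The port arithmetic (p1 * 256 + p2) is the reason the firewall has to understand the protocol at all: without reading the control channel it cannot know which high port the data connection will use, which is why disabling inspection leaves only passive-mode outbound transfers working.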

 

Default Inspection on ASA

# sh running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 768
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
  inspect rsh
  inspect netbios
  inspect rtsp
  inspect ipsec-pass-thru
  inspect dns preset_dns_map
  inspect ftp
  inspect pptp
  inspect icmp
 class IPS_traffic
  ips inline fail-close
 class class-default
  set connection decrement-ttl

 

EXAMPLE 1

  • Enabling standard inspection with the "strict" option.

The strict option prevents embedded commands from being sent in FTP requests, and each command must be acknowledged before a new command is allowed. All FTP communication must comply with the RFC standards.

(config)# policy-map global_policy

(config-pmap)# class inspection_default

(config-pmap-c)# inspect ftp strict

(config-pmap-c)# exit

(config-pmap)# exit


The test was done with the FileZilla FTP client and everything worked as expected.

Inspect: ftp strict, packet 41, drop 0, reset-drop 0

 

EXAMPLE 2

  • Disabling deletion of files and folders on the FTP server
 

(config)# policy-map type inspect ftp danpol-ftp

(config-pmap)# match request-command dele rmd

(config-pmap-c)# reset log

(config-pmap-c)# exit

(config-pmap)# exit

(config)# policy-map global_policy

(config-pmap)# class inspection_default

(config-pmap-c)# inspect ftp strict danpol-ftp

(config-pmap-c)# exit

(config-pmap)# exit

 

TEST

Mar 07 2013 21:02:13: %ASA-5-303005: Strict FTP inspection matched request-command dele rmd in policy-map danpol-ftp, Reset connection from outside:x.x.x.x/1989 to inside:10.10.1.10/21
Mar 07 2013 21:02:13: %ASA-4-507003: tcp flow from outside:x.x.x.x/1989 to inside:10.10.1.10/21 terminated by inspection engine, reason - inspector reset unconditionally.
Mar 07 2013 21:02:13: %ASA-6-302014: Teardown TCP connection 28517 for outside:x.x.x.x/1989 to inside:10.10.1.10/21 duration 0:00:19 bytes 224 Flow closed by inspection

[image: 1.PNG]

The red line means "Connection reset by server": in our case the reset came from the ASA, but the FTP client cannot tell the difference.

Inspect: ftp strict danpol-ftp, packet 99, drop 0, reset-drop 2
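The three syslog lines above (303005, 507003, 302014) are the audit trail the inspection engine produces for one reset connection, and the same 303005 message appears for the username, filetype and filename matches later on this page. As an added example (not part of the original page, not Cisco tooling), the following parser extracts the policy-map, the match criterion and the flow from each 303005 line and groups all messages of one flow together, which is what you would feed into a SIEM rule or a quick triage script. The sample log is the page's own Example 2 output embedded as a constructed string; the regexes are written against the message text shown here and nothing else.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines the page shows for Example 2 (the outside
# address is anonymised as x.x.x.x on the page and is kept that way here).
SAMPLE_LOG = """\
Mar 07 2013 21:02:13: %ASA-5-303005: Strict FTP inspection matched request-command dele rmd in policy-map danpol-ftp, Reset connection from outside:x.x.x.x/1989 to inside:10.10.1.10/21
Mar 07 2013 21:02:13: %ASA-4-507003: tcp flow from outside:x.x.x.x/1989 to inside:10.10.1.10/21 terminated by inspection engine, reason - inspector reset unconditionally.
Mar 07 2013 21:02:13: %ASA-6-302014: Teardown TCP connection 28517 for outside:x.x.x.x/1989 to inside:10.10.1.10/21 duration 0:00:19 bytes 224 Flow closed by inspection
"""

# Generic ASA syslog header: timestamp, severity and six-digit message id.
HEADER = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

# Body of 303005 as shown on this page: the match criterion, the policy-map,
# the action and the flow (interface:address/port on both sides).
MATCH_303005 = re.compile(
    r"Strict FTP inspection matched (?P<criterion>.+?) in policy-map (?P<policy>\S+), "
    r"(?P<action>\w+) connection from (?P<src_if>\w+):(?P<src>\S+?)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>\S+?)/(?P<dport>\d+)"
)

# Flow key shared by 303005, 507003 and 302014, used to stitch them together.
FLOW = re.compile(r"(\w+:\S+?/\d+ to \w+:\S+?/\d+)")


def parse_header(line):
    """Split one syslog line into its header fields and body, or None."""
    m = HEADER.match(line.strip())
    return m.groupdict() if m else None


def ftp_resets(log_text):
    """Return one dict per 303005 line: who was reset, by which policy, on which match."""
    events = []
    for line in log_text.splitlines():
        h = parse_header(line)
        if not h or h["msgid"] != "303005":
            continue
        m = MATCH_303005.search(h["body"])
        if not m:
            continue  # a 303005 variant this parser does not know; skip rather than guess
        ev = m.groupdict()
        ev["ts"] = h["ts"]
        events.append(ev)
    return events


def flows(log_text):
    """Group message ids by flow so one reset shows up as 303005 -> 507003 -> 302014."""
    by_flow = defaultdict(list)
    for line in log_text.splitlines():
        h = parse_header(line)
        if not h:
            continue
        f = FLOW.search(h["body"])
        if f:
            by_flow[f.group(1)].append(h["msgid"])
    return dict(by_flow)


if __name__ == "__main__":
    for ev in ftp_resets(SAMPLE_LOG):
        print(f'{ev["ts"]} {ev["policy"]}: {ev["criterion"]} -> {ev["action"]} '
              f'{ev["src"]}:{ev["sport"]} -> {ev["dst"]}:{ev["dport"]}')
    print(flows(SAMPLE_LOG))
```

A useful detection signal is not the single reset but the count of 303005 events per source address and criterion over a short window: one "dele" from an operator who forgot the policy is noise, dozens from one host are worth a look.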


EXAMPLE 3

  • Masking the FTP banner and server responses

The current banner is shown below:

[image: 2.PNG]

(config)# policy-map type inspect ftp danpol-ftp

(config-pmap)# parameters

(config-pmap-p)# mask-banner

(config-pmap-p)# mask-syst-reply

(config-pmap-p)# exit

(config-pmap)# exit

 

TEST

[image: 3.PNG]

Instead of the banner you now see "**********".

 

EXAMPLE 4

  • Blocking login for the user "test"
 

(config)# regex FTP_TEST_USER "test"

(config)# policy-map type inspect ftp danpol-ftp

(config-pmap)# match username regex FTP_TEST_USER

(config-pmap-c)# reset log

(config-pmap-c)# exit

(config-pmap)# exit

 

TEST

[image: 4.PNG]

RED - the user cannot connect.

Mar 07 2013 22:28:00: %ASA-5-303005: Strict FTP inspection matched username regex FTP_TEST_USER in policy-map danpol-ftp, Reset connection from outside:x.x.x.x/2349 to inside:10.10.1.10/21

 

EXAMPLE 5

  • Do not allow uploading of mp3 files

(config)# regex mp3 "\.mp3"

(config)# policy-map type inspect ftp danpol-ftp

(config-pmap)# match filetype regex mp3

(config-pmap-c)# reset log

(config-pmap-c)# exit

(config-pmap)# exit

 

TEST

[image: 5.PNG]

RED - connection reset by server; the file transfer failed.

Mar 07 2013 22:56:13: %ASA-5-303005: Strict FTP inspection matched filetype regex mp3 in policy-map danpol-ftp, Reset connection from outside:x.x.x.x/2566 to inside:10.10.1.10/21

 
 

EXAMPLE 6

  • Deny all users access to resources in the folder named "test".

Users are able to change into the folder, but they will not see any files.

(config)# regex FTP_PATH_ACCESS "\/test"

(config)# policy-map type inspect ftp danpol-ftp

(config-pmap)# match filename regex FTP_PATH_ACCESS

(config-pmap-c)# reset log

(config-pmap-c)# exit

(config-pmap)# exit

 

TEST

Mar 07 2013 23:20:13: %ASA-5-303005: Strict FTP inspection matched filename regex FTP_PATH_ACCESS in policy-map danpol-ftp, Reset connection from outside:x.x.x.x/2656 to inside:10.10.1.10/21
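Examples 4, 5 and 6 all hinge on a regex, and none of the three is anchored: "test" matches any username that contains the string, "\.mp3" matches anywhere in the name, and "\/test" matches "/testing" just as well as "/test". Whether that is what you want depends on intent, but it is worth checking before the policy resets somebody's connection. The following is an added example (not from the original page, not Cisco code) that runs the page's three patterns and a tighter anchored variant of each over constructed sample inputs, using Python's re engine as a stand-in; it is an assumption here that the ASA regex engine treats ^, $, \. and \/ the same way for these simple patterns, and Python's case-sensitive default is also assumed to match the ASA rather than verified.

```python
import re

# The three regex definitions exactly as configured on the page.
PAGE_REGEXES = {
    "FTP_TEST_USER": r"test",
    "mp3": r"\.mp3",
    "FTP_PATH_ACCESS": r"\/test",
}

# Anchored alternatives for the intent the page describes (assumption: the ASA
# honours ^ and $ as Python's re does). FTP_PATH_ACCESS here means "the top-level
# /test folder or anything under it"; pick a different anchor for other intents.
ANCHORED = {
    "FTP_TEST_USER": r"^test$",
    "mp3": r"\.mp3$",
    "FTP_PATH_ACCESS": r"^\/test(\/|$)",
}

# Constructed sample values a policy author should try before deploying.
SAMPLES = {
    "FTP_TEST_USER": ["test", "testuser", "contest", "admin"],
    "mp3": ["song.mp3", "song.mp3.txt", "SONG.MP3", "notes.txt"],
    "FTP_PATH_ACCESS": ["/test/a.txt", "/testing/b.txt", "/data/test/c.txt", "/other/d.txt"],
}


def matches(pattern, value):
    """True if the pattern matches anywhere in value (unanchored search, like the page's use)."""
    return re.search(pattern, value) is not None


def compare(name, samples):
    """Return {sample: (page_regex_hit, anchored_regex_hit)} for one regex name."""
    return {s: (matches(PAGE_REGEXES[name], s), matches(ANCHORED[name], s)) for s in samples}


def overmatches(name, samples):
    """Samples the page's regex resets but the anchored variant would let through."""
    return [s for s, (page_hit, anchored_hit) in compare(name, samples).items()
            if page_hit and not anchored_hit]


if __name__ == "__main__":
    for name, samples in SAMPLES.items():
        print(f"{name}: page={PAGE_REGEXES[name]!r} anchored={ANCHORED[name]!r}")
        for s, (page_hit, anchored_hit) in compare(name, samples).items():
            print(f"  {s:18} page={page_hit!s:5} anchored={anchored_hit}")
        print(f"  over-matched by page regex: {overmatches(name, samples)}")
```

The "SONG.MP3" sample is the one to watch: it is let through by both patterns in this Python run because the match is case-sensitive, so if the intent is to block the file type regardless of case the pattern needs to say so explicitly rather than rely on the engine's default.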
