In working through Vol 2, Lab 11, I have found that FTP inspections don't work the way I would expect them to. Specifically, in Section 1.6 traffic matching the deny statements does not get inspected with the ftp fixup. I would expect it not to be inspected with the DPI that is tied to CM-FTP. However, failing to match that entire class, one would expect the traffic to be inspected with the "inspect ftp" that is in "inspection_default". I cannot make this happen. I am positive that the order of classes is correct, and I even cleared it and typed it line by line according to the detailed solution guide.
The net result I see is that Active mode FTP fails, but I think passive mode would still work. I am using a router as the FTP server. The only fix I have found is to create another class to inspect the traffic that should otherwise default to the global inspect rule. Has anyone else seen anything similar? I've fought through this for a few hours, tested quite extensively and even looked through the bug toolkit. FTP matching the DENY statements fails to be inspected. As a result the PORT command does not get translated. Below is my fix.

! FTP that will be reset with stou or put
access-list FTP extended deny tcp any 8.9.6.0 255.255.255.0 eq ftp
access-list FTP extended permit tcp any any eq ftp
! FTP that will be permitted with stou or put
access-list OTHERFTP extended permit tcp any 8.9.6.0 255.255.255.0 eq ftp
class-map OTHERFTP
 match access-list OTHERFTP
class-map CM-FTP
 match access-list FTP
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect ftp PM-FTP
 parameters
 match request-command put stou
  reset log
policy-map global_policy
 class OTHERFTP
  inspect ftp
 class CM-FTP
  inspect ftp strict PM-FTP
 class inspection_default
  <--snip-->
  inspect ftp
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
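To make the class-ordering argument in the post concrete, here is an added toy model (not from the post, not ASA code) of how the Modular Policy Framework is documented to select a class for a flow: ACLs are evaluated first-match, a deny ACE means the flow simply does not match that class-map, and the first class in global_policy with a matching class-map wins for a given inspection. The addresses, the 10.0.0.5 client and the "without fix" policy (assumed to be the posted policy minus the OTHERFTP class) are constructed for the example. The model only shows what the poster expected to happen; it does not reproduce the failure observed on the box.

```python
import ipaddress

# Constructed model of the MPF pieces in the post: ACLs, class-maps and the
# order of classes in global_policy.  Only tcp/21 (the FTP control port) is
# represented, as in the post's access-lists.

# ACEs as (action, src, dst, dst_port); "any" is a wildcard.
ACLS = {
    "FTP": [("deny", "any", "8.9.6.0/24", 21), ("permit", "any", "any", 21)],
    "OTHERFTP": [("permit", "any", "8.9.6.0/24", 21)],
}

# class-map name -> ACL it matches.  inspection_default is modelled as the
# built-in default-inspection-traffic match, which covers ftp on tcp/21.
CLASS_MAPS = {"OTHERFTP": "OTHERFTP", "CM-FTP": "FTP"}

# global_policy as posted (with the OTHERFTP fix) and, by assumption, as the
# solution guide had it (the same policy without the OTHERFTP class).
POLICY_WITH_FIX = [
    ("OTHERFTP", "inspect ftp"),
    ("CM-FTP", "inspect ftp strict PM-FTP"),
    ("inspection_default", "inspect ftp"),
]
POLICY_WITHOUT_FIX = [c for c in POLICY_WITH_FIX if c[0] != "OTHERFTP"]

# PM-FTP: "match request-command put stou" -> "reset log"
PM_FTP_RESET_COMMANDS = {"PUT", "STOU"}


def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(acl_name, src, dst, dport):
    """First-match ACL evaluation.  Hitting a deny ACE means the flow does NOT
    match the class-map; it is not 'denied' traffic, it just falls through."""
    for action, s, d, p in ACLS[acl_name]:
        if _in_net(src, s) and _in_net(dst, d) and p == dport:
            return action == "permit"
    return False  # implicit deny: no match for this class


def classify(src, dst, dport, policy):
    """Return the first class in the policy whose match succeeds for the flow,
    or None if no class carries an ftp inspection for it."""
    for cls, _action in policy:
        if cls == "inspection_default":
            if dport == 21:  # default-inspection-traffic includes ftp/tcp21
                return cls
        elif acl_permits(CLASS_MAPS[cls], src, dst, dport):
            return cls
    return None


def ftp_disposition(src, dst, command, policy=POLICY_WITH_FIX):
    """What the inspection chosen for this control session does with an FTP
    request command: 'reset' under PM-FTP for put/stou, otherwise 'allow'."""
    cls = classify(src, dst, 21, policy)
    if cls is None:
        return "uninspected"
    action = dict(policy)[cls]
    if "PM-FTP" in action and command.upper() in PM_FTP_RESET_COMMANDS:
        return "reset"
    return "allow"


if __name__ == "__main__":
    client = "10.0.0.5"  # constructed client address
    for dst in ("8.9.6.10", "192.0.2.10"):  # constructed FTP server addresses
        for policy, label in ((POLICY_WITHOUT_FIX, "without fix"),
                              (POLICY_WITH_FIX, "with fix")):
            print(label, dst, classify(client, dst, 21, policy),
                  ftp_disposition(client, dst, "STOU", policy))
```

Under these documented semantics the 8.9.6.0/24 flows fall to inspection_default when OTHERFTP is absent, which is what the post expected and did not get; the added OTHERFTP class removes any reliance on that fall-through by giving those flows an explicit permit match ahead of CM-FTP.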
