I too thought of blocking the command. However, it is not a request-command. The PASV is a response from the server. So if you look at the deep packet inspection options below, you will see that it is lacking.
ciscoasa(config)# policy-map type inspect ftp BLAH
ciscoasa(config-pmap)# mat
ciscoasa(config-pmap)# match ?

mpf-policy-map mode commands/options:
  filename         Match a filename for FTP transfer
  filetype         Match a filetype for FTP transfer
  not              Negate this match result
  request-command  Match a FTP request command
  server           Match a FTP server
  username         Match a FTP user

ciscoasa(config-pmap)# match req
ciscoasa(config-pmap)# match request-command ?

mpf-policy-map mode commands/options:
  appe  Append to a file
  cdup  Change to parent of current directory
  dele  Delete a file at server site
  get   FTP client command for the retr command - retrieve a file
  help  Help information from server
  mkd   Create a directory
  put   FTP client command for the stor command - store a file
  rmd   Remove a directory
  rnfr  Rename from
  rnto  Rename to
  site  Specify server specific command
  stou  Store a file with a unique name

In response to [email protected]:

Just an idea that popped into my mind. Would it be possible to just disable the PASV command on the command protocol (e.g. enable inspection for a specific class and block the command PASV)? That means that only the PORT command is allowed, and passive is/might be disabled / prevented... It's just an idea, don't know if it would work or not.

Suppose that that specific 192.1.49.100 server (let's put it in a real-life situation) is also a webserver, or SMTP server, or even worse, a streaming server. By doing the deny ip any host 192.1.49.100 you would disable those services as well... I know that might not be the point in the exam, but that specific situation would bother me, since I would be blocking all traffic to that host just to disable one command in a single protocol.
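As an added example (not the original poster's configuration, nor anything from the list), here is how the request-command matches shown in the `match ?` output would be used in a complete ASA Modular Policy Framework configuration. The policy-map name BLAH is taken from the post; the choice of commands to reset and the use of the default global_policy/inspection_default class are assumptions for illustration. It makes the post's point from the other side: the FTP inspection engine can reset a session on any of the listed request commands, but PASV is simply not among the keywords it offers.

```cisco
! Added example, not the original poster's configuration.
! Reuses the policy-map name BLAH from the post; other choices are assumed.
policy-map type inspect ftp BLAH
 parameters
  ! Hide the server banner and SYST reply from the client.
  mask-banner
  mask-syst-reply
 ! Reset the control connection (and log) on write/rename/site commands.
 ! PASV cannot be matched here: it is not a request-command keyword on the ASA.
 match request-command appe dele mkd put rmd rnfr rnto site stou
  reset log
!
! Attach the FTP inspection policy to the default inspection class.
! "strict" additionally enforces the RFC 959 command/reply sequence
! on the control channel before data connections are opened.
policy-map global_policy
 class inspection_default
  inspect ftp strict BLAH
!
service-policy global_policy global
```

Because the policy is applied with `service-policy ... global`, it inspects FTP on every interface without any access-list entry against the server address, so the other services the quoted reply worries about (HTTP, SMTP, streaming on the same host) are untouched.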
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
