Hi Paul,

I agree, it looks like the ASA deep packet inspection does not (yet) support the PASV command to filter on; then blocking the whole server, or at least traffic to the FTP server with port range 1024-65535, would be the best way to go.

Pieter-Jan


On 11 sep 2009, at 16:30, Paul Stewart wrote:

I too thought of blocking the command.  However, it is not a request-command.  The PASV is a response from the server.  So if you look at the deep packet inspection options below, you will see that it is lacking.

ciscoasa(config)# policy-map type inspect ftp BLAH
ciscoasa(config-pmap)# mat
ciscoasa(config-pmap)# match ?

mpf-policy-map mode commands/options:
  filename         Match a filename for FTP transfer
  filetype         Match a filetype for FTP transfer
  not              Negate this match result
  request-command  Match a FTP request command
  server           Match a FTP server
  username         Match a FTP user
ciscoasa(config-pmap)# match req
ciscoasa(config-pmap)# match request-command ?

mpf-policy-map mode commands/options:
  appe  Append to a file
  cdup  Change to parent of current directory
  dele  Delete a file at server site
  get   FTP client command for the retr command - retrieve a file
  help  Help information from server
  mkd   Create a directory
  put   FTP client command for the stor command - store a file
  rmd   Remove a directory
  rnfr  Rename from
  rnto  Rename to
  site  Specify server specific command
  stou  Store a file with a unique name

In response to [email protected]

Just an idea that popped into my mind.

Would it be possible to just disable the PASV command on the command
protocol (e.g. enable inspection for a specific class and block the
command PASV)?

That means that only the PORT command is allowed, and passive is/might be
disabled / prevented...

It's just an idea, I don't know if it would work or not.

Suppose that that specific 192.1.49.100 server (let's put it in a real-life situation) is also a webserver, or an SMTP server, or even worse, a streaming server.
By doing the deny ip any host 192.1.49.100 you would disable those services as well...

I know that might not be the point in the exam, but that specific
situation would bother me, since I would be blocking all traffic to
that host just to disable one command in a single protocol.




---

Nefkens Advies

Enk 26

4214 DD Vuren

The Netherlands


Tel: +31 183 634730

Fax: +31 183 690113

Cell: +31 654 323221

Email: [email protected]

Web: http://www.nefkensadvies.nl/


Think before you print.
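The PASV exchange the thread is arguing about, as an added example that is not part of this mail thread and not Cisco's ASA inspection code: a small Python tracker that follows the FTP control channel, notices the PASV request and parses the server's 227 reply (which, per RFC 959, encodes the data-channel address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2). This is the piece of state an inspection engine needs in order to admit only the negotiated data port instead of opening the whole 1024-65535 range. The session below is constructed for illustration; the host 192.1.49.100 is taken from the thread, everything else (commands, replies, the resulting port) is made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed FTP control-channel exchange (not captured from any real server).
# "C" marks a line sent by the client, "S" a reply sent by the server.
SAMPLE_SESSION: List[Tuple[str, str]] = [
    ("S", "220 Service ready for new user."),
    ("C", "USER anonymous"),
    ("S", "331 User name okay, need password."),
    ("C", "PASS guest@"),
    ("S", "230 User logged in, proceed."),
    ("C", "PASV"),
    # 195*256 + 80 = 50000 is the dynamic data port the server picked.
    ("S", "227 Entering Passive Mode (192,1,49,100,195,80)."),
    ("C", "RETR file.txt"),
    ("S", "150 Opening data connection."),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
]

# RFC 959 227 reply: six decimal fields inside parentheses.
PASV_REPLY = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class PassiveDataChannel:
    host: str
    port: int


def parse_227(line: str) -> Optional[PassiveDataChannel]:
    """Extract host and port from a 227 reply; None if the line is not a
    well-formed 227 (wrong code, missing fields, or a field above 255)."""
    m = PASV_REPLY.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return PassiveDataChannel(host, port)


def track_passive_channels(session: List[Tuple[str, str]]) -> List[PassiveDataChannel]:
    """Walk the control channel and return every data channel negotiated via
    PASV.  The dynamic port only becomes known from the server's 227 reply
    that follows the client's PASV request, so both directions must be read.
    A 227 that was not preceded by PASV is ignored; a 4xx/5xx reply to PASV
    cancels the pending negotiation."""
    channels: List[PassiveDataChannel] = []
    awaiting_227 = False
    for direction, line in session:
        if direction == "C":
            # Any client command other than PASV ends a pending negotiation.
            awaiting_227 = line.strip().upper() == "PASV"
        elif direction == "S" and awaiting_227:
            chan = parse_227(line)
            if chan is not None:
                channels.append(chan)
                awaiting_227 = False
            elif line[:1] in ("4", "5"):
                awaiting_227 = False  # server refused passive mode
    return channels


def is_negotiated_data_connection(channels: List[PassiveDataChannel],
                                  dst_host: str, dst_port: int) -> bool:
    """Policy check a stateful inspector would apply to a new TCP connection:
    allow it only if it targets a host/port pair announced in a 227 reply."""
    return any(c.host == dst_host and c.port == dst_port for c in channels)


if __name__ == "__main__":
    negotiated = track_passive_channels(SAMPLE_SESSION)
    for c in negotiated:
        print(f"passive data channel: {c.host}:{c.port}")
    print(is_negotiated_data_connection(negotiated, "192.1.49.100", 50000))
    print(is_negotiated_data_connection(negotiated, "192.1.49.100", 50001))
```

Run as a script it prints the single negotiated channel 192.1.49.100:50000, then True for a connection to that port and False for the neighbouring one. The point for the discussion above is that deciding on PASV requires correlating a client request with the server reply that carries the port; a match on the request command alone, or a static deny of the whole host, cannot express that.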




_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
