Paul,
I will probably have to go back and retest this section. Looking at the solution guide, it doesn't look like I tested it to make sure it works, so I will probably have to come out with an update for this section. I am not sure right now on this one without further testing. I will let all of you know sometime this week.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Friday, September 11, 2009 10:30 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] Volume 2 Lab 12 Filtering FTP

I too thought of blocking the command. However, it is not a request-command. The PASV is a response from the server. So if you look at the deep packet inspection options below, you will see that it is lacking.

    ciscoasa(config)# policy-map type inspect ftp BLAH
    ciscoasa(config-pmap)# mat
    ciscoasa(config-pmap)# match ?

    mpf-policy-map mode commands/options:
      filename         Match a filename for FTP transfer
      filetype         Match a filetype for FTP transfer
      not              Negate this match result
      request-command  Match a FTP request command
      server           Match a FTP server
      username         Match a FTP user

    ciscoasa(config-pmap)# match req
    ciscoasa(config-pmap)# match request-command ?

    mpf-policy-map mode commands/options:
      appe  Append to a file
      cdup  Change to parent of current directory
      dele  Delete a file at server site
      get   FTP client command for the retr command - retrieve a file
      help  Help information from server
      mkd   Create a directory
      put   FTP client command for the stor command - store a file
      rmd   Remove a directory
      rnfr  Rename from
      rnto  Rename to
      site  Specify server specific command
      stou  Store a file with a unique name

In response to [email protected]

Just an idea that popped into my mind. Would it be possible to just disable the pasv command on the command protocol (e.g. enable inspection for a specific class and block the command PASV)? That means that only the port command is allowed, and passive is/might be disabled/prevented. It's just an idea, don't know if it would work or not.

Suppose that that specific 192.1.49.100 server (let's put it in a real-life situation) is also a webserver, or smtp server, or even worse, streaming server. By doing the deny ip any host 192.1.49.100 you would disable those services as well. I know that might not be the point in the exam, but that specific situation would bother me, since I would be blocking all traffic to that host, just to disable one command in a single protocol.
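For reference, here is a complete ASA Modular Policy Framework configuration built from the `match request-command` option shown in the CLI output above. It is an added example, not configuration from the thread or from the IPexpert workbook; the policy-map name FTP_CMD_FILTER and the chosen commands (put, appe, stou) are assumptions. It shows what the FTP inspection policy can filter: request commands from the list above, on the control channel. PASV and PORT are not in that list, so this mechanism does not block passive-mode negotiation; it only resets sessions that issue the matched upload commands.

```cisco
! Layer 7 FTP inspection policy (example, assumed name FTP_CMD_FILTER):
! reset and log any FTP control session whose client issues an upload
! request command (put, appe, stou are taken from the list above)
policy-map type inspect ftp FTP_CMD_FILTER
 parameters
  mask-reply
 match request-command put appe stou
  reset log
!
! Attach the inspection policy to the default global service policy;
! "strict" additionally enforces RFC-conformant command/reply sequencing
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_CMD_FILTER
!
service-policy global_policy global
```

Because the match list has no entry for PASV, the only ways to stop passive transfers discussed in this thread remain the coarse ones (an ACL against the host or its ports); the inspection policy is useful for the per-command filtering that the exam section asks about, not for passive mode itself.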
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
