Hi Johan, don't forget that you have to remove the inspect ftp from the class
inspection_default, i.e.:
config t
policy-map global_policy
 class inspection_default
  no inspect ftp
!
Then:
class-map CUSTOM_FTP
 match port tcp eq 21021
policy-map global_policy
 class CUSTOM_FTP
  inspect ftp
It's as good as doing PAM with ASA...
________________________________
From: Johan Bornman <[email protected]>
To: OSL Security <[email protected]>
Sent: Mon, December 27, 2010 1:27:59 PM
Subject: [OSL | CCIE_Security] Lab 11 Task 1.7
Hi,
Custom inspection is done on ftp, port 21021.
The solution from the WB:
class-map CUSTOM_FTP
 match port tcp eq 21021
policy-map global_policy
 class CUSTOM_FTP
  inspect ftp
My question is about the ftp keyword under the global_policy.
1. How does the ASA know that the new custom ftp port must also include 21021?
2. Will the ftp keyword also include port 21?
Thanks
Johan