Cisco suggestion for this: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies the ports, and assign it to a new class map:

    hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
    hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
    hostname(config)# class-map new_inspection
    hostname(config-cmap)# match access-list ftp_inspect

It has to have something that triggers it as FTP, like TacACK has said. That's my guess.

On Mon, Dec 27, 2010 at 10:59 AM, Vybhav Ramachandran <[email protected]> wrote:
> Hello Johan,
>
> My guess would be, we are instructing the ASA to look into the traffic
> going to port 21021 for FTP commands. So I think the ASA assumes the traffic
> is FTP and looks for the PASV and PORT FTP commands. Once it finds that, it
> goes about doing its normal FTP inspection.
>
> At least that's my theory :)
>
> Cheers,
> TacACK
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
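The Cisco excerpt quoted above stops at the class map; nothing is inspected until that class is placed in a policy map with an "inspect ftp" action and the policy map is applied. The following is an added example of the complete chain for the port discussed in this thread (21021). It is not from the Cisco document or from either poster: the ACL and class-map names are made up for illustration, "global_policy" is the ASA default global policy-map name, and the "strict" keyword is an optional hardening that is explained in the comments.

```cisco
! Added example (not from the original thread or the Cisco guide).
! Match the FTP control channel on the non-standard port only. Port 21 is
! already covered by the built-in inspection_default class, whose
! "match default-inspection-traffic" covers the standard ports and nothing
! else, which is why a separate class is needed for 21021.
access-list ftp_inspect_21021 extended permit tcp any any eq 21021
!
class-map ftp_nonstd
 match access-list ftp_inspect_21021
!
! Put "inspect ftp" on that class inside the policy map that is already
! applied globally. Without "strict", the ASA parses PORT and PASV on the
! control channel only to open the dynamic pinhole (and fix up embedded
! addresses under NAT) for the data channel. With "strict", it additionally
! enforces the RFC 959 command/reply sequence and resets a session on the
! port that does not behave like FTP, so non-FTP traffic on 21021 is dropped.
policy-map global_policy
 class ftp_nonstd
  inspect ftp strict
!
! Only needed if global_policy is not already applied (it is, by default).
service-policy global_policy global
```

After applying it, "show service-policy inspect ftp" should report the new class with a rising packet count once a client connects on 21021, and "show conn" will show the data-channel connections the inspector pinholed. The caveat is the one TacACK hints at: matching the port tells the ASA to treat the stream as FTP, so if anything other than FTP uses 21021 on that path, leave off "strict" or narrow the ACL to the FTP server's address.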
