This configuration allows both active mode and pseudo-passive mode connections from the DOS FTP client provided with Windows through a Cisco ASA firewall. It has been tested with ASA code 7.2(3).
!--Enable FTP Passive mode
ftp mode passive
!--Create inspection_default class-map to match the ASA's default inspection traffic
class-map inspection_default
 match default-inspection-traffic
!--Add the 'inspection_default' class to the global_policy w/ inspect ftp directive
policy-map global_policy
 class inspection_default
  inspect ftp
!--Apply the policy globally to all interfaces
service-policy global_policy global
Essentially, this enables passive FTP while simultaneously turning on advanced application inspection, formerly known as 'protocol fixup', for active FTP.
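Why FTP needs inspection at all: the data connection's address and port are negotiated inside the control channel (PORT for active mode, the 227 reply for passive mode), so a firewall has to read them to know which connection to expect. The sketch below is an added illustration of that parsing, not code from this post and not how the ASA implements it; the function names, the no-NAT assumption, the refusal of ports below 1024 and the sample addresses are all assumptions made for the example.

```python
import ipaddress
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def data_channel(line, client_ip, server_ip):
    """Work out which data connection a control-channel line announces.

    Returns (initiator_ip, listener_ip, listener_port), or None when the line
    negotiates nothing or names an endpoint that should not be trusted.
    Assumes no NAT between the two peers (hypothetical simplification).
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active mode: the client listens and the server connects back to it.
        expected, initiator = client_ip, server_ip
    elif line.startswith("227 "):
        # Passive mode: the server listens and the client connects to it.
        expected, initiator = server_ip, client_ip
    else:
        return None
    parsed = parse_hostport(line[4:])
    if parsed is None:
        return None
    ip, port = parsed
    # Only accept the announcing peer's own address and an unprivileged port.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(expected) or port < 1024:
        return None
    return initiator, ip, port


if __name__ == "__main__":
    # Constructed control-channel lines; addresses are sample values.
    for sample in ("PORT 10,0,0,5,19,137", "227 Entering Passive Mode (192,0,2,10,195,80)."):
        print(sample, "->", data_channel(sample, "10.0.0.5", "192.0.2.10"))
```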
Saturday, July 25, 2009