This configuration allows both active mode and pseudo-passive mode connections from the DOS FTP client provided with Windows on a Cisco ASA firewall. It has been tested with ASA code 7.2(3).
!--Enable FTP Passive mode
ftp mode passive
!--Create inspection_default class-map to match the ASA's default inspection traffic
class-map inspection_default
 match default-inspection-traffic
!--Add the 'inspection_default' class to the global_policy w/ inspect ftp directive
policy-map global_policy
 class inspection_default
  inspect ftp
!--Apply the policy globally to all interfaces
service-policy global_policy global
Essentially this enables passive FTP while simultaneously turning on advanced application inspection and what was once known as 'protocol fixup' for active FTP.
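The control-channel fields an FTP inspection engine has to read before it can permit the negotiated data connection, as an added example in Python that is not from the original post and is not Cisco's code. The function names and the sample lines are constructed for illustration; it covers both the active-mode PORT command and the passive-mode 227 reply defined in RFC 959.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959 host-port).
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def data_endpoint(control_line):
    """Return (mode, ip, port) negotiated by one FTP control-channel line.

    mode is "active" for a client PORT command and "passive" for a server
    227 reply; any other line returns None. Raises ValueError when the
    host-port field is missing or a field is not a valid octet.
    """
    line = control_line.strip()
    upper = line.upper()
    if upper.startswith("PORT "):
        mode = "active"    # client tells the server where to connect back
    elif upper.startswith("227"):
        mode = "passive"   # server tells the client where to connect
    else:
        return None
    match = _HOSTPORT.search(line[4:] if mode == "active" else line[3:])
    if match is None:
        raise ValueError("no host-port field in: " + line)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in: " + line)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # high byte, then low byte
    return mode, ip, port


def expected_data_connections(lines):
    """Collect the data-channel endpoints a stateful inspector would expect."""
    return [ep for ep in map(data_endpoint, lines) if ep is not None]


# Constructed control-channel lines using documentation address ranges.
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,19,137",
    "227 Entering Passive Mode (198,51,100,5,195,80).",
]

if __name__ == "__main__":
    for mode, ip, port in expected_data_connections(SAMPLE_SESSION):
        print(f"{mode:8s} data connection expected to {ip}:{port}")
```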