File Transfer Protocol

Cisco ASA FTP application inspection examines the FTP sessions to provide the following features:

  • Enhanced security while creating dynamic secondary data connections for FTP transfers
  • Enforcement of FTP command-response sequence
  • Generation an audit trail for FTP sessions
  • Translation of embedded IP address

Use the inspect ftp command to enable FTP inspection. The strict keyword (optional) allows the Cisco ASA to prevent client systems from sending embedded commands in FTP requests:

 inspect ftp [strict] ftp-map-name

ftp-map-name is the name of an FTP map used to define FTP request commands to be denied. Example 8-8 demonstrates how to use the inspect ftp strict command in conjunction with an FTP map, called myftpmap, to deny several FTP commands.

Example 8-8. Denying Specific FTP Commands

ftp-map myftpmap

 deny-request-cmd cdup rnfr rnto stor stou


class-map inspection_default

 match default-inspection-traffic


policy-map asa_global_fw_policy

 class inspection_default

 inspect ftp strict myftpmap


The strict option may break FTP sessions from clients that do not comply with the RFC standards; however, it provides more security features.

When the strict option is enabled, the following anomalous activities in FTP commands and replies are denied:

  • The total number of commas in the PORT and PASV reply commands is checked. If they are not 5, the PORT command is considered to be truncated and the connection is closed.
  • The Cisco ASA inspects all FTP commands to see if they end with characters, as specified by the RFC 959, "FTP Protocol". The connection is closed if these are not present.
  • The PORT command is always expected to be sent from the FTP client. If the PORT command is sent from the server, the connection is dropped.
  • The PASV reply command is always expected to be sent from the server. If the PASV command is sent from the client, the connection is dropped.
  • The Cisco ASA checks the negotiated dynamic port value in the passive FTP mode. The port should not be in the range from 1 to 1024, because these are reserved for well-known protocols. The connection is closed if the negotiated port is within this range.
  • The security appliance checks the number of characters included after the port numbers in the PORT and PASV reply commands. The maximum number of characters must be eight. The Cisco ASA closes the TCP connection if the number of character exceeds eight.

The FTP map request-command deny subcommand is used to deny specific FTP commands on the Cisco ASA. Table 8-3 lists all the request-command deny subcommand options that can be restricted under an FTP map.

Table 8-3. List of FTP Commands Available for Restriction




Denies all supported FTP commands


Denies the ability to append to a file


Denies a user request to change to parent of current directory


Restricts the user to access the help information from the FTP server


Denies the retrieval of a file from the FTP server


User is not allowed to rename from a filename


User is not allowed to rename to a specific filename


User not allowed to specify server-specific command


Denies the user permission to store a file


Denies the user permission to store a file with a unique name

The SYST FTP command allows a system to ask for information about the server's operating system. The server accepts this request with code 215 and sends the requested information. The Cisco ASA replaces the FTP server response to the SYST command with an X for each character sent, to prevent FTP clients from seeing the FTP server systemtype information. You can use the no mask-syst-reply subcommand in FTP map configuration mode to disable this default behavior, as shown in Example 8-9.

Example 8-9. mask-syst-reply Subcommand

ftp-map myftpmap

 no mask-syst-reply

Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231 © 2008-2020.
If you may any questions please contact us: