Saturday, July 25, 2009

Enable DOS FTP client through ASA

This configuration allows both active mode and pseudo-passive mode connections from the DOS FTP client provided with Windows to pass through a Cisco ASA firewall. It has been tested with ASA code 7.2(3).

!--Enable FTP Passive mode
ftp mode passive

!--Create inspection_default class-map to match the ASA's default inspection traffic
class-map inspection_default
 match default-inspection-traffic

!--Add the 'inspection_default' class to the global_policy with the 'inspect ftp' directive
policy-map global_policy
 class inspection_default
  inspect ftp

!--Apply the policy globally to all interfaces
service-policy global_policy global

Essentially this enables passive FTP while simultaneously turning on advanced application inspection and what was once known as 'protocol fixup' for active FTP.
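Why active FTP needs inspection at all, as an added Python example (not part of the original post and not Cisco's code): the data-channel endpoint travels inside the control channel, in the client's PORT command or the server's 227 reply, so an inspecting firewall has to parse it to permit the second connection and to translate the embedded address. The function names and sample lines are constructed for illustration.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959 host-port)
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def data_endpoint(line):
    """Return (ip, port) announced by a PORT command or 227 reply, else None."""
    text = line.strip()
    if not (text.upper().startswith("PORT ") or text.startswith("227 ")):
        return None
    m = _HOSTPORT.search(text[4:])
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed field: do not open anything based on it
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_port(line, mapped_ip):
    """Rewrite the address embedded in a PORT command to a translated address."""
    if not line.strip().upper().startswith("PORT "):
        return line
    endpoint = data_endpoint(line)
    if endpoint is None:
        return line
    port = endpoint[1]
    return "PORT {},{},{}".format(mapped_ip.replace(".", ","), port // 256, port % 256)


# Constructed control-channel lines (addresses from documentation ranges)
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,10,19,137",                        # active: client listens
    "227 Entering Passive Mode (203,0,113,5,195,80)",  # passive: server listens
    "PORT 192,168,1,999,1,2",                          # malformed address field
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(sample_line, "->", data_endpoint(sample_line))
    print(rewrite_port(SAMPLE[1], "198.51.100.7"))
```

In active mode the server connects back to the port the client announced, which is why the firewall must learn that port from the PORT command before the inbound data connection arrives.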
