February 6, 2012

How-to: MPF on ASA to deny FTP Commands.

I was reviewing the FTP Protocol Handling options of the ASA and it made me curious. One section of the SNPA book says that with the "strict" option it does not allow embedded commands to be sent through a browser. It made me wonder, do people still use a web browser to FTP? Personally I use WSFTP or FireFTP on my Windows machine and CyberDuck on my Mac.

Well enough of that, so that you actually gain some sort of knowledge from this post I've decided to stick with some Modular Policy Framework today. The following config is related to FTP Protocol Inspection:

Start by making an FTP connection through the ASA. With default values it should work. You'll need to download a file to make sure that both the data channel and the control channel are working properly.

Next, create a policy-map type inspect for FTP. This is where you specify the commands you want to deny. In this case we are going to say that the "get" command is not allowed. If "get" is matched, the action to be performed is a reset.

MyAsa(config)# policy-map type inspect ftp BLOCK_GET
MyAsa(config-pmap)# match request-command get
MyAsa(config-pmap-c)# reset
MyAsa(config-pmap-c)# exit
MyAsa(config-pmap)# exit


Next you want to apply the inspection policy map, but you can't apply it all by itself. You have to apply it within a L3/L4 policy map. In the following configuration we are going to use the existing "global_policy" to apply our reset to FTP. You'll access the class inspection_default, which is what the ASA uses to identify FTP traffic on TCP port 21. Use the "inspect" command to tell the ASA to inspect FTP, add the "strict" option and tie it to the policy-map type inspect that we created earlier.

MyAsa(config)# policy-map global_policy
MyAsa(config-pmap)# class inspection_default
MyAsa(config-pmap-c)# inspect ftp strict BLOCK_GET
MyAsa(config-pmap-c)# exit
MyAsa(config-pmap)# exit
MyAsa(config)#


The way to test this is to drop the previous FTP connection that you had up and establish it again. The connection should establish. It looks like it works, but as soon as you try to grab something the FTP application you are using sends a "get" and the connection is reset. Use the following show command to verify.

MyAsa(config)# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default

<--- text omitted --->

Inspect: ftp strict BLOCK_GET, packet 105, drop 0, reset-drop 12
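As an added example (not from the original post), here is the same procedure collected into one pasteable configuration, taken a step further in two ways: the inspection policy map refuses several commands instead of just "get", and the inspection is scoped to one interface with its own class map rather than edited into global_policy. The names DENY_UPLOADS, FTP_CONTROL, FTP_INSPECT_CLASS, OUTSIDE_POLICY and the interface name "outside" are assumptions; the command keywords themselves are standard ASA MPF syntax.

```cisco
! Added example, not from the original post. Object, class, policy and
! interface names are assumed; change them to fit your own deployment.

! 1. FTP inspection policy map. "match request-command" accepts a list of
!    FTP commands on one line; every command listed here gets the reset
!    action. Anything not listed is still allowed through.
policy-map type inspect ftp DENY_UPLOADS
 match request-command put stou appe dele rmd
  reset

! 2. Pick out the FTP control channel (TCP/21) for the connections you want
!    inspected. A broad ACL is used here; narrow the source or destination
!    as needed.
access-list FTP_CONTROL extended permit tcp any any eq ftp
class-map FTP_INSPECT_CLASS
 match access-list FTP_CONTROL

! 3. L3/L4 policy map attached to a single interface. For traffic that
!    matches both, an interface policy takes precedence over global_policy,
!    so FTP arriving on this interface is inspected with DENY_UPLOADS while
!    FTP on other interfaces keeps the default inspect from inspection_default.
policy-map OUTSIDE_POLICY
 class FTP_INSPECT_CLASS
  inspect ftp strict DENY_UPLOADS
service-policy OUTSIDE_POLICY interface outside

! 4. Verify. The reset-drop counter under "Inspect: ftp strict DENY_UPLOADS"
!    increments each time a client sends one of the refused commands.
show service-policy interface outside
```

Two things worth keeping in mind when you test this. The keywords in `match request-command` are the ASA's names for the FTP verbs, so blocking `put` refuses the STOR the client actually sends on the wire, and blocking `get` (as in the post) refuses RETR. And because the match list is a deny list, a command you forgot to list passes unchanged, so re-run the test after every edit rather than trusting the counters from the previous one.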

That's it for today. Don't forget to subscribe to this blog for more how-to's like this.

IE-WB-2 Lab 1. I'm finally digging in.

Man, it has been tough. To start, I taught an SMN class (Cisco Security Manager) Monday. I had rack time scheduled from 3pm and I booked 2 sessions so that I could work for a while. At 7:30 I had only accomplished Part 1, all tasks, but it's the basic setup and it should have flown by in a few minutes. Either way it shows that study time can really be wasted with distractions. The big distraction I have right now is that 5 chapters of my book were due on Friday and I am not totally done with them. In fact I just got access to some WLCs today that I need for screen shots. At any rate, I went at it until 10:40pm and my eyes are hazy. My wife is asleep on the couch and my newborn (3 weeks old) is getting fussy. Time to wake up Mom. Before I go, however, here are the highlights from what I did: General Setup. Easy stuff with the PIX, basic ACLs and such. A failover config on the ASA and some OSPF authentication. No rack time until Wednesday. Tuesday night I'll watch some Advanced Technologies CoD. Bed time...

E-Learning: Is it worth it?

Today I am supposed to be teaching an online class. The problem is that the agenda isn't working and I have no slides to present. You would think that this is a no-brainer, but it's not. Probably because we use a system called Centra Symposium. Not the greatest environment I've worked in; however, from an instructor's perspective, here is my take:



On the plus side:

  • It has great tools, and that's a plus:
    • Whiteboard
    • Web Safari
    • Markup for slides
  • It has chat in addition to VoIP

On the negative side:

  • It's hard to manage a class on the back end:
    • All slides need to be uploaded ahead of time. An instructor can't use his or her own slides.
  • You can mark up a slide and save it to the agenda on the fly, but it gets lost at the end of the agenda.

I'm sure there is more, but I'll leave it at that. But what about the others? Personally I have used Adobe Connect, Microsoft Live Meeting, and MeetingPlace. They all have their strong points. The one I like the least is MeetingPlace. The one I like the best is Microsoft Live Meeting 8, as it has the ease of grabbing my own slides and the audio seems to be good.

As far as Adobe Connect goes, I'm a mixed review. As an instructor I didn't like it because my audio seemed to fade in and out. As a student I took the CCIE Bootcamp from Internetwork Expert and they did a GREAT job. The interface was smooth and I didn't have any issues. The voice quality was good and I really enjoyed the experience.

Well, that's my rant for now. Feel free to comment. I'd love to know what you think or what your experiences have been. Also, don't forget to subscribe if you haven't already.