By default, the configuration includes a policy that matches all default application inspection traffic and applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic includes traffic to the default ports for each protocol. You can only apply one global policy, so if you want to alter the global policy, for example, to apply inspection to non-standard ports, or to add inspections that are not enabled by default, you need to either edit the default policy or disable it and apply a new one. For a list of all default ports

1. Issue the policy-map global_policy command.
   

   ASAwAIP-CLI(config)#policy-map global_policy

2. Issue the class inspection_default command.
   

   ASAwAIP-CLI(config-pmap)#class inspection_default

3. Issue the inspect FTP command.
   

   ASAwAIP-CLI(config-pmap-c)#inspect FTP

   There is an option to use the inspect FTP strict command. This command increases the security of protected networks by preventing a web browser from sending embedded commands in FTP requests.

Example Configuration

ASA-AIP-CLI(config)#show running-config 

 ASA Version 7.2(2)
!
hostname ASA-AIP-CLI
domain-name corp.com
enable password WwXYvtKrnjXqGbu1 encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
  security-level 50
  ip address 172.16.1.12 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
  no nameif
 no security-level
 no ip address
!

!--- Output is suppressed.


!--- Permit inbound FTP control traffic. 

access-list 100 extended permit tcp any host 192.168.1.5 eq ftp

!--- Permit inbound FTP data traffic.

access-list 100 extended permit tcp any host 192.168.1.5 eq ftp-data
!

!--- Command to redirect the FTP traffic received on IP 192.168.1.5
!--- to IP 172.16.1.5.

static (DMZ,outside) 192.168.1.5 172.16.1.5 netmask 255.255.255.255
access-group 100 in interface outside
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

!--- This command tells the device to
!--- use the "global_policy" policy-map on all interfaces.

service-policy global_policy global
prompt hostname context
Cryptochecksum:4b2f54134e685d11b274ee159e5ed009
: end
ASA-AIP-CLI(config)#

This Article has been referred from http://www.cisco.com

Tags:asa, cisco, command, configure, edit, edition, enable, interface, listing, netmask, networking, passwords, pix, port, ports, prevent, protect, protection, protocol, redirection, secure, Security, traffic

Liked this article? To continue getting our latest free Howtos and Tutorials,
you can also grab the RSS feed or Subscribe to Techgurulive by Email

Not Getting

Related posts

A web application firewall that can work either embedded or as a reverse proxy – ModSecurity

How to configure the Default Route in Cisco Firewalls