Wednesday, June 10, 2009

Configure basic FTP inspection on cisco ASA

By default, the configuration includes a policy that matches all default application inspection traffic and applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic includes traffic to the default ports for each protocol. You can only apply one global policy, so if you want to alter the global policy, for example, to apply inspection to non-standard ports, or to add inspections that are not enabled by default, you need to either edit the default policy or disable it and apply a new one. For a list of all default ports

Issue the policy-map global_policy command.

ASAwAIP-CLI(config)#policy-map global_policy

Issue the class inspection_default command.

ASAwAIP-CLI(config-pmap)#class inspection_default

Issue the inspect ftp command.

ASAwAIP-CLI(config-pmap-c)#inspect ftp

There is an option to use the inspect ftp strict command. This command increases the security of protected networks by preventing a web browser from sending embedded commands in FTP requests.
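The same procedure carried one step further, as an added example that is not part of the original post or of Cisco's sample configuration: it enables strict FTP inspection on the default class and also inspects an FTP server that listens on a non-standard port, which the default class (match default-inspection-traffic, TCP/21 only) does not cover. The class-map name ftp-2121 and the port 2121 are assumptions chosen for illustration.

```cisco
! Added example (not from the original post or Cisco's sample config).
! Assumes an FTP server behind the ASA listens on TCP 2121 instead of 21;
! the class-map name ftp-2121 and the port number are illustrative.
!
! 1. Classify traffic to the non-standard port. The inspection_default
!    class only matches the protocol's default port, so any other port
!    needs its own class.
class-map ftp-2121
 match port tcp eq 2121
!
! 2. Enable strict inspection on the existing default class (remove the
!    plain entry first so the strict one replaces it) and attach the new
!    class to the same global policy.
policy-map global_policy
 class inspection_default
  no inspect ftp
  inspect ftp strict
 class ftp-2121
  inspect ftp strict
!
! 3. The policy is already bound globally; restating the binding is harmless.
service-policy global_policy global
!
! 4. Verify the FTP inspector is active and that its packet counters move
!    when a client connects.
show service-policy inspect ftp
```

Strict mode enforces RFC-conformant command sequences on the control channel, so test it against the FTP clients actually in use before leaving it on: clients that deviate from the RFC are dropped rather than inspected. Without a class for the non-standard port, traffic to TCP/2121 is simply passed through the access list unchanged, and the data channel pinhole that ftp inspection opens dynamically is never created.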

EXAMPLE CONFIGURATION:

ASA-AIP-CLI(config)#show running-config

ASA Version 7.2(2)
!
hostname ASA-AIP-CLI
domain-name corp.com
enable password WwXYvtKrnjXqGbu1 encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.1.12 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
no ip address
!

!--- Output is suppressed.
!
!--- Permit inbound FTP control traffic.
access-list 100 extended permit tcp any host 192.168.1.5 eq ftp
!--- Permit inbound FTP data traffic.
access-list 100 extended permit tcp any host 192.168.1.5 eq ftp-data
!
!--- Command to redirect the FTP traffic received on IP 192.168.1.5
!--- to IP 172.16.1.5.
static (DMZ,outside) 192.168.1.5 172.16.1.5 netmask 255.255.255.255
access-group 100 in interface outside
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
!
!--- This command tells the device to
!--- use the "global_policy" policy-map on all interfaces.
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b2f54134e685d11b274ee159e5ed009
: end
ASA-AIP-CLI(config)#


This article is adapted from http://www.cisco.com
