
FTP Inspect on ASA 5520


GremlinSlayer

Technical User
Dec 11, 2006
Can I implement FTP inspect only on one VPN tunnel and not affect other FTP traffic? I am NATing the IP, and the remote FTP end is rejecting it because the source IP does not match the NATed IP. I was told to use FTP inspect, but I don't want to create more problems. Our default is active FTP.

This is my concern, from Cisco's PDF:

If you disable FTP inspection engines with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

Any suggestions?
 
What you want is a modular policy. Give this a read -
I have found another article that says that it cannot be done in an IPsec environment (I assume that it means applying it to the tunnel itself), but if you base the policy on destination IP and apply it to the inside interface, I believe it would work.

Here is a good description of passive vs. port mode FTP.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I applied this config and it is currently working with port/active mode - no problems thus far.

! ACL that selects only the FTP control connections to be inspected
! (source host and destination /29; x.x.x.x placeholders as posted)
access-list ftp_inspection extended permit tcp host x.x.x.x x.x.x.x 255.255.255.248 eq ftp
!
! Class-map that matches the ACL above
class-map inspect_ftp
 match access-list ftp_inspection
!
! Dedicated policy-map for the inside interface. The name must match the
! service-policy below; global_policy is the ASA's default globally applied
! policy, so a separate policy-map is used here rather than reusing that name.
policy-map ftp_policy
 class inspect_ftp
  inspect ftp
!
! Apply the policy on the inside interface only; FTP traffic that does not
! match the ACL is left to whatever the global policy does.
! Verify with: show service-policy interface inside
service-policy ftp_policy interface inside

thanks Brent
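The config above only works if every link in the Modular Policy Framework chain resolves: the service-policy must name a defined policy-map, each class in it must name a defined class-map, and the class-map's access-list must exist. As posted, the policy-map is called global_policy while the service-policy applies ftp_policy, so the chain is broken on paper. The following script is an added example for this thread (not the poster's or Cisco's code) that parses the relevant ASA commands and reports where the chain breaks and which ACL scopes each applied inspect ftp. The two sample configs are constructed to mirror the posted one, using documentation addresses in place of the x.x.x.x placeholders.

```python
"""Audit the MPF chain that scopes 'inspect ftp' on a Cisco ASA:
service-policy -> policy-map -> class -> class-map -> match access-list -> ACL.

Added example for this thread, not the poster's or Cisco's code. The sample
configs are constructed; addresses are documentation ranges, and the
class-map/policy-map names follow the config posted above.
"""
from collections import defaultdict

# Constructed: mirrors the posted config, including its mismatch between the
# policy-map name (global_policy) and the service-policy that is applied (ftp_policy).
POSTED_CONFIG = """\
access-list ftp_inspection extended permit tcp host 10.1.1.5 192.0.2.0 255.255.255.248 eq ftp
class-map inspect_ftp
 match access-list ftp_inspection
policy-map global_policy
 class inspect_ftp
  inspect ftp
service-policy ftp_policy interface inside
"""

# Constructed: same intent with the names made consistent.
FIXED_CONFIG = POSTED_CONFIG.replace("policy-map global_policy", "policy-map ftp_policy")


def parse_asa_config(text):
    """Parse the MPF-related commands into lookup tables.

    Sub-commands are attached to the most recent class-map or policy-map/class
    line. 'class-map type ...' and 'policy-map type ...' variants are not handled.
    """
    acls = defaultdict(list)     # ACL name -> ACE lines
    class_maps = {}              # class-map name -> match lines
    policy_maps = {}             # policy-map name -> {class name -> action lines}
    service_policies = []        # (policy-map name, scope text)
    current = None               # ("class-map", name) | ("policy-map", name, class)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "access-list":
            acls[words[1]].append(line)
        elif words[0] == "class-map":
            class_maps[words[1]] = []
            current = ("class-map", words[1])
        elif words[0] == "policy-map":
            policy_maps[words[1]] = {}
            current = ("policy-map", words[1], None)
        elif words[0] == "service-policy":
            service_policies.append((words[1], " ".join(words[2:])))
            current = None
        elif words[0] == "match" and current and current[0] == "class-map":
            class_maps[current[1]].append(line)
        elif words[0] == "class" and current and current[0] == "policy-map":
            policy_maps[current[1]].setdefault(words[1], [])
            current = ("policy-map", current[1], words[1])
        elif current and current[0] == "policy-map" and current[2] is not None:
            policy_maps[current[1]][current[2]].append(line)

    return {"acls": dict(acls), "class_maps": class_maps,
            "policy_maps": policy_maps, "service_policies": service_policies}


def audit_ftp_inspection(cfg):
    """Return a list of findings; empty means every applied 'inspect ftp'
    resolves through a defined policy-map, class-map and ACL."""
    findings = []
    for policy, scope in cfg["service_policies"]:
        classes = cfg["policy_maps"].get(policy)
        if classes is None:
            findings.append(f"service-policy '{policy}' ({scope}) references an undefined policy-map")
            continue
        for cls, actions in classes.items():
            if "inspect ftp" not in actions:
                continue
            if cls == "class-default":
                findings.append(f"policy-map '{policy}': inspect ftp under class-default applies to all traffic ({scope})")
                continue
            matches = cfg["class_maps"].get(cls)
            if matches is None:
                findings.append(f"policy-map '{policy}': class '{cls}' has no class-map definition")
                continue
            acl_matches = [m.split()[2] for m in matches if m.startswith("match access-list ")]
            if not acl_matches:
                findings.append(f"policy-map '{policy}': inspect ftp in class '{cls}' is not scoped by an ACL ({scope})")
            for acl in acl_matches:
                if acl not in cfg["acls"]:
                    findings.append(f"class-map '{cls}' matches undefined access-list '{acl}'")
    return findings


def ftp_inspection_scope(cfg):
    """Map each applied policy-map to the ACL names that scope its 'inspect ftp'."""
    scope = {}
    for policy, _ in cfg["service_policies"]:
        for cls, actions in cfg["policy_maps"].get(policy, {}).items():
            if "inspect ftp" in actions:
                for m in cfg["class_maps"].get(cls, []):
                    if m.startswith("match access-list "):
                        scope.setdefault(policy, []).append(m.split()[2])
    return scope


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_asa_config(text)
        print(f"[{label}] findings: {audit_ftp_inspection(cfg) or 'none'}")
        print(f"[{label}] inspect ftp scoped by: {ftp_inspection_scope(cfg)}")
```

Run it against the output of show running-config (the sample strings stand in for that here). On the posted text it reports the undefined policy-map ftp_policy; on the corrected text it reports nothing and shows inspect ftp scoped by the ftp_inspection ACL. A class such as the ASA's default inspection_default, which uses match default-inspection-traffic rather than an ACL, is reported as "not scoped by an ACL", which is the reminder that inspection there applies to all FTP traffic on that policy.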
 