On configuring the ASA access list after changing the FTP port

Original post, 16 September 2007, 22:56:00

There is an FTP server on the Internet. The default FTP port is 21, but for security reasons the FTP server's port was changed to 2000. I configured the access list on the ASA like this:

access-list inside extended permit tcp host 192.168.0.2  host 10.224.20.14 eq 2000

This does not allow access, but if I change the FTP server's port back to the default port and configure it as follows, access works. How do I solve the problem after the FTP port has been changed? Thanks!

access-list inside extended permit tcp host 192.168.0.2  host 10.224.20.14 eq ftp

This is the right configuration:

ASA(config)#class-map ftp_traffic
ASA(config-cmap)#match port tcp eq 2000
ASA(config)#policy-map ftp_traffic_policy
ASA(config-pmap)#class ftp_traffic
ASA(config-pmap-c)#inspect ftp
ASA(config)#service-policy ftp_traffic_policy interface inside
ASA(config)#access-list inside extended permit tcp host 192.168.0.2  host 10.224.20.14 eq 2000
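To show why the plain "eq 2000" access-list entry is not enough and what binding inspect ftp to port 2000 achieves, here is an added Python example (not from the original post and not Cisco code): it reads a constructed FTP control-channel exchange and computes the dynamic data-channel endpoints that an FTP inspection engine would open pinholes for. The sample lines, the hosts 192.168.0.2 and 10.224.20.14 from the post, and the chosen data ports are constructed.

```python
import re
from typing import List, Tuple

# Constructed FTP control-channel exchange on non-default port 2000
# (client 192.168.0.2 -> server 10.224.20.14), as the ASA would see it.
SAMPLE_CONTROL_CHANNEL = [
    "220 FTP server ready",
    "USER alice",
    "331 Password required",
    "PASS ********",
    "230 Login successful",
    "PASV",
    "227 Entering Passive Mode (10,224,20,14,195,80)",  # server picks data port
    "LIST",
    "PORT 192,168,0,2,8,1",                              # client picks data port
    "RETR file.txt",
]

# The only ACE from the post: it matches the control connection to port 2000.
STATIC_ACL = {("10.224.20.14", 2000)}

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups) -> Tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    port = p1 * 256 + p2
    if any(o > 255 for o in (h1, h2, h3, h4)) or not 0 < port <= 65535:
        raise ValueError(f"malformed FTP address/port: {groups}")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_channel_pinholes(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (mode, ip, port) endpoints the inspection engine must open."""
    pinholes = []
    for line in lines:
        if m := PASV_RE.match(line):
            ip, port = _decode(m.groups())
            pinholes.append(("passive", ip, port))  # client -> server:port
        elif m := PORT_RE.match(line):
            ip, port = _decode(m.groups())
            pinholes.append(("active", ip, port))   # server -> client:port


    return pinholes


def covered_by_static_acl(pinholes) -> List[Tuple[str, str, int]]:
    """Which data-channel endpoints the static 'eq 2000' ACE alone permits."""
    return [p for p in pinholes if (p[1], p[2]) in STATIC_ACL]
```

Neither data endpoint is covered by the static ACE, which is why the control connection succeeds but every transfer fails until inspect ftp is applied to the class matching port 2000.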

Remark:

This document is from www.cisco.com:

PIX/ASA 7.X: Disable Default Global Inspection and Enable Non-Default Application Inspection

Introduction

This document describes how to remove the default inspection from global policy for an application and how to enable the inspection for a non-default application.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the PIX Security Appliance that runs the 7.x software image.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with the Adaptive Security Appliance (ASA) that runs the 7.x software image.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Default Global Policy

By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default. You can apply only one global policy. If you want to alter the global policy, you must either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy.)

The default policy configuration includes these commands:

In order to disable global inspection for an application, use the no version of the inspect command.

For example, in order to remove the global inspection for the FTP application to which the security appliance listens, use the no inspect ftp command in class configuration mode.

Class configuration mode is accessible from the policy map configuration mode. In order to remove the configuration, use the no form of the command.

pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#no inspect ftp

Note: For more information on FTP inspection, refer to PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example.

Enable Inspection for Non-Default Application

Enhanced HTTP inspection is disabled by default.

In order to enable HTTP application inspection or in order to change the ports to which the security appliance listens, use the inspect http command in class configuration mode.

Class configuration mode is accessible from policy map configuration mode. In order to remove the configuration, use the no form of this command.

When used in conjunction with the http-map argument, the inspect http command protects against specific attacks and other threats that might be associated with HTTP traffic.

For more information on how to use the http-map argument with the inspect http command, refer to the inspect http section of inspect ctiqbe through inspect xdmcp Commands.

In this example, any HTTP connection (TCP traffic on port 80) that enters the security appliance through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection occurs only as the traffic enters each interface.

hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy global

In this example, any HTTP connection (TCP traffic on port 80) that enters or exits the security appliance through the outside interface is classified for HTTP inspection.

hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy interface outside

This example shows how to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface:
