MPF brainteaser
So I was talking to my co-worker yesterday about how proficient I think I am now configuring and troubleshooting ACE modules... that I can set up a context in minutes, from rservers and serverfarms to class-maps / policy-maps and service-policies.
My co-worker, always ready to challenge everything I say (oh, she's a woman, btw), came in this morning with this scenario that she was handed a couple days ago... a request from our sun guys, regarding FTP traffic to our server in the DMZ (let's call it 172.1.1.1, NATed to an inside IP of 192.168.1.1):
We have two suppliers who FTP to us daily... let's say their IP addresses are 10.1.1.1 and 10.2.1.1 respectively. Only these two IPs are to have the following condition applied... prevent them from PUT'ting any files other than PDFs.
Here goes nothing.
Identify the traffic:
ASA(config)#access-list Partner_FTP permit tcp host 10.1.1.1 host 172.1.1.1 eq ftp
ASA(config)#access-list Partner_FTP permit tcp host 10.2.1.1 host 172.1.1.1 eq ftp
Create a class-map and match traffic and conditions:
ASA(config)#class-map type inspect ftp match-all C-FTP_PUTonlyPDF
ASA(config-cmap)#match access-list Partner_FTP
ASA(config-cmap)#match request-command put
ASA(config-cmap)#match filetype regex pdf
Create policy-map and apply action:
ASA(config)#policy-map type inspect ftp P-FTP_PUTonlyPDF
ASA(config-pmap)#class C-FTP_PUTonlyPDF
ASA(config-pmap-c)#permit
I believe that my class-map will match partner traffic, and allow them to put PDFs on the server... but implicitly deny all else. I would place the service-policy inbound on the outside interface. What do y'all think?
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
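Added example, not the poster's configuration: the same requirement written the way ASA FTP inspection policies are normally built, because an inspect-ftp policy map has no implicit deny (unmatched commands are allowed) and "match access-list" only exists in a Layer 3/4 class map. Names PDF_EXT, C-Partner_FTP, C-FTP_PUT_NOTPDF and P-OUTSIDE are assumed; addresses are the ones from the post.

```cisco
! Added example, not the poster's config. Assumed names: PDF_EXT, C-FTP_PUT_NOTPDF,
! C-Partner_FTP, P-OUTSIDE. Addresses are the poster's (10.1.1.1, 10.2.1.1, 172.1.1.1).
!
! Partner traffic is identified at Layer 3/4; a "class-map type inspect ftp" has no
! "match access-list". On ASA 8.3+ an ACL on the outside interface uses the real
! (inside) address 192.168.1.1 as destination; pre-8.3 it uses the mapped 172.1.1.1.
access-list Partner_FTP extended permit tcp host 10.1.1.1 host 172.1.1.1 eq ftp
access-list Partner_FTP extended permit tcp host 10.2.1.1 host 172.1.1.1 eq ftp
class-map C-Partner_FTP
 match access-list Partner_FTP
!
! Extension check on the transferred filename, case-insensitive so REPORT.PDF passes too.
regex PDF_EXT "\.[Pp][Dd][Ff]$"
!
! Match what must be blocked: an upload (PUT, APPE or STOU) whose name does NOT end in .pdf.
class-map type inspect ftp match-all C-FTP_PUT_NOTPDF
 match request-command put appe stou
 match not filename regex PDF_EXT
!
! The deny is explicit: reset the control session and log. Everything the class does
! not match (GET, LIST, PUT of a .pdf) is allowed by the inspection default.
policy-map type inspect ftp P-FTP_PUTonlyPDF
 class C-FTP_PUT_NOTPDF
  reset log
!
! Bind the FTP inspection policy to the partner class only; "strict" is required
! for request-command filtering. Applied inbound on the outside interface.
policy-map P-OUTSIDE
 class C-Partner_FTP
  inspect ftp strict P-FTP_PUTonlyPDF
service-policy P-OUTSIDE interface outside
```

Verify with "show service-policy interface outside" and by attempting a non-PDF PUT from one of the partner hosts, which should be reset and produce a syslog entry.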