Configure Basic FTP Application Inspection

By default, the configuration includes a policy that matches all default application inspection traffic and applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic includes traffic to the default ports for each protocol. You can only apply one global policy, so if you want to alter the global policy, for example, to apply inspection to non-standard ports, or to add inspections that are not enabled by default, you need to either edit the default policy or disable it and apply a new one. For a list of all default ports, refer to the Default Inspection Policy.

1. Issue the policy-map global_policy command.

   ASAwAIP-CLI(config)#policy-map global_policy
   

2. Issue the class inspection_default command.

   ASAwAIP-CLI(config-pmap)#class inspection_default
   

3. Issue the inspect FTP command.

   ASAwAIP-CLI(config-pmap-c)#inspect FTP

4. 
   ASAwAIP-CLI(config)#service-policy global_policy global 
   

 more.. 
 
!--- Permit inbound FTP control traffic. 

access-list 100 extended permit tcp any host 192.168.1.5 eq ftp

!--- Permit inbound FTP data traffic.

access-list 100 extended permit tcp any host 192.168.1.5 eq ftp-data
!

!--- Command to redirect the FTP traffic received on IP 192.168.1.5 
!--- to IP 172.16.1.5.

static (DMZ,outside) 192.168.1.5 172.16.1.5 netmask 255.255.255.255
access-group 100 in interface outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
!--- This command tells the device to 
!--- use the "global_policy" policy-map on all interfaces.

service-policy global_policy global