FTP
The FTP application inspection inspects FTP sessions and performs four tasks:
■ Prepares a dynamic secondary data connection
■ Tracks the FTP command-response sequence
■ Generates an audit trail
■ Translates the embedded IP address using NAT
FTP application inspection prepares secondary channels for FTP data transfer. The channels
are allocated in response to a file upload, a file download, or a directory listing event, and
they must be prenegotiated. The data port is negotiated on the control channel through the
client's PORT command or the server's PASV reply (227).
You can use the inspect ftp command in a policy map to inspect traffic on the default port
assignment for FTP. The command syntax is as follows:
[no] inspect ftp [strict]
The strict option prevents web browsers from sending embedded commands in FTP requests.
Each FTP command must be acknowledged before a new command is allowed; connections that
send embedded (pipelined) commands are dropped. The strict option lets only the server
generate the PASV reply (227) and lets only the client generate the PORT command. The PASV
reply and PORT commands are also checked to ensure that they do not appear inside an error
string.
If you disable FTP fixups with the no inspect ftp command, inbound FTP is disabled. If you
have FTP servers listening on ports other than 20 and 21, you need to use the class-map
command to identify those traffic flows by their non-standard FTP port numbers and apply
inspect ftp to that class.
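As an added illustration (not part of the original text and not Cisco's implementation), the following Python model walks a captured FTP control-channel dialogue and applies the strict checks described above: one outstanding command at a time, PORT only from the client, 227 only from the server, neither embedded in an error reply, plus the secondary data-channel endpoints the inspector would pre-open. The dialogue format, direction labels and audit strings are assumptions of this model.

```python
import re
from typing import List, Tuple

# Constructed model of the "inspect ftp strict" checks described on this page;
# it is illustrative code, not Cisco's implementation. Direction 'C' = client
# line, 'S' = server line. Ports in PORT/227 are encoded as p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EMBEDDED_RE = re.compile(r"\b(227|PORT)\b", re.IGNORECASE)

def decode_endpoint(match) -> Tuple[str, int]:
    """Turn the six comma-separated numbers into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def inspect_ftp_strict(dialogue: List[Tuple[str, str]]):
    """Walk a control-channel dialogue and return (verdict, channels, audit).
    verdict is 'allow' or 'drop'; channels lists the secondary data
    connections the inspector would pre-open; audit is the trail of events."""
    pending = None               # command still waiting for its reply
    channels, audit = [], []
    for who, line in dialogue:
        if who == "C":
            if pending is not None:   # strict: one command at a time
                audit.append(f"drop: embedded command {line!r} before reply to {pending}")
                return "drop", channels, audit
            if line.startswith("227"):  # only the server may send the PASV reply
                audit.append("drop: client sent 227 reply")
                return "drop", channels, audit
            pending = line.split(" ", 1)[0].upper()
            m = PORT_RE.match(line)
            if m:                     # active mode: client names its data port
                channels.append(("active", *decode_endpoint(m)))
            audit.append(f"cmd {pending}")
        else:
            code = line[:3]
            if line.upper().startswith("PORT"):  # only the client may send PORT
                audit.append("drop: server sent PORT")
                return "drop", channels, audit
            if code >= "400" and EMBEDDED_RE.search(line[3:]):
                audit.append(f"drop: command text inside error reply {line!r}")
                return "drop", channels, audit
            m = PASV_RE.match(line)
            if m:                     # passive mode: server names its data port
                channels.append(("passive", *decode_endpoint(m)))
            audit.append(f"reply {code}")
            if not code.startswith("1"):  # 1xx is preliminary; command stays open
                pending = None
    return "allow", channels, audit
```

A real inspector also rewrites the embedded address in PORT/227 when NAT applies; this model only decodes it.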