Question about ASA access-list settings after changing the FTP port
2007-09-16 22:56
There is an FTP server on the Internet. The default FTP port is 21, but for security reasons I changed the FTP server's port to 2000. I configured the access list on the ASA like this:
access-list inside extended permit tcp host 192.168.0.2 host 10.224.20.14 eq 2000
With this I cannot access the server, but if I change the FTP server back to the default port and configure the following, access works. How do I solve the problem after the FTP port change? Thanks!
access-list inside extended permit tcp host 192.168.0.2 host 10.224.20.14 eq ftp
This is the right configuration:
ASA(config)#class-map ftp_traffic
ASA(config-cmap)#match port tcp eq 2000
ASA(config)#policy-map ftp_traffic_policy
ASA(config-pmap)#class ftp_traffic
ASA(config-pmap-c)#inspect ftp
ASA(config)#service-policy ftp_traffic_policy interface inside
ASA(config)#access-list inside extended permit tcp host 192.168.0.2 host 10.224.20.14 eq 2000
Remark:
The following document is from www.cisco.com:
PIX/ASA 7.X: Disable Default Global Inspection and Enable Non-Default Application Inspection
Introduction
This document describes how to remove the default inspection from global policy for an application and how to enable the inspection for a non-default application.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on the PIX Security Appliance that runs the 7.x software image.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the Adaptive Security Appliance (ASA) that runs the 7.x software image.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Default Global Policy
By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default. You can apply only one global policy. If you want to alter the global policy, you must either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy.)
The default policy configuration includes these commands:
In order to disable global inspection for an application, use the no version of the inspect command.
For example, in order to remove the global inspection for the FTP application to which the security appliance listens, use the no inspect ftp command in class configuration mode.
Class configuration mode is accessible from the policy map configuration mode. In order to remove the configuration, use the no form of the command.
pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#no inspect ftp
Note: For more information on FTP inspection, refer to PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example.
Enable Inspection for Non-Default Application
Enhanced HTTP inspection is disabled by default.
In order to enable HTTP application inspection or in order to change the ports to which the security appliance listens, use the inspect http command in class configuration mode.
Class configuration mode is accessible from policy map configuration mode. In order to remove the configuration, use the no form of this command.
When used in conjunction with the http-map argument, the inspect http command protects against specific attacks and other threats that might be associated with HTTP traffic.
For more information on how to use the http-map argument with the inspect http command, refer to the inspect http section of inspect ctiqbe through inspect xdmcp Commands.
In this example, any HTTP connection (TCP traffic on port 80) that enters the security appliance through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection occurs only as the traffic enters each interface.
hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy global
In this example, any HTTP connection (TCP traffic on port 80) that enters or exits the security appliance through the outside interface is classified for HTTP inspection.
hostname(config)#class-map http_traffic
hostname(config-cmap)#match port tcp eq 80
hostname(config)#policy-map http_traffic_policy
hostname(config-pmap)#class http_traffic
hostname(config-pmap-c)#inspect http
hostname(config)#service-policy http_traffic_policy interface outside
This example shows how to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface:
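To make clear what `inspect ftp` does for the session in the question, and why the access-list entry for port 2000 alone is not enough, here is an added example that is not code from the original post or from Cisco. It models the control-channel parsing an FTP application inspector performs: it reads the client's PORT/EPRT commands and the server's 227/229 replies, derives the data-connection endpoints that the firewall would have to pinhole, and refuses any endpoint that does not belong to the peer announcing it (the FTP bounce check). The transcript is constructed; the addresses 192.168.0.2 and 10.224.20.14 and the control port 2000 are taken from the question, while the function names and the `inspected_ports` set are this example's own.

```python
import re
from dataclasses import dataclass

# Regexes for the four control-channel messages that carry a data-channel endpoint.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|([0-9.]+)\|(\d+)\|\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")

# Constructed control-channel exchange (not a real capture) between the client
# 192.168.0.2 and the server 10.224.20.14 listening on TCP 2000, as in the question.
CLIENT_IP, SERVER_IP, CONTROL_PORT = "192.168.0.2", "10.224.20.14", 2000
SAMPLE_TRANSCRIPT = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS secret"),
    ("S", "230 Logged in"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,224,20,14,195,80)"),   # 195*256+80 = 50000
    ("C", "LIST"),
    ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
    ("C", "PORT 192,168,0,2,8,10"),                              # client listens on 2058
    ("S", "200 PORT command successful"),
    ("C", "RETR file.bin"),
    ("C", "PORT 10,0,0,99,0,25"),                                # bounce attempt: third host, port 25
    ("S", "229 Entering Extended Passive Mode (|||50001|)"),
    ("C", "QUIT"),
]


@dataclass(frozen=True)
class Pinhole:
    """A data connection the firewall must admit for this control session."""
    src_ip: str    # side that initiates the data connection
    dst_ip: str    # side that listens for it
    dst_port: int
    mode: str      # "active" (PORT/EPRT) or "passive" (PASV/EPSV)


def _host_port(groups):
    """Decode h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2); None if malformed."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(groups[:4]), nums[4] * 256 + nums[5]


def derive_pinholes(transcript, client_ip, server_ip):
    """Walk one control session and return (pinholes, rejected_messages).

    An announced endpoint must belong to the peer that announced it; anything
    else is treated as an FTP bounce attempt and no pinhole is opened for it.
    """
    pinholes, rejected = [], []
    for who, text in transcript:
        if who == "C" and (m := PORT_RE.match(text)):
            hp, owner, src, mode = _host_port(m.groups()), client_ip, server_ip, "active"
        elif who == "C" and (m := EPRT_RE.match(text)):
            hp, owner, src, mode = (m.group(1), int(m.group(2))), client_ip, server_ip, "active"
        elif who == "S" and (m := PASV_RE.match(text)):
            hp, owner, src, mode = _host_port(m.groups()), server_ip, client_ip, "passive"
        elif who == "S" and (m := EPSV_RE.match(text)):
            hp, owner, src, mode = (server_ip, int(m.group(1))), server_ip, client_ip, "passive"
        else:
            continue  # not an endpoint announcement; nothing to pinhole
        if hp is None or hp[0] != owner or not 0 < hp[1] <= 65535:
            rejected.append(text)
            continue
        pinholes.append(Pinhole(src, hp[0], hp[1], mode))
    return pinholes, rejected


def pinholes_for_session(control_port, inspected_ports, transcript, client_ip, server_ip):
    """Only sessions whose control port is classed for 'inspect ftp' get parsed at all;
    a session on any other port yields no pinholes, so its data connections are dropped."""
    if control_port not in inspected_ports:
        return [], []
    return derive_pinholes(transcript, client_ip, server_ip)


if __name__ == "__main__":
    for ports in ({21}, {21, 2000}):
        holes, bad = pinholes_for_session(CONTROL_PORT, ports, SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP)
        print(f"inspected ports {sorted(ports)}: {len(holes)} pinholes, {len(bad)} rejected")
        for h in holes:
            print(f"  allow {h.src_ip} -> {h.dst_ip}:{h.dst_port} ({h.mode})")
```

With only the default port inspected, `pinholes_for_session` never looks inside the port-2000 session, so the data connections negotiated in it (50000 and 50001 on the server, 2058 on the client) have no matching permit and are dropped even though the control connection itself is allowed by the access list; adding 2000 to the inspected set, which is what the `class-map ftp_traffic` / `match port tcp eq 2000` / `inspect ftp` lines in the answer do on the ASA, is what makes those pinholes appear. The third PORT command is rejected because 10.0.0.99 is not the client that issued it, which is the same reasoning an inspector applies to block bounce attacks.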