User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
14-49

Chapter 14      Configuring Traffic Policies
  Configuring Rules and Actions for Policy Maps

•  Reply spoofing—Verifies that the PASV reply command (227) is always sent from the server. If a PASV reply command is sent from the client, the ACE denies the TCP connection. This denial prevents a security hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”

•  Invalid port negotiation—Checks the negotiated dynamic port value to verify that it is greater than 1024 (port numbers in the range from 2 to 1024 are reserved for well-known connections). If the negotiated port falls in this range, the ACE closes the TCP connection.

•  Command pipelining—Checks the number of characters present after the port numbers in the PORT and PASV reply command against a constant value of 8. If the number of characters is greater than 8, the ACE closes the TCP connection.

•  Translates embedded IP addresses in conjunction with NAT. FTP command inspection translates the IP address within the application payload. Refer to RFC 959 for background details.
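The three FTP command inspection checks described above (reply spoofing, invalid port negotiation, command pipelining), written out as a small inspector over constructed FTP control lines. This is an added illustration, not ACE or ANM code; the regular expression for the address tuple and the reading of "characters after the port numbers" as everything following the sixth number are assumptions, as is the client/server direction tag.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (assumed format
# for both the PORT command and the 227 PASV reply).
ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
MAX_TRAILING = 8          # constant the guide gives for the pipelining check
MIN_DYNAMIC_PORT = 1025   # negotiated port must be greater than 1024


def inspect_ftp_message(direction, line):
    """Return ("allow", reason) or ("deny", reason) for one control line.

    direction is "client" or "server" (assumed to be known from the TCP
    flow); line is the message with its line terminator removed.
    """
    is_pasv_reply = line.startswith("227")
    is_port_cmd = line.upper().startswith("PORT ")
    if not (is_pasv_reply or is_port_cmd):
        return ("allow", "not a data-port message")
    # Reply spoofing: a 227 reply may only originate from the server.
    if is_pasv_reply and direction != "server":
        return ("deny", "reply spoofing: 227 sent by client")
    m = ADDR_RE.search(line)
    if m is None:
        return ("deny", "malformed address/port tuple")
    p1, p2 = int(m.group(5)), int(m.group(6))
    port = p1 * 256 + p2
    # Invalid port negotiation: ports up to 1024 are reserved.
    if port < MIN_DYNAMIC_PORT:
        return ("deny", f"invalid port negotiation: port {port} <= 1024")
    # Command pipelining: bound the characters after the six numbers.
    trailing = len(line) - m.end()
    if trailing > MAX_TRAILING:
        return ("deny", f"command pipelining: {trailing} trailing characters")
    return ("allow", f"data port {port}")


# Constructed sample exchange: one clean PORT, one clean 227, then a
# spoofed 227 from the client, a well-known port, and a pipelined reply.
SAMPLE = [
    ("client", "PORT 192,168,1,10,4,1"),
    ("server", "227 Entering Passive Mode (10,0,0,5,195,80)."),
    ("client", "227 Entering Passive Mode (10,0,0,5,195,80)."),
    ("client", "PORT 192,168,1,10,0,21"),
    ("server", "227 Entering Passive Mode (10,0,0,5,195,80). QUIT now"),
]


def run_sample():
    """Inspect every constructed line and return the list of verdicts."""
    return [inspect_ftp_message(d, l) for d, l in SAMPLE]
```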
Procedure

Step 1   Choose Config > Devices > context > Expert > Policy Maps.
         The Policy Maps table appears.

Step 2   In the Policy Maps table, choose the Layer 7 FTP command inspection policy map that you want to set rules and actions for.
         The Rule table appears.

Step 3   In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it.
         The Rule configuration window appears.

Step 4   In the Type field of the Rule configuration window, configure rules using the information in Table 14-20.
Table 14-20    Layer 7 FTP Command Inspection Policy Map Rules

Option       Description
Class Map    Class map to use for this traffic policy. Do the following:
             a. To use the class-default class map, check the Use Class Default check box.
                The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
             b. To use a previously created class map, do the following:
                1. Clear the Use Class Default check box.
                2. In the Class Map Name field, choose the class map to be used.