With the release of Cisco ASA software version 9.7 and beyond, the architecture for configuring such policies has evolved, offering a more streamlined approach with the Advanced Inspection and Prevention Security Services Module (AIP-SSM) and better support for modern application inspection. Here's how to efficiently block non-admin users from accessing a specific FTP directory, such as `/secret`, using modern ASA capabilities.
### Key Changes in Cisco ASA Post-9.7:
1. **Enhanced Protocol Inspection**: The FTP inspection engine has become more robust, allowing for easier manipulation and control of FTP traffic without relying on complex regex patterns.
2. **Simplified Policy Configuration**: Instead of needing to use L7 class maps with regex, ASA 9.7 and later provide more straightforward methods to block access using predefined and customized protocol inspection rules.
3. **Improved Access Control**: Access control based on usernames and directories can now be done more efficiently through protocol-specific inspection mechanisms.
### Steps to Block FTP Access to the `/secret` Directory for All Users Except “admin” (Post-9.7):
#### 1. **Enable FTP Inspection**:
FTP inspection must be enabled before any FTP session can be inspected or controlled. It is on by default in `global_policy`, but verify it (for example with `show service-policy inspect ftp`) before building on it. The `strict` keyword enforces RFC-compliant command sequencing and is also required before an FTP inspection policy map can be attached in step 4.
```
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp strict
service-policy global_policy global
```
The above configuration ensures FTP traffic is being inspected in `strict` mode, which is recommended for better control.
#### 2. **Configure an FTP Inspection Policy Map**:
The FTP inspection engine lets an FTP class map match on the request command, the username, the file name (the path argument of transfer commands such as `RETR` or `STOR`), the file type and the server banner. Here the class needs two conditions:
- The username is anything other than “admin”.
- The requested path begins with `/secret`.
The class map references two regex objects, `ADMIN_USER` and `SECRET_DIRECTORY`, which are defined in step 3; on a live device enter the regexes first, since a regex must exist before a class map can reference it.
```
class-map type inspect ftp match-all FTP_BLOCK_SECRET
 match not username regex ADMIN_USER
 match filename regex SECRET_DIRECTORY
policy-map type inspect ftp FTP_POLICY
 class FTP_BLOCK_SECRET
  reset log
```
In this policy:
- `match-all` means the class fires only when both conditions hold: the username does not match `ADMIN_USER` and the file path matches `SECRET_DIRECTORY`. The “everyone except admin” condition is expressed with `match not`, so the regex itself only has to describe the admin account.
- `reset log` terminates the connection and writes a syslog message when a non-admin user tries to reach the `/secret` directory; the `log` keyword is what makes these events visible in step 5.
#### 3. **Create Regular Expressions**:
Define the two regex objects that the class map references. One matches the “admin” username exactly, the other matches paths under `/secret`.
```
regex ADMIN_USER "^admin$"
regex SECRET_DIRECTORY "^/secret"
```
These regex patterns:
- `^admin$`: anchored at both ends so that only the exact username “admin” matches. An unanchored `admin` would also match names such as “administrator”, and the `match not` condition would then let those accounts through.
- `^/secret`: matches any file argument that starts with `/secret`, which covers the directory itself and everything below it. It also matches sibling names such as `/secret2`; use `^/secret(/|$)` if that is a concern.
The ASA compares the literal path argument in the client's command, so keep the server's own file-system permissions on `/secret` as the primary control and treat this policy as an additional layer.
#### 4. **Apply the FTP Inspection Policy**:
Now attach the FTP inspection policy map to the `inspect ftp` action. Placing it under the `inspection_default` class of `global_policy` (applied globally in step 1) covers FTP on every interface; if you only want to inspect FTP where it originates (usually the internal network), use an interface-specific service policy instead. The policy map can only be attached together with the `strict` keyword.
```
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_POLICY
```
This configuration ensures that the inspection policy is applied globally to all FTP traffic passing through the ASA firewall.
#### 5. **Test and Monitor**:
Once the configuration is complete, it is critical to test the setup. You can do this by:
- Trying to access the `/secret` directory with various usernames, including "admin" and non-admin users.
- Monitoring the firewall logs to ensure that connections are being reset correctly when unauthorized users try to access the directory.
You can use the following command to monitor live logs and verify that the FTP inspection policy is functioning as expected:
show logging | include FTP
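To sanity-check the matching logic before committing it to the firewall, here is an added Python example (not from the original post and not Cisco code) that emulates the `match-all` class map over constructed FTP sessions and shows why an anchored `^admin$` combined with `match not` behaves differently from a character-class pattern such as `[^admin]`. It assumes the ASA regex engine treats these simple anchored patterns the same way Python's `re` module does.

```python
import re

# Regex objects as defined on the ASA in step 3.  Python's re module stands in
# for the ASA regex engine (assumption: identical behaviour for these patterns).
ADMIN_USER = re.compile(r"^admin$")     # exact username "admin" only
SECRET_DIRECTORY = re.compile(r"^/secret")  # path argument under /secret

# A tempting but wrong way to write "not admin": this is a character class and
# matches any username containing a letter outside the set {a, d, m, i, n}.
BROKEN_NOT_ADMIN = re.compile(r"[^admin]")


def class_map_matches(username: str, filename: str) -> bool:
    """Emulate 'class-map type inspect ftp match-all FTP_BLOCK_SECRET':
         match not username regex ADMIN_USER
         match filename regex SECRET_DIRECTORY
    With match-all, both conditions must hold for the class to fire."""
    not_admin = ADMIN_USER.search(username) is None
    in_secret = SECRET_DIRECTORY.search(filename) is not None
    return not_admin and in_secret


def policy_action(username: str, filename: str) -> str:
    """Action FTP_POLICY would take for one transfer: 'reset' or 'allow'."""
    return "reset" if class_map_matches(username, filename) else "allow"


def broken_regex_results(usernames):
    """Which usernames '[^admin]' would flag as 'not admin'.  Note that 'dan'
    is NOT flagged (every letter is in the class) while 'alice' is."""
    return {u: BROKEN_NOT_ADMIN.search(u) is not None for u in usernames}


# Constructed sample sessions: (username, file argument of the transfer command).
SAMPLE_SESSIONS = [
    ("admin", "/secret/plan.txt"),
    ("alice", "/secret/plan.txt"),
    ("administrator", "/secret/plan.txt"),
    ("alice", "/public/readme.txt"),
    ("dan", "/secret/plan.txt"),
]

if __name__ == "__main__":
    for user, path in SAMPLE_SESSIONS:
        print(f"{user:15} {path:22} -> {policy_action(user, path)}")
    print(broken_regex_results(["admin", "alice", "dan", "administrator"]))
```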
### Benefits of the Post-9.7 Method:
- **Simplified Configuration**: The newer method streamlines the process, making it easier to configure access control based on usernames and directory paths.
- **Better Performance**: The enhanced FTP inspection engine performs better, reducing the need for complex regex matching, which can slow down the inspection process.
- **Improved Flexibility**: With the updated protocol inspection capabilities, it’s easier to create more granular access control policies for specific protocols like FTP.
### Conclusion:
Blocking non-admin users from accessing sensitive directories on an FTP server in Cisco ASA post-9.7 is significantly more straightforward than in earlier versions. By leveraging the enhanced FTP inspection engine and modern class-map configurations, you can efficiently match conditions like usernames and directory paths, ensuring that only authorized users can access specific resources.
This approach not only improves the security of FTP services but also reduces administrative overhead by simplifying the configuration process. Always ensure that the FTP inspection policies are regularly reviewed and tested to maintain effective security.