andhingr
Cisco Employee

Issue:

How to restrict FTP commands so that downloads are allowed only from certain FTP servers. Default FTP inspection on the ASA permits every FTP command, including all downloads and uploads. To restrict downloads or uploads to and from specific FTP servers, use the following sample configuration: the listed servers get default (permissive) inspection through an interface policy, and everything else gets strict inspection with a command filter through the global policy.

Solution:

1.  Create an access-list that lists the FTP servers from which downloads remain allowed. The class-map in step 2 matches this ACL, so each entry must match the client-to-server connection (any source to the server's control port, TCP 21):

access-list Test_FTP permit tcp any host 10.1.1.1 eq 21

access-list Test_FTP permit tcp any host 10.1.1.2 eq 21

access-list Test_FTP permit tcp any host 10.1.1.3 eq 21

2.  Create a class-map matching the above access-list

class-map Test_FTP

match access-list Test_FTP

3. Create an inspection class-map that matches the FTP commands to be blocked:

class-map type inspect ftp match-any FTP-deny-updates

match request-command  get

This example matches only the get command (the client's RETR, i.e. a download); any other FTP request command can be matched in the same class-map, for example put or dele.


4. Create an FTP inspection policy-map that references the inspection class-map above and resets (and logs) any session that issues a matched command:


policy-map type inspect ftp FTP-deny-updates

parameters

class FTP-deny-updates

  reset log


5. Create a separate interface policy that applies default (non-strict) FTP inspection, so all FTP commands are allowed to the servers in the access-list:


policy-map interface_policy

class Test_FTP

  inspect ftp


Default FTP inspection is applied to the traffic matching the access-list from step 1, so all FTP commands are allowed to those servers. Because an interface service policy takes precedence over the global policy for the same feature (here FTP inspection), the strict global inspection configured in the next step does not apply to these flows.


6. FTP traffic that does not match the interface policy in step 5 is handled by the global policy, where strict FTP inspection with the FTP-deny-updates policy-map resets any session in which the client issues a GET. The default global_policy already carries a plain inspect ftp statement under class inspection-default; remove it with no inspect ftp before adding the strict line, since a class holds only one inspect statement per protocol:


policy-map global_policy

class inspection-default

  inspect ftp strict FTP-deny-updates


7.  Apply the interface policy to the inside interface and the global policy globally:


service-policy interface_policy interface inside

service-policy global_policy global
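To make the policy precedence concrete, the following added illustration (not ASA code and not part of the original post) models how the ASA decides which FTP inspection applies to one flow entering the inside interface. It mirrors two Modular Policy Framework rules the configuration relies on: an interface service policy takes precedence over the global policy for the same feature, and class inspection-default in global_policy matches FTP only on TCP port 21. The server addresses come from the Test_FTP access-list above; the client addresses, the non-standard port and the sample flows are constructed for the example.

```python
"""Model of the ASA's choice between interface_policy and global_policy for one
FTP flow (added illustration, not ASA code and not from the original post)."""
from dataclasses import dataclass

# Servers listed in access-list Test_FTP (any -> host X eq 21), from the post.
ALLOWED_FTP_SERVERS = {"10.1.1.1", "10.1.1.2", "10.1.1.3"}
# Request commands matched by class-map type inspect ftp FTP-deny-updates.
# The post matches only 'get'; extend this set to cover put, dele, etc.
DENIED_COMMANDS = {"get"}
FTP_PORT = 21  # the only port default-inspection-traffic treats as FTP


@dataclass(frozen=True)
class Flow:
    src: str        # client address (constructed sample data)
    dst: str        # server address
    dport: int      # server control port
    command: str    # FTP request command as the ASA names it: get, put, dele, ...


def matches_interface_policy(flow: Flow) -> bool:
    """class Test_FTP in interface_policy: 'match access-list Test_FTP'."""
    return flow.dst in ALLOWED_FTP_SERVERS and flow.dport == FTP_PORT


def matches_global_policy(flow: Flow) -> bool:
    """class inspection-default in global_policy: FTP inspection on tcp/21 only."""
    return flow.dport == FTP_PORT


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (action, reason) for one FTP request on a flow entering 'inside'.

    Interface policy first: if its class matches, the global policy's FTP
    inspection is not consulted for this flow at all.
    """
    if matches_interface_policy(flow):
        # interface_policy: plain 'inspect ftp', every command permitted.
        return "permit", "interface_policy: default ftp inspection allows all commands"
    if matches_global_policy(flow):
        # global_policy: 'inspect ftp strict FTP-deny-updates'.
        if flow.command.lower() in DENIED_COMMANDS:
            return "reset", "global_policy: class FTP-deny-updates -> reset log"
        return "permit", "global_policy: command not matched by FTP-deny-updates"
    # Neither class matched: the ASA does not inspect this flow as FTP, so the
    # command filter never sees it; only an interface ACL could block it.
    return "permit", "not inspected: port is not in default-inspection-traffic for ftp"


# Constructed sample flows from an inside client (RFC 5737 documentation ranges).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.1.1.1", 21, "get"),       # listed server: download allowed
    Flow("192.0.2.10", "198.51.100.7", 21, "get"),   # other server: reset
    Flow("192.0.2.10", "198.51.100.7", 21, "put"),   # other server: put not matched
    Flow("192.0.2.10", "10.1.1.1", 2121, "get"),     # non-standard port: not inspected
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, reason = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport} {f.command:<4} {action:<6} {reason}")
```

The last sample flow is the one to notice: a GET to a listed server on port 2121 is neither matched by the interface policy (the ACL says eq 21) nor inspected by the global policy, so the restriction never applies to it. Any FTP service on a non-standard port needs its own class-map and inspect ftp statement, or an ACL, to be covered.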



Conclusion:


The configuration above allows FTP downloads from the servers matched by the interface policy and resets, with a log message, any other FTP session in which the client issues a GET. Two caveats: the restriction applies only to sessions the ASA inspects as FTP, which by default means TCP port 21, so FTP on a non-standard port needs its own class-map and inspect ftp statement (or an ACL) to be covered; and the strict keyword enforces RFC-conformant FTP command sequencing, which can break clients or servers that do not follow the standard, so verify it against the real client population before rolling it out.
