ZBF and non-standart FTP port at the IOS-EX

AllertGen — Tue, 12 Mar 2019 07:04:42 GMT

Hello, everyone.

I have a problem with connection to a FTP server by non-standart port via a router with IOS-EX. Here is what I have at the ZBF rules:

parameter-map type inspect GLOBAL
tcp finwait-time 10
tcp synwait-time 20
tcp max-incomplete host 300 block-time 1
log dropped-packets

class-map type inspect match-any INSPECT_PROTOCOLS
description ---- Global protocols to inspect via ZBF ----
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol sip
match protocol sip-tls
match protocol udp
match protocol tcp

class-map type inspect match-all C_PROHOBITED_ACTIVITY
description ---- Traffic match for Access to Internet ----
match class-map INSPECT_PROTOCOLS
match access-group name ACL_PROHOBITED_ACTIVITY

class-map type inspect match-all C_From_Inet_to_Internal
description ---- Traffic match for Access from Internet ----
match access-group name ACL_From_Inet_to_Internal
match class-map INSPECT_PROTOCOLS

policy-map type inspect P_PROHOBITED_ACTIVITY
description ---- ZBF for Access to Internet ----
class type inspect C_PROHOBITED_ACTIVITY
inspect GLOBAL
class class-default
drop log

policy-map type inspect P_From_Inet_to_Internal
description ---- ZBF for Access from Internet ----
class type inspect C_From_Inet_to_Internal
inspect GLOBAL
class class-default
drop log

#sh access-lists ACL_PROHOBITED_ACTIVITY
Extended IP access list ACL_PROHOBITED_ACTIVITY
10 deny ip object-group Banned_2_Inet any
20 permit ip any any

ip nat inside source list 110 interface Port-channel1 overload

Because of the non standart FTP port I used a command "ip port-map ftp port tcp 2021". But my host still can't transer data to/from a FTP server.

But there is no problem if I'm using a standart 21 port. Here is log from a fail connections:

sh policy-map type inspect zone-pair sessions | s <local host>
         Session ID 0x00105DEF (<local host>:2335)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:10:55, Last heard 00:10:36
          Bytes sent (initiator:responder) [77:290]
         Session ID 0x00105CE0 (<local host>:2055)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:14:05, Last heard 00:13:46
          Bytes sent (initiator:responder) [83:333]
         Session ID 0x00106290 (<local host>:3005)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:00:04, Last heard 00:00:02
          Bytes sent (initiator:responder) [86:333]
         Session ID 0x00105E46 (<local host>:2405)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:09:44, Last heard 00:09:22
          Bytes sent (initiator:responder) [78:290]
         Session ID 0x00106198 (<local host>:2819)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:02:29, Last heard 00:02:04
          Bytes sent (initiator:responder) [77:290]
         Session ID 0x00105AD2 (<local host>:1603)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:19:56, Last heard 00:19:31
          Bytes sent (initiator:responder) [77:290]
         Session ID 0x00105C79 (<local host>:1999)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:15:12, Last heard 00:14:42
          Bytes sent (initiator:responder) [78:290]

         Session ID 0x00106291 (<remote FTP (Internet)>:0)=>(<local host>:3006) ftp-data SIS_PREGEN
          Created 00:00:03, Last heard 00:00:03
          Bytes sent (initiator:responder) [0:0]

sh ip nat tran | i <local host>
tcp <external router IP>:5190    <local host>:3005     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp <external router IP>:5152    <local host>:2819     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp <external router IP>:5154    <local host>:2055     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp <external router IP>:5157    <local host>:1999     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp <external router IP>:5155    <local host>:1603     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp <external router IP>:5124    <local host>:2335     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp <external router IP>:5126    <local host>:2405     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021

I also tryed to do this:

class-map type inspect match-all C_PROHOBITED_ACTIVITY
no match class-map INSPECT_PROTOCOLS

But still no resaults.

So what else I can do to to make it work?

Best Regards.

Hello;

Maykol Rojas — Mon, 04 Jan 2016 20:34:53 GMT

Hello;

Is it possible for you to do the following?

-Create an access-list matching tcp any any eq 2021

-Create a class-map with match all, matching FTP and access-list (match-all)

-Put to inspect.

-Make sure the class is the first one on the policy it should hit.

I remember the ip port mapping capability but I have never used it before other than for CBAC inspection.

Let us know.

Hello, Maykol Rojas.

AllertGen — Fri, 29 Jan 2016 14:45:55 GMT

Hello, Maykol Rojas.

Thank you very much for your interest to my case. In fact I already solved a problem.

Port-map works well. There was a problem at the end side (at the FTP server). Our FTP holder lied to me about FTP server working at the passive mode.

Best Regards.

That happens too.

Maykol Rojas — Fri, 29 Jan 2016 20:29:25 GMT

That happens too.

Thanks for answering back, that would definitely help for me and other ppl in the community.

Mike.

topic ZBF and non-standart FTP port at the IOS-EX in Network Security

ZBF and non-standart FTP port at the IOS-EX

Hello;

Hello, Maykol Rojas.

That happens too.