topic Hi Maykol, in Network Security

FTP ALLOWED

Hugo Rosado — Tue, 12 Mar 2019 06:56:38 GMT

Hi Guys,

Im trying to allow FTP traffic into my Synology FTP server from the WAN into the LAN, when I simulate this on Packet tracer it says traffic is allowed but this is not true when I test it, I have ios 9.1(5), when I have a look at Syslog I cannot see any FTP traffic coming trough my firewall, neither can see FTP traffic when I do a capture,the ISO says FTP traffic is allowed but I canno see any traces of it touching the firewall, this is driving me mad

[[{"type":"media","fid":"1221681","view_mode":"default","link_text":null,"attributes":{"alt":"Packet tracer","title":"Packet tracer","height":"656","width":"1065","class":"image-style-none media-element file-default"}}]]

Hi Hugo,

Rishabh Seth — Tue, 24 Nov 2015 18:21:44 GMT

Hi Hugo,

I would suggest you to check if ftp inspection is enabled or not. In case you are using passive ftp to connect to the server behind ASA and you are using NAT then enable ftp inspection.

You have also mentioned that you not receiving any traffic. So do you mean that you do not even see SYN packet in captures? If this is the case then check upstreams devices and configure proper routing to route traffic to ASA.

Thanks

Rishabh Seth

PS: Rate if it helps

HI Rishabh,

Hugo Rosado — Tue, 24 Nov 2015 18:27:47 GMT

HI Rishabh,

Thanks for your answer, I have tried both ways, FTP inspection and without FTP being inspected, regarding the SYN packets I cannot see any of them when I build a filter for port 21.

The firewall is facing the Internet directly and is has a trunk beteween an ONT (fibre) and one of the firewall ports, could that have any influence on the way traffic comes in?

Outbound connections work fine.

If it comes from the WAN, I

Maykol Rojas — Tue, 24 Nov 2015 18:46:16 GMT

If it comes from the WAN, I assume that it comes from the internet, is this correct?

Now if this is true, the 192.168.10.9 should be translated to something public. That being said, the IP address on the packet tracer is wrong. It should be the public IP address of 192.168.10.9.

Do the packet tracer again using the public. If you were using the sniffers (captures) using the same IP 192.168.10.9, that would be the reason why you were not seeing any traffic.

Anything that hits the public interface, will contain a public IP no matter if we changed to this new method (post NAT acl) the packets will still arrive with a public destination IP.

Let me know how it goes.

Mike.

Hi Maykol,

Hugo Rosado — Tue, 24 Nov 2015 18:53:17 GMT

Hi Maykol,

Thanks for your response.

What I am trying to emulate is traffic coming from the outside interface (Vodafonetrunk) from a public Ip address (8.8.8.8) to the Vlan configured on my Lan (192.168.10.9) on port 21 on both ends, when traffic hits the firewall the public IP gets translated to an internal IP, as you can see from the show run.

Please let me knwo what can I try and I will put it in place.

Regards

On that packet tracer I can

Maykol Rojas — Tue, 24 Nov 2015 19:13:23 GMT

On that packet tracer I can see a NAT phase.

In order to even simulate the traffic coming from 8.8.8.8, you should translate that host 192.168.10.9 to a public IP to be accesible or redirect the ports when it hits a public IP on the Vodafone interface.

Mike.

HI Maykol,

Hugo Rosado — Tue, 24 Nov 2015 22:23:10 GMT

HI Maykol,

Thank you for your response

I think that is what I am doing at the moment with the following commands:

object network Incoming_traffic
host 192.168.10.8

nat (VodafoneTrunk,VoipIt_Production) source dynamic any Incoming_traffic destination static Synology Synology service FTP FTP

When it hits the vodafone trunk interface it translates it to an internal ip

Regards

Hi Hugo,

Rishabh Seth — Wed, 25 Nov 2015 05:00:11 GMT

Hi Hugo,

If your server is listening on port 21 behind Vodafone trunk interface and traffic will be hitting Voiplt_Production and you want to translate traffic on public IP to private generated by any host then you can create following NAT:

object network Incoming_traffic
host 192.168.10.8

nat (VodafoneTrunk,VoipIt_Production) static <public IP> service TCP 21 21

If you are creating NAT for specific users who will be accessing ftp server then you can write a manual NAT.

NAT (vodavoip) source static <real-ip-of-ftp-server> <mapped -ip-of-ftp-server> service ftp ftp destination static <object-forspecific-user> <object-forspecific-user>

Hope it helps.

Thanks,

Hi Rishabh,

Hugo Rosado — Wed, 25 Nov 2015 10:48:38 GMT

Hi Rishabh,

Once again thanks for your response.

I applied the commands recommended,I left the ACL's in place, the ACL's say that any traffic hiting the VodafoneTrunk interface on port 21 will be forward to the FTP server (192.168.10.9).

The commands did not work unfortunatelly:

object network Incoming_traffic
host 192.168.10.9 - FTP server

nat (VodafoneTrunk,VoipIt_Production) static <public IP> service TCP 21 21

Do I need an ACL at the end of this statement?

Regards

Hi Hugo,

Rishabh Seth — Wed, 25 Nov 2015 11:09:31 GMT

Hi Hugo,

Did you replace <publicIp> with actual public IP of the FTP server?

If you did replace it, then what do you see in the packet-tracer?

object network Incoming_traffic
host 192.168.10.9 - FTP server

nat (VodafoneTrunk,VoipIt_Production) static <public IP> service TCP FTP FTP << replace <pulic IP> with public IP of the server,

Thanks,

Rishabh Seth

Hi Rishabh,

Hugo Rosado — Wed, 25 Nov 2015 11:20:59 GMT

Hi Rishabh,

Thanks for your response.

Let's say my current public IP is 1.1.1.1 and my FTP server is 192.168.10.9:

object network Incoming_traffic
host 192.168.10.9

nat (VodafoneTrunk,VoipIt_Production) static 1.1.1.1 service TCP 21 21

With these commands I cannot access my FTP server from outside.

These are the command I used on the firewall, will I need to apply any ACL's into it?

Regards

Hi Hugo,

Rishabh Seth — Wed, 25 Nov 2015 11:54:13 GMT

Hi Hugo,

You will require ACL to permit traffic for 192.168.10.9 on port 21 from outside interface.

Also check the packet-tracer output and see if this NAT rule getting evaluated or not. Check if you have any manual nat rule that might shadow this rule.

Thanks,

Rishabh Seth

Hi Rishabh,

Hugo Rosado — Wed, 25 Nov 2015 12:59:15 GMT

Hi Rishabh,

Thanks for your response, this is the commands I have applied o the asa:

1.1.1.1 = My external IP

object network Synology
host 192.168.10.9

nat (VodafoneTrunk,VoipIt_Production) static 1.1.1.1 service TCP 21 21

access-list 100 extended permit tcp any host 192.168.10.9 eq ftp

access-group 100 in interface vodafonetrunk

This is not doing the job, also shouldn't the NAT rule be the other way arround like:

nat (VoipIt_Production,VodafoneTrunk) static 1.1.1.1 service TCP 21 21

I am on IOS 9.1(5)

Regards

Is the Vodafone Trunk

Rishabh Seth — Wed, 25 Nov 2015 12:59:16 GMT

Is the Vodafone Trunk interface public facing? If yes then NAT should look like:

nat (VoipIt_Production,VodafoneTrunk) static 93.38.108.10 service TCP 21 21

I assumed that VodafoneTrunk is internal interface. Correct me if my understanding is wrong.

Thanks,

RS.

Hi Rishabh,

Hugo Rosado — Wed, 25 Nov 2015 14:08:53 GMT

Hi Rishabh,

By putting that command I am sayng that only the external IP 93.38.108.10 can FTP in, should I not put:

nat (VoipIt_Production,VodafoneTrunk) static 93.38.108.10 service TCP 21 21, and also when I do the packet tracer this is the output:

This is drivng me mad now 😞

Hi Hugo,

Rishabh Seth — Wed, 25 Nov 2015 14:17:21 GMT

Hi Hugo,

I know this is a small config and there have been many comments on this discussion, just to ensure we are on same page please provide following details:

>> Name of the interface behind which your FTP server is placed.

>> Name of the interface from where traffic will enter firewall.

>> Is the Public IP of FTP server is same as Public IP configured on ASA interface?

>> What is the IP address of the internal host?

>> Do you want to permit access to this FTP server to specific hosts or any hosts?

If you want to test packet tracer for source IP as 8.8.8.8 and destination IP as FTP server's Public IP then use:

Source IP as <IP of source> destination IP as <Public IP of FTP server.>

Thanks,

Hi Rishabh,

Hugo Rosado — Wed, 25 Nov 2015 15:11:47 GMT

Hi Rishabh,

Thanks for all your helpfull answers:

>> Name of the interface behind which your FTP server is placed - VoipIt_Production, network 192.168.10.0 range

>> Name of the interface from where traffic will enter firewall - VodafoneTrunk

>> Is the Public IP of FTP server is same as Public IP configured on ASA interface? According to the nat rules yes

>> What is the IP address of the internal host? - 192.168.10.9

>> Do you want to permit access to this FTP server to specific hosts or any hosts? Any hosts

Regards

VoipIt# packet-tracer input

Hugo Rosado — Wed, 25 Nov 2015 15:15:27 GMT

VoipIt# packet-tracer input vodafoneTrunk tcp 8.8.8.8 21 192.168.10.9 21

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.10.0 255.255.255.0 VoipIt_Production

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 VodafoneTrunk

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 100 in interface VodafoneTrunk

access-list 100 extended permit tcp any host 192.168.10.9 eq ftp

Additional Information:

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (VoipIt_Production,VodafoneTrunk) source dynamic any interface

Additional Information:

Result:

input-interface: VodafoneTrunk

input-status: up

input-line-status: up

output-interface: VoipIt_Production

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Rishabh Seth — Wed, 25 Nov 2015 16:14:12 GMT

Hi,

You can try following manual NAT rule:

object service ftp
service tcp source eq ftp

object network Synology
host 192.168.10.9

nat (VoipIt_Production,VodafoneTrunk) 1 source static Synology interface service ftp ftp

Hope it helps!!!

Thanks,

Rishabh you are the man, many

Hugo Rosado — Wed, 25 Nov 2015 17:40:06 GMT

Rishabh you are the man, many thanks this worked perfectly.