topic Cannot access external websites that use FTP in Network Security

Cannot access external websites that use FTP

joescott4t — Tue, 12 Mar 2019 00:41:30 GMT

hello all,

I am having an issue where I cannot access certain files on websites. It looks as though the files are accessed via ftp. Could my router be blocking it. I have a Cisco 2801 router acting as a firewall. If you need more information please let me know what to post. Thanks.

Cannot access external websites that use FTP

Julio Carvajal — Thu, 27 Dec 2012 16:23:28 GMT

Hello Joe,

Can you share the configuration ?

Regards,

Julio

Re: Cannot access external websites that use FTP

joescott4t — Thu, 27 Dec 2012 17:13:54 GMT

Sure here is my config:

Current configuration : 12313 bytes

version 12.4

service timestamps debug datetime localtime

service timestamps log datetime localtime show-timezone

service password-encryption

hostname -2801

boot-start-marker

boot-end-marker

logging message-counter syslog

logging buffered 4096

aaa new-model

aaa authentication login userauthen group radius local

aaa authorization network groupauthor local

aaa session-id common

clock timezone est -5

clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00

dot11 syslog

ip source-route

ip dhcp excluded-address 172.19.3.129 172.19.3.149

ip dhcp excluded-address 172.19.10.1 172.19.10.253

ip dhcp excluded-address 172.19.3.140

ip dhcp excluded-address 172.19.3.133

ip dhcp ping timeout 900

ip dhcp pool DHCP

network 172.19.3.128 255.255.255.128

default-router 172.19.3.129

domain-name domain.local

netbios-name-server 172.19.3.7

option 66 ascii 172.19.3.225

dns-server 172.19.3.140 208.67.220.220 208.67.222.222

ip dhcp pool VoiceDHCP

network 172.19.10.0 255.255.255.0

default-router 172.19.10.1

dns-server 208.67.220.220 8.8.8.8

option 66 ascii 172.19.10.2

lease 2

ip cef

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

no ip domain lookup

ip domain name domain.local

multilink bundle-name authenticated

key chain key1

key 1

key-string 7 06040033484B1B484557

crypto pki trustpoint TP-self-signed-3448656681

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3448656681

revocation-check none

rsakeypair TP-self-signed-3448656681

username admin privilege 15 password

archive

log config

hidekeys

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxxx address XXXXXXX

crypto isakmp key XXXXXXX address XXXXXXX

crypto isakmp keepalive 40 5

crypto isakmp nat keepalive 20

crypto isakmp client configuration group VPN

key XXXXXXX

dns 172.19.3.140

wins 172.19.3.140

domain domain.local

pool VPN_Pool

acl 198

crypto isakmp profile VPNClient

description VPN clients profile

match identity group VPN

client authentication list userauthen

isakmp authorization list groupauthor

client configuration address respond

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map Dynamic 5

set transform-set myset

set isakmp-profile VPNClient

qos pre-classify

crypto map VPN 10 ipsec-isakmp

set peer XXXXXXX

set transform-set myset

match address 101

qos pre-classify

crypto map VPN 20 ipsec-isakmp

! Incomplete

set peer XXXXXXX

set transform-set myset

match address 103

crypto map VPN 65535 ipsec-isakmp dynamic Dynamic

track 123 ip sla 1 reachability

delay down 15 up 10

class-map match-any VoiceTraffic

match protocol rtp audio

match protocol h323

match protocol rtcp

match access-group name VOIP

match protocol sip

class-map match-any RDP

match access-group 199

policy-map QOS

class VoiceTraffic

bandwidth 512

class RDP

bandwidth 768

policy-map MainQOS

class class-default

shape average 1500000

service-policy QOS

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$

ip address 172.19.3.129 255.255.255.128

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

interface FastEthernet0/0.10

description $ETH-VoiceVLAN$$

encapsulation dot1Q 10

ip address 172.19.10.1 255.255.255.0

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

interface FastEthernet0/1

description "Comcast"

ip address Public IP 255.255.255.248

ip access-group 102 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map VPN

interface Serial0/1/0

description "Verizon LEC Site ID"

bandwidth 1536

no ip address

encapsulation frame-relay IETF

frame-relay lmi-type ansi

interface Serial0/1/0.1 point-to-point

bandwidth 1536

ip address XXXXXXX 255.255.255.252

ip access-group 102 in

ip verify unicast reverse-path

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 500 IETF

crypto map VPN

service-policy output MainQOS

interface Serial0/2/0

description "Verizon ID) "

ip address XXXXXXX 255.255.255.252

ip access-group 102 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

encapsulation ppp

crypto map VPN

service-policy output MainQOS

ip local pool VPN_Pool 172.20.3.130 172.20.3.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 XXXXXXX track 123

ip route 0.0.0.0 0.0.0.0 XXXXXXX 254

ip route 107.0.197.20 255.255.255.255 XXXXXXX

ip route 208.67.220.220 255.255.255.255 XXXXXXX

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-top-talkers

top 20

sort-by bytes

ip nat inside source route-map COMCAST interface FastEthernet0/1 overload

ip nat inside source route-map PAE interface Serial0/2/0 overload

ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload

ip nat inside source static 172.19.3.133 12.12.12.12

ip access-list extended VOIP

permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190

permit ip host 172.19.3.190 172.20.3.0 0.0.0.127

ip radius source-interface FastEthernet0/0

ip sla 1

icmp-echo 208.67.220.220 source-interface FastEthernet0/1

timeout 10000

frequency 15

ip sla schedule 1 life forever start-time now

access-list 23 permit 172.19.3.0 0.0.0.127

access-list 23 permit 172.19.3.128 0.0.0.127

access-list 23 permit 173.189.251.192 0.0.0.63

access-list 23 permit 107.0.197.0 0.0.0.63

access-list 23 permit 173.163.157.32 0.0.0.15

access-list 23 permit 72.55.33.0 0.0.0.255

access-list 23 permit 172.19.5.0 0.0.0.63

access-list 100 remark "Outgoing Traffic"

access-list 100 remark CCP_ACL Category=17

access-list 100 deny ip 67.128.87.156 0.0.0.3 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit tcp host 172.19.3.190 any eq smtp

access-list 100 permit tcp host 172.19.3.137 any eq smtp

access-list 100 permit tcp any host 66.251.35.131 eq smtp

access-list 100 permit tcp any host 173.201.193.101 eq smtp

access-list 100 permit tcp any any eq ftp

access-list 100 permit ip any any

access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 101 permit tcp any any eq ftp

access-list 101 permit tcp any any eq ftp-data

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.5.64

access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63

access-list 102 remark CCP_ACL Category=17

access-list 102 permit ip any host 12.12.12.12

access-list 102 remark "Inbound Access"

access-list 102 permit udp any host XXXXXXX eq non500-isakmp

access-list 102 permit udp any host XXXXXXX eq isakmp

access-list 102 permit esp any host XXXXXXX

access-list 102 permit ahp any host XXXXXXX

access-list 102 permit udp any host XXXXXXX eq non500-isakmp

access-list 102 permit esp any host XXXXXXX

access-list 102 permit ahp any host XXXXXXX

access-list 102 permit udp any host Public IP eq non500-isakmp

access-list 102 permit udp any host Public IP eq isakmp

access-list 102 permit esp any host Public IP

access-list 102 permit ahp any host Public IP

access-list 102 permit ip 72.55.33.0 0.0.0.255 any

access-list 102 permit ip 107.0.197.0 0.0.0.63 any

access-list 102 deny ip 172.19.3.128 0.0.0.127 any

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any unreachable

access-list 102 remark ftp

access-list 102 permit tcp any any eq ftp

access-list 102 remark FTP Data

access-list 102 permit tcp any any eq ftp-data

access-list 102 permit icmp any any

access-list 102 permit udp any host XXXXXXX eq non500-isakmp

access-list 102 permit udp any host XXXXXXX eq isakmp

access-list 102 permit esp any host XXXXXXX

access-list 102 permit ahp any host XXXXXXX

access-list 102 deny ip any any log

access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.0 0.0.0.63

access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63

access-list 110 remark "Outbound NAT Rule"

access-list 110 remark "Deny VPN Traffic NAT"

access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255

access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127

access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 110 permit ip 172.19.3.128 0.0.0.127 any

access-list 110 permit ip 172.19.10.0 0.0.0.255 any

access-list 198 remark "Networks for VPN Client"

access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127

access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 199 permit tcp any any eq 3389

route-map PAE permit 10

match ip address 110

match interface Serial0/2/0

route-map COMCAST permit 10

match ip address 110

match interface FastEthernet0/1

route-map VERIZON permit 10

match ip address 110

match interface Serial0/1/0.1

snmp-server community RO

radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 060506324F411F090B464058

control-plane

line con 0

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

transport input telnet ssh

scheduler allocate 20000 1000

ntp server 128.118.25.3

ntp server 217.150.242.8

end

-2801#exit

Cannot access external websites that use FTP

Julio Carvajal — Thu, 27 Dec 2012 17:51:03 GMT

Hello Joe,

Okay, you do are inspecting FTP ( that is good)

Now do the following

config te

ip inspect log drop-pkt

Then try to download those files and after you get the error inmediatly do the following
show logging | include x.x.x.x

Where the x.x.x.x is the ip address of the website you are trying to access

This will let us know if the firewall is dropping those connections

Regards,

Julio

Cannot access external websites that use FTP

joescott4t — Thu, 27 Dec 2012 18:03:35 GMT

well i tried that but the show logging | clude returned nothing. I thought that firewall was already configured to allow ftp connections.

Cannot access external websites that use FTP

Julio Carvajal — Thu, 27 Dec 2012 18:07:54 GMT

Hello Joe,

That is the point,

The firewall is already configured to allow that so it looks something else is denying the connection as the firewall is not retrieving anything.

Can you remove the access-group and the inspect rules in order to test it?

Regards

Cannot access external websites that use FTP

joescott4t — Thu, 27 Dec 2012 18:15:26 GMT

The router is live and I dont want mess anything up my cisco skills are are green.

Cannot access external websites that use FTP

Julio Carvajal — Thu, 27 Dec 2012 18:19:58 GMT

Hello Joe,

Got it but right now based on what you have asked and provided I can tell you does not look like a CBAC issue ( to be sure we should take it out but as you cannot do that this ends right there )

My other suggestion is from an internal PC can you run wireshark while trying to donwload those files and show us what you see on the capture

Regards

Cannot access external websites that use FTP

joescott4t — Thu, 27 Dec 2012 18:25:23 GMT

I can do the wireshark and report back

Cannot access external websites that use FTP

joescott4t — Thu, 27 Dec 2012 20:11:46 GMT

ok i was able to remove all the access-group lists, and try but its still not working this is very strange.

Cannot access external websites that use FTP

Julio Carvajal — Thu, 27 Dec 2012 20:14:51 GMT

Hello Joe,

Yeah, Looks like something else is blocking this,

Can you get the wireshark capture

Cannot access external websites that use FTP

joescott4t — Thu, 27 Dec 2012 20:23:07 GMT

Im having trouble with that. I think I my need to adjust my filtering options in wireshark

Cannot access external websites that use FTP

Julio Carvajal — Thu, 27 Dec 2012 20:27:12 GMT

tcp.port==21

Cannot access external websites that use FTP

joescott4t — Fri, 11 Jan 2013 17:40:11 GMT

Still not finding anything. Its something withing the router but I just cant figure out what it is. I looked through wireshark and saw no errors.