topic Re: passive FTP doesn't work with CBAC in Network Security

passive FTP doesn't work with CBAC

tato386 — Mon, 11 Mar 2019 18:21:30 GMT

I have setup an inbound ACL on the outside interface of my router that allows TCP ports 20 and 21 in and I have a CBAC inspect map with FTP specified on the same interface in an outbound direction. My understanding is that the inspect will check all outbound traffic and dynamically fix the inbound ACL for the client/serve negotiated ports. I have active FTP clients like the command line Windows ftp work, but passive clients like a browser do not.

If I uncheck passive mode on my browser it works further confirming that active FTP works. Ironically, the browser active/passive option says that passive mode is for firewall compatibility!

Any ideas on this? I would really like both to work because I frequently use the command line ftp and most others prefer the browser.

Thanks,

Diego

Re: passive FTP doesn't work with CBAC

Jitendriya Athavale — Thu, 05 Aug 2010 13:29:11 GMT

hi diego

where is the client and where is the server, i mean with respect to firewall which is on inside and which is on internet

Re: passive FTP doesn't work with CBAC

tato386 — Thu, 05 Aug 2010 14:34:01 GMT

The ftp server is behind the firewall on the private and protected network. Clients are hitting the ftp server from the public Internet.

Thanks,

Diego

Re: passive FTP doesn't work with CBAC

Jitendriya Athavale — Thu, 05 Aug 2010 14:48:55 GMT

if your active connection are working and passive are not working i can think of only one thing and that is inspect ftp

please make sure that inspect ftp is before inspect tcp other inspect ftp will never work

so this is how it should be

ip inspect name FW ftp

ip inspect name FW tcp

but not the other way

Re: passive FTP doesn't work with CBAC

tato386 — Thu, 05 Aug 2010 15:23:07 GMT

Unfortunately, I do have the ftp inspect first. Here is what I have:

ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall tftp
ip inspect name firewall https
ip inspect name firewall icmp
ip inspect name firewall imap
ip inspect name firewall pop3
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall skinny
ip inspect name firewall sip

I took some packet debugs and I can see where the packet is denied when the client begins sending to the negotiated high port. In the debug when the client sends to the servers TCP port 16787 the packet is denied. So it seems like CBAC is not dynamically openning the negotiated ports as it should. I have attached the packet debug if you care to look at it. Maybe I will open a case with the TAC.

Thanks,

Diego

Re: passive FTP doesn't work with CBAC

Jitendriya Athavale — Thu, 05 Aug 2010 15:40:39 GMT

please put this command and see the logs and paste them here

ip inspect log drop-packet

also just to confirm taht it is the firewall remove the access-group from the outside interafce so taht you permit everything inside

Re: passive FTP doesn't work with CBAC

tato386 — Thu, 05 Aug 2010 16:57:57 GMT

The ip inspect log drop-pkt does not show any packets being dropped. However when I removed the ACL it worked like a champ. So we know it is the ACL but I don't think it is a good idea to open up all the high ports. It just seems that CBAC is not opening up the ports as it should. I would think maybe a bug but I am running a fairly up to date IOS of 12.4(20)T4.

Any ideas?

Thanks,

Diego

Re: passive FTP doesn't work with CBAC

e.pedersen — Thu, 05 Aug 2010 17:40:10 GMT

Can you share with us your interfaces (inside/outside) config, also ACL and cbac config, if you agreed with this, please use examples IP address on your post.

Re: passive FTP doesn't work with CBAC

tato386 — Thu, 05 Aug 2010 18:32:08 GMT

Here is the ACL and interface config. Also the packet debug of the failure.

Thanks for all your help.

diego

Re: passive FTP doesn't work with CBAC

Jitendriya Athavale — Thu, 05 Aug 2010 18:34:05 GMT

i know you have already done this and some of my below steps might sound very stupid... but try them they have worked for me

try one more small thing

open only port 20 with your access-list

this should allow passive ftp

if this works then it is the inspection thats not working

trying removing inspection ftp and reapplying

Re: passive FTP doesn't work with CBAC

tato386 — Thu, 05 Aug 2010 18:39:30 GMT

Not sure I follow you here. I have currently have both 20 and 21 open. Active is working and passive is not. So you want me to remove 21 and recheck passive?

I will also try removing and reapplyting the inspect command.

Diego

Re: passive FTP doesn't work with CBAC

Diego Armando Cambronero Arias — Thu, 05 Aug 2010 21:26:44 GMT

Just for testing pursoses. Have you tried to open all IP traffic for that server. Just do it, try it and then close all IP. If it works then we know the problem is with the FTP Inspection.

Re: passive FTP doesn't work with CBAC

tato386 — Thu, 05 Aug 2010 21:39:16 GMT

Hi Diego,

We have tried that and it works OK. At this point I am well satisfied that it is the inspection. Now I need to find out if I am doing something wrong, or maybe missing something or maybe just a bug.

Thanks for your input.

Diego

Re: passive FTP doesn't work with CBAC

Diego Armando Cambronero Arias — Thu, 05 Aug 2010 21:56:41 GMT

Diego,

All CBAC is a Bug. Change to ZOne-Based that is easier to manage and do a better work

Re: passive FTP doesn't work with CBAC

tato386 — Fri, 06 Aug 2010 03:31:03 GMT

Never heard of zone-based. Is that available on IOS routers?

diego

Re: passive FTP doesn't work with CBAC

Jitendriya Athavale — Fri, 06 Aug 2010 05:18:41 GMT

it is supported on IOS

well it is recommended u go thr only if you see that cbac is unable to achieve what you want

it provides more flexibility

in any case, for your query we seem to have isolated the issue that inspect ftp is broken, i have seen a lot of bugs related to broken inspect for L7

you can go to zone-based-firewall but let me advise you that it is also unpredictable at times as far as features are concerned. when it works it works like magic but when something is boken it get really tough to isolate

to resolve your issue, i think its worth a try to go to 15.0 code which is latest, i would suggest even if you go to zone-based firewall use this code

Re: passive FTP doesn't work with CBAC

e.pedersen — Fri, 06 Aug 2010 07:50:17 GMT

Diego,

I looked at your config, and it seems to be fine. Also I tried something similiar in a lab enviroment and it worked.

If you want to know more about zone based firewall, here is a link whit the configuration guide:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Re: passive FTP doesn't work with CBAC

tato386 — Fri, 06 Aug 2010 11:30:13 GMT

One more question before I try the zone bases approach. What type of ftp server did you test with? I did a test with a 2nd router runing a slightly older IOS and got the same results. In both my cases the ftp server being protected was a Windows server. Maybe CBAC and Windows ftp don't get along?

Diego

Re: passive FTP doesn't work with CBAC

e.pedersen — Fri, 06 Aug 2010 15:43:30 GMT

Please read your PM

Re: passive FTP doesn't work with CBAC

Kureli Sankar — Sat, 07 Aug 2010 02:34:07 GMT

Is this issue resolved?

interface FastEthernet0/0
description public IP
ip address 72.17.151.190 255.255.255.224
ip access-group 101 in
ip nat outside
ip inspect firewall out

ip inspect firewall in ------------------------> Pls. add this line as well.

for ftp traffic the user id and password goes over the control channel using tcp 21.You need to allow this via ACL. Inspection will take care of opening the data channel.

For active ftp the server sends the data using the source port tcp 20. Client sends the port command.

In case of passive ftp the server sends the port command and the client connects back to the high port >1024 to receive data.

http://slacksite.com/other/ftp.html#actexample

-KS