topic Re: Connection problem with firewall in Network Security

Connection problem with firewall

suthomas1 — Mon, 11 Mar 2019 15:38:33 GMT

I am having problems with ftp to my server.

Client IP:10.0.1.2

Server IP : 10.35.20.1

It says connection timeout & when telnet is done on 21,gives connect to port 21 failed. ftp seems to be open locally on server as when i try a ftp from another server locally, it prompts for login.

Below are logs on my firewall for this connection.

10.0.1.2 1667 10.35.20.1 21 Teardown TCP connection 12379739847839711173 for AppZone:10.0.1.2 1667 to ftp_app:10.35.20.1/21 duration 0:00:20 bytes 66 SYN Timeout

Please suggest what could be the cause.Any issues with firewall?

Also how to determine from this output if this ftp is on passive or active mode?

Thanks.

Re: Connection problem with firewall

John Blakley — Tue, 02 Jun 2009 12:54:45 GMT

Are you ftp'ing from the outside of your firewall, or are you trying to ftp from inside to outside? Can you post your config?

HTH,

John

Re: Connection problem with firewall

suthomas1 — Tue, 02 Jun 2009 13:43:57 GMT

These are on firewall module & ftp is tried from outside to inside,or to be clear server is on security level 0 & client is on 100.

access-list AppZone_list_in permit tcp host 10.0.1.2 host 10.35.20.1 eq 21

this is applied inbound on AppZone.

Counts on rule can be seen when this is tried.

Thanks.

Re: Connection problem with firewall

jj27 — Tue, 02 Jun 2009 13:49:22 GMT

SYN timeouts are usually related to routing problems. Make sure your firewall has a route to get to your network the clients are on. Also make sure that your internal network has a route back to the firewall for that network.

Re: Connection problem with firewall

suthomas1 — Tue, 02 Jun 2009 14:08:49 GMT

Routing looks right for both ways.i can ping both server/client from the firewall.

Tks.

Re: Connection problem with firewall

jj27 — Tue, 02 Jun 2009 14:33:44 GMT

Ok, the firewall can ping the server and the client, that is fine.

Can the SERVER get back to the CLIENT?

Your firewall is incrementing the access list, so the connection is coming inbound, leaving the firewall then passing it in to your server. What is happening is the firewall is never receiving a response from the server back to the client so you get the SYN timeout. The problem is probably due to internal routing (from your server network to the client network of 10.0.1.0)

Re: Connection problem with firewall

suthomas1 — Tue, 02 Jun 2009 14:38:49 GMT

You mean the server route table ?

if so, i am also suspecting this,but just needed some expert inputs or some other possible causes from gurus here.

Tks

Re: Connection problem with firewall

jj27 — Tue, 02 Jun 2009 14:49:29 GMT

What kind of server is it? Is it a Windows box running FTP? Is it Linux based?

It could be an issue with the default gateway of the server or the routing table. It could be an issue with the routing on your default gateway to know how to get to the external network of your client 10.1.0.0/?

Re: Connection problem with firewall

suthomas1 — Tue, 02 Jun 2009 14:53:18 GMT

Its a windows box.One query here, if the server doesnt find proper route path back to client, won't it take its default gateway and try reach the client & shouldn't this work for the connection to reach atleast firewall thus responding with syn-ack.

or is a more specific path required?

Thanks.

Re: Connection problem with firewall

John Blakley — Tue, 02 Jun 2009 14:57:13 GMT

access-list AppZone_list_in permit tcp host 10.0.1.2 host 10.35.20.1 eq 21

this is applied inbound on AppZone.

Is this applied on the outside interface or the inside interface (0 or 100). If it's applied on the inside interface, do you have an acl that's applied to the outside interface? If you have an acl on the outside interface, try adding port 20 to that acl. Active FTP connections make a connection to port 21, but the server tries to connect back to the client on port 20, and this could be the cause of your timeouts.

HTH,

John

Re: Connection problem with firewall

John Blakley — Tue, 02 Jun 2009 14:59:43 GMT

Oh, another thing, I've never worked with the FWSM, but in PIX/ASA you can use fixup commands to fix things like this:

fixup protocol ftp 21

This could solve all of your problems instead of going through everything else you've done. 😃

HTH,

John

Re: Connection problem with firewall

suthomas1 — Tue, 02 Jun 2009 15:05:03 GMT

Its applied on outside(level 0).Anyway to know from this output if its active or passive?

for active as i know, server would give port 20 to client & try connecting back to random port >1023 which client had given during the second phase.

I may be wrong,please correct if so.

Thanks.

Re: Connection problem with firewall

John Blakley — Tue, 02 Jun 2009 15:40:54 GMT

You're correct. Do you have any statics configured for this connection?

Re: Connection problem with firewall

suthomas1 — Tue, 02 Jun 2009 23:33:41 GMT

No statics for this connection.

Re: Connection problem with firewall

Kureli Sankar — Wed, 03 Jun 2009 00:41:53 GMT

10.0.1.2 1667 10.35.20.1 21 Teardown TCP connection 12379739847839711173 for AppZone:10.0.1.2 1667 to ftp_app:10.35.20.1/21 duration 0:00:20 bytes 66 SYN Timeout

This means that the server on the outside did not respond to they SYNs sent from the client.

jjohnston1127 asked the right question.

Does the client have a route to the server network? I think it does or we wouldn't see the syn arrive on the firewall.

Does the server have a route back to the client network?

Just because the FWSM can ping both the client and the server, it doesn't mean server and the client can get to each other.

Make sure the server and the client can ping each other.

What code is the FWSM running?

If it is 2.x then you should have

fixup protocol ftp 21

If it is 3.x and above you should have

inspect ftp configured under policy-map

It doesn't look like that is the problem. It looks like the server does not have a route back to the client's IP. Pls. check the gateway that the server is pointing to and make sure it has a route back to the client network

otherwise, just add a static route on the windows server such that it will reach the FWSM ftp_app interface in order to get to 10.0.1.2

route add 10.0.1.2

and give that a shot.

Wireshark capture on the server may be a good idea to see where it is sending the syn ack (as to which mac address)

Let us know how that goes.

Re: Connection problem with firewall

suthomas1 — Thu, 04 Jun 2009 02:16:32 GMT

Thanks to all, problem was with server ip configuration.

Btw, a question since we were talking of sniffing traffic, is there any link or guide to get know how about the different

outputs given by different sniffers or the common ones like wireshark.

Thanks.

Re: Connection problem with firewall

Kureli Sankar — Thu, 04 Jun 2009 02:28:23 GMT

Very glad to hear that the problem was on the server end just as we suspected...

http://wiki.wireshark.org/SampleCaptures

I hope the above link will help you.