topic Re: Configuring an FTP Server behind Cisco in Network Security

Configuring an FTP Server behind Cisco

briankrontz — Mon, 11 Mar 2019 13:23:44 GMT

I'm trying to configure Serv-U to run in passive mode behind a Cisco ASA 5505. What is the proper way to do this?

Re: Configuring an FTP Server behind Cisco

elparis — Thu, 31 Jul 2008 20:04:11 GMT

A static NAT entry to reach the FTP server, "inspect ftp" in the policy-map, and allow access to the FTP server in the access list is all you should need.

static (inside,outside)

access-list outside_in permit tcp any host eq ftp

access-group outside_in in interface outside

...

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

...

service-policy global_policy global

Can also be done if using PAT instead of NAT. Just change the ACL and the static to use the interface:

access-list outside_in permit tcp any interface outside eq ftp

static (inside,outside) tcp interface ftp

Hope this helps.

Cheers,

Eloy Paris.-

Re: Configuring an FTP Server behind Cisco

briankrontz — Thu, 31 Jul 2008 20:45:44 GMT

I'm concerned about the passive part of my request. Can you expand on how that will work?

We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea?

Re: Configuring an FTP Server behind Cisco

cisco24x7 — Thu, 31 Jul 2008 21:01:51 GMT

Let understand this:

1- Pix/ASA can NOT allow ONLY passive FTP through the firewall

if there is NAT involved. This is NOT possible.

For example, if you have Linux vsftpd running behind the firewall

serving both Active/Passive. Let say that your objective

is to allow both Active and Passive FTP for users on the inside

network; however, you want the firewall to allow ONLY passive

ftp from users from the outside (i.e. Internet).

Let say the IP address of the Linux vsFTPd server is 192.168.1.1.

Let say that this server is NAT'ed to 1.1.1.1 by the pix firewall:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

In this scenario, Pix can NOT do this. In this scenario, you have

NO choice but to enable "fixup protocol ftp 21". If you turn

OFF ftp inspection, nothing will work.

For situation like this, you need firewalls other than Cisco.

Re: Configuring an FTP Server behind Cisco

elparis — Thu, 31 Jul 2008 21:12:29 GMT

Of course; nobody is saying that fixup protocol ftp 21 (or inspect ftp in newer PIX code) is not necessary. Without the firewall doing deep packet inspection of FTP traffic dynamic holes can't be opened in the access list for return traffic so nothing will work.

I am actually don't fully understand what you are saying: on the one hand you say that it is not possible but if you turn on fixup that it will. On the other hand you are saying that you may need firewalls other than Cisco, which I guess means you think it will not work. So I am puzzled.

Any firewall needs to inspect the FTP control connection to be able to determine what hole to poke on the access list. What is it that you say other firewalls do different than Cisco's?

Cheers,

Eloy Paris.-

Re: Configuring an FTP Server behind Cisco

cisco24x7 — Thu, 31 Jul 2008 22:48:06 GMT

This is what I understand:

Linux_FTP_server---(i)--Pix--(o)---FTP_client

FTP server is serving both Active/Passive FTP.

FTP server is 192.168.1.10/24. Pix inside IP

is 192.168.1.1/24. Pix outside ip address is

1.1.1.1/24. FTP_client is 1.1.1.2/24. FTP_client

connects to FTP server via ip address of 1.1.1.10.

Requirements:

Allow ONLY Passive FTP through the Pix firwewall.

Active FTP will NOT be allowed through the Pix

firewall. In other words, Active FTP connection

will be dropped by the Pix firewall.

static (i,o) 1.1.1.10 192.168.1.10 netmask 255.255.255.255

access-list External permit ip any any log

access-group External in interface outside

Pix/ASA can NOT do this.

Other firewalls vendors such as Checkpoint have the capability

to allow ONLY passive FTP through the firewall with NAT. I

think Netscreen can do this too but I can't confirm because

I have not touched Netscreen in eight months.

Make sense?

Re: Configuring an FTP Server behind Cisco

briankrontz — Fri, 01 Aug 2008 00:39:18 GMT

My objective is to allow both Active and Passive SSH/SSL/HTTPS FTP to make it easier on my non-technical ftp clients. Thoughts on that? Would I need to do the "fixup"? I'm not sure what that is. I'm a Juniper GUI guy, sorry.

Rhinosoft, the maker of Serv-U, says that the reason I can only connect with Active is due to a misconfigured Cisco ASA 5505 sitting in front of it.

I have my IP and ports routed correctly as far as I can tell:

access-list INBOUND extended permit tcp any host x.x.x.35 eq 3389

access-list INBOUND extended permit tcp any host x.x.x.35 eq ftp

access-list INBOUND extended permit tcp any host x.x.x.35 eq ftp-data

access-list INBOUND extended permit tcp any host x.x.x.35 eq https

access-list INBOUND extended permit tcp any host x.x.x.35 eq ssh

access-list INBOUND extended permit tcp any host x.x.x.35 eq 990

access-list INBOUND extended permit tcp any host x.x.x.35 range 2000 2020

access-list INBOUND extended permit tcp any host x.x.x.35 range 50000 50020

The last two entries are passive port ranges I tried to plug into the software, but they didn't give me any luck.

We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea? Is that a terribly unsecure idea?

Re: Configuring an FTP Server behind Cisco

cisco24x7 — Fri, 01 Aug 2008 01:21:37 GMT

The problem with the ASA is that fixup is

enabled by default. Therefore, once you

allow FTP, both active/passive will be

allowed. In a NAT environment, you can not

stop Active only or passive only FTP. You

either have to allow both or deny both.

I don't know if you understand how Active

and Passive works. In Active mode, the ftp

server initiates a connection back to the

client sourcing from port 20 to client random

high-ports. This is a security risk to the

client. In Passive mode, the client

initiates a connection from it's high ports

to a server random high-ports. this will

put the server at risk because he has

to allow random high-ports on the server.

That's why in vsftpd or even Microsoft IIS,

you minimize the risk by narrowing the

port-ranges in Passive mode.

The workaround for all this is Secure Copy

Protocol (SCP) or SecureFTP. both of these

run on top of SSH which is very secure.

don't need to worry about FTP craps.

Re: Configuring an FTP Server behind Cisco

elparis — Fri, 01 Aug 2008 01:33:39 GMT

cisco24x7,

> The problem with the ASA is that fixup is

> enabled by default.

That's actually a positive thing, in my opinion, but if it bothers anyone, or violates the organization's security policy, it can obviously be disabled.

> Therefore, once you

> allow FTP, both active/passive will be

> allowed.

He already said that he wants to allow both active and passive so this shouldn't be a problem.

> In a NAT environment, you can not

> stop Active only or passive only FTP. You

> either have to allow both or deny both.

Not necessarily - you can do the following:

access-list inside_in deny tcp any any eq 20

access-list inside_in permit ip any any

access-group inside_in in interface inside

and this will prevent active FTP from working but passive FTP will still work.

This is not a problem for him, though, since he said that he wants both active and passive FTP. But anyone concerned about allowing active FTP can apply this simple workaround to kill active FTP.

Cheers,

Eloy Paris.-

Re: Configuring an FTP Server behind Cisco

briankrontz — Fri, 01 Aug 2008 01:36:11 GMT

I'm confused then. Why don't you think I'm having any luck with Passive if I've configured ports on the software and firewall for that purpose. I'll include my whole config below so that you can maybe explain where I need to make changes.

Re: Configuring an FTP Server behind Cisco

elparis — Fri, 01 Aug 2008 01:37:01 GMT

Sorry, the deny above is obviously wrong. Should be:

access-list inside_in deny tcp any eq 20 any

(idea is obviously to prevent the FTP server to establish the outgoing connection from port 20 to the FTP client on the outside.)

Re: Configuring an FTP Server behind Cisco

briankrontz — Fri, 01 Aug 2008 01:37:58 GMT

interface Vlan1

nameif inside

security-level 100

ip address 192.168.61.254 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 38.x.x.34 255.255.255.252

interface Ethernet0/0

switchport access vlan 2

ftp mode passive

dns server-group DefaultDNS

domain-name domainname1.com

access-list nonat extended permit ip any 172.16.0.0 255.240.0.0

access-list nonat extended permit ip any 192.168.0.0 255.255.0.0

access-list nonat extended permit ip any 10.0.0.0 255.0.0.0

access-list domainname2 extended permit ip 192.168.61.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list INBOUND extended permit tcp any host 38.x.x.35 eq 3389

access-list INBOUND extended permit tcp any host 38.x.x.35 eq ftp

access-list INBOUND extended permit tcp any host 38.x.x.35 eq ftp-data

access-list INBOUND extended permit tcp any host 38.x.x.35 eq https

access-list INBOUND extended permit tcp any host 38.x.x.35 eq ssh

access-list INBOUND extended permit tcp any host 38.x.x.35 eq 990

access-list INBOUND extended permit tcp any host 38.x.x.35 range 2000 2020

access-list INBOUND extended permit tcp any host 38.x.x.35 range 50000 50020

access-list INBOUND extended permit icmp any any

access-list OUTBOUND extended deny tcp any any eq 6346

access-list OUTBOUND extended deny tcp any any eq 6347

access-list OUTBOUND extended deny udp any any eq 6346

access-list OUTBOUND extended deny udp any any eq 6347

access-list OUTBOUND extended permit ip any any

access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 172.31.0.0 255.255.0.0

access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.68.0 255.255.254.0

access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.212.0 255.255.255.0

access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 172.30.103.0 255.255.255.0

access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.180.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 38.x.x.34 192.168.61.200 netmask 255.255.255.255

static (inside,outside) 38.x.x.35 192.168.61.248 netmask 255.255.255.255

access-group OUTBOUND in interface inside

access-group INBOUND in interface outside

route outside 0.0.0.0 0.0.0.0 38.x.x.33 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set to_vpn esp-des esp-md5-hmac

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

service-policy global_policy global

prompt hostname context

Re: Configuring an FTP Server behind Cisco

elparis — Fri, 01 Aug 2008 01:55:14 GMT

The configuration looks *almost* good:

static (inside,outside) 38.x.x.34 192.168.61.200 netmask 255.255.255.255

This line doesn't make sense - you are NATing 192.168.61.200 to the same IP address of the outside interface of the ASA. That shouldn't be but I don't see why it would affect the problem with FTP not working.

Is the FTP server at 192.168.61.248?

You should turn on logging to see what is going on.

Cheers,

Eloy Paris.-

Re: Configuring an FTP Server behind Cisco

cisco24x7 — Fri, 01 Aug 2008 01:58:40 GMT

Eloy Paris,

>Not necessarily - you can do the following:

>access-list inside_in deny tcp any eq 20 any

>access-list inside_in permit ip any any

>access-group inside_in in interface inside

>and this will prevent active FTP from >working but passive FTP will still work.

Is this something you've tested and verified

that it works or is it just an "educated"

guess on your part?

When you enable "fixup protocol ftp 21" or

ftp inspection, the ACL "access-list inside_in deny tcp any any eq 20" will become

useless when there is NAT.

However, what you stated above is true if

there is NO NAT involved. Again, the minute

you enable "fixup protocol ftp 21" that ACL will be bypassed.

An analogy to this is like the command

"sysopt connection permit-ipsec" will bypass

the ACL line applying to the outside interface regarding IPSec.

Re: Configuring an FTP Server behind Cisco

elparis — Fri, 01 Aug 2008 16:41:52 GMT

cisco24x7,

> Is this something you've tested and verified

> that it works or is it just an "educated"

> guess on your part?

It was an "educated" guess on my part, but what you said got me thinking and I'm embarrased to say that the guess wasn't so "educated" and you were right and I was wrong...

> When you enable "fixup protocol ftp 21" or

> ftp inspection, the ACL "access-list

> inside_in deny tcp any any eq 20"

> will become useless when there is NAT.

You are absolutely correct in that as soon as you enable fixup protocol ftp, the ACL becomes useless because as soon as the PIX sees in the FTP control session that a session for data is being created it will create a connection for that session. The session will contain all the endpoit information (port 20 of the server to port > 1024 of the client.) Because when a connection is already built in the PIX ACLs are not checked, then as you so eloquently pointed out, the "deny tcp eq 20 any" will not block the data connection.

My apologies for mudding the waters here; you were right.

The only part that I still don't follow is why you keep mentioning NAT. One thing is access control (handled by ACLs and protocol fixups) and another NAT. Why do you throw NAT into the mix? Even if we were using nat 0 (no NAT) or identity NAT, things should still work as we've discussed. Are you saying that things will work different when using nat 0 or identity NAT?

Cheers,

Eloy Paris.-

Re: Configuring an FTP Server behind Cisco

cisco24x7 — Fri, 01 Aug 2008 17:43:19 GMT

FTP_Server---(i)--Pix---(o)----FTP_client

FTP_Server= 192.168.1.10/24

Pix inside= 192.168.1.1/24

Pix outside= 1.1.1.1/24

FTP_client= 1.1.1.2/4

FTP_client has default gateway point to 1.1.1.1 which

is the Pix outside interface.

Let say that you're NOT doing any NAT on the Pix, just

simply route through the Pix:

no nat-control

Requirements:

Allow only Passive FTP through the firewall.

In this situation, it definitely works with this configuration:

no fixup protocol ftp 21

access-list External permit tcp any host 192.168.1.10 eq 21 log

access-list External permit tcp any host 192.168.1.10 gt 1024 log

access-list Internal deny tcp host 192.168.1.10 eq 20 any log

access-list Internal permit ip any any log

access-group External in interface outside

access-group Internal in interface inside

When you disable NAT on the Pix and just route through the Pix,

you can control the Active/Passive FTP through the firewall.

However, as soon as you enable "fixup protocol ftp 21", you will

will not be able to control Active/Passive FTP. As a matter

of fact, when you have NAT enable, if you disable fixup, FTP will

fail to work altogether.

Is that clear?

Re: Configuring an FTP Server behind Cisco

briankrontz — Fri, 01 Aug 2008 18:13:21 GMT

I'm confused then. Why don't you think I'm having any luck with Passive if I've configured ports on the software and firewall for that purpose.

We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea? Is that a terribly unsecure idea?

Re: Configuring an FTP Server behind Cisco

elparis — Fri, 01 Aug 2008 18:38:31 GMT

> In this situation, it definitely works with

> this configuration:

> no fixup protocol ftp 21

[...]

Of course, you are disabling the fixup but are manually poling holes in the access lists. This is for sure a valid workaround but is not secure because now the FTP server is not protected on ports > 1024.

> When you disable NAT on the Pix and just

> route through the Pix,

> you can control the Active/Passive FTP

> through the firewall.

I assert that you can do this with NAT enabled. The key is disabling the FTP fixup and manually poking holes in the firewall.

> However, as soon as you enable

> "fixup protocol ftp 21", you will

> will not be able to control

> Active/Passive FTP.

Correct, because then the fixup will automatically create the necessary connection, therefore bypassing any access list entries one may have created to control active/passive FTP.

> As a matter

> of fact, when you have NAT enable, if you

> disable fixup, FTP willfail to work

> altogether.

This is the part where I still don't follow - when you have NAT enabled or when you have NAT disabled, FTP will fail to work when you disable the fixup. You need the fixup for FTP to work, with NAT or no NAT, if you don't want to manually poke holes in the access lists. Why do you say that NAT has an influence on whether the fixup works?

Using the same question you posed to me earlier - did you test that disabling/enabling NAT has any effect on whether you can control Active/Passive FTP through the firewall, or it is just an educated guess? 😉

Cheers,

Eloy Paris.-

Re: Configuring an FTP Server behind Cisco

elparis — Fri, 01 Aug 2008 18:48:03 GMT

Did you remove the static command I mentioned yesterday didn't look right since it was using as the global IP the same IP of the outside interface?

What is the private (inside) and public (outside) IP of the FTP server?

I didn't see anything wrong other than the static but can you post your configuration again?

Re: Configuring an FTP Server behind Cisco

cisco24x7 — Fri, 01 Aug 2008 18:54:39 GMT

>I assert that you can do this with NAT enabled. The key is disabling the FTP fixup and manually poking holes in the firewall.

This is NOT true. You do not have to take

my words for it. Just ask your colleagues

at Cisco Systems and they can explain it

to you better than I can.

>This is the part where I still don't follow - "when you have NAT enabled or when you have NAT disabled, FTP will fail to work when you disable the fixup. You need the fixup for FTP to work, with NAT or no NAT, if you don't want to manually poke holes in the access lists. Why do you say that NAT has an influence on whether the fixup works?

I don't tell people things that I've not tried

and tested it myself. In other words, I

tested this myself and that's what I observed.

If you ask Cisco TAC, they will tell you the

same thing I am telling you.