topic FTP ACL Connection issue in Network Security

FTP ACL Connection issue

The.Sorrow — Fri, 21 Feb 2020 12:48:29 GMT

I have an issue with ACLs I have FTP forwarded via PAT to an internal server on my edge router. I have a rather extensive ACL that denies spider servers and certain ranges i know to be spammers. The issue lies in FTP. When the ACL is applied to my outside interface (fa0/1) i cannot successfully connect via FTP. When i drop the access-group, i can connect to FTP a-okay. When the ACL is applied all my other services work as well (http over port 1337, ssh, PPTP, IRC and teamspeak - UDP 9987). Here is my config. Any assistance will be greatfully appreciated:

Building configuration...

Current configuration : 6674 bytes

! Last configuration change at 11:07:17 PST Sun Dec 30 2012 by admin

! NVRAM config last updated at 19:12:53 PST Sun Dec 30 2012 by admin

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname R1

boot-start-marker

boot-end-marker

enable secret 5 *************************************

no aaa new-model

clock timezone PST -8

clock summer-time CDT recurring

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

ip domain name **********.net

ip name-server 4.2.2.2

ip inspect log drop-pkt

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

username admin secret 5 *************************************

interface FastEthernet0/0

description Port to Core Switch

ip address 172.16.0.254 255.255.255.252

ip nat inside

no ip virtual-reassembly

speed 100

full-duplex

interface FastEthernet0/1

description Port to Internet

ip address dhcp

ip access-group WANACL in

ip nat outside

no ip virtual-reassembly

duplex auto

speed auto

router ospf 100

log-adjacency-changes

passive-interface FastEthernet0/1

network 172.16.0.252 0.0.0.3 area 0

default-information originate

ip forward-protocol nd

no ip http server

no ip http secure-server

ip nat inside source list 101 interface FastEthernet0/1 overload

ip nat inside source static tcp 10.50.0.250 1723 interface FastEthernet0/1 1723

ip nat inside source static tcp 10.20.0.200 22 interface FastEthernet0/1 22

ip nat inside source static tcp 10.20.0.100 6667 interface FastEthernet0/1 6667

ip nat inside source static tcp 10.20.0.200 80 interface FastEthernet0/1 1337

ip nat inside source static udp 10.20.0.100 9987 interface FastEthernet0/1 9987

ip nat inside source static tcp 10.20.0.250 21 interface FastEthernet0/1 21

ip nat inside source static tcp 10.20.0.250 20 interface FastEthernet0/1 20

ip access-list extended WANACL

remark ** Permit established connections **

permit tcp any any established

remark ** Immediate deny banned ranges **

----------------------------------------------------

**Supressed ranges banned**

----------------------------------------------------

remark ** Deny Spiders **

----------------------------------------------

**Supressed Spider ranges**

-----------------------------------------------

remark ** Permit DHCP **

permit udp any any eq bootpc

remark ** Permit specific ICMP **

permit icmp any any echo-reply

remark ** Deny bogon ranges **

deny ip 127.0.0.0 0.255.255.255 any

deny ip 169.254.0.0 0.0.255.255 any

deny ip 10.0.0.0 0.255.255.255 any

deny ip 172.16.0.0 0.15.255.255 any

deny ip 192.168.0.0 0.0.255.255 any

remark ** Permit all UDP traffic **

permit udp any any

remark ** permit NAT services (Logged to SNMP) **

permit tcp any any eq ftp log

permit tcp any any eq 1723

permit tcp any any eq ftp-data log

permit tcp any any eq 22 log

permit tcp any any eq 6667 log

permit gre any any

permit udp any any eq 9987 log

permit tcp any any eq 1337

deny ip any any

logging 10.50.0.250

access-list 101 permit gre any any

access-list 101 permit ip any any

control-plane

gatekeeper

shutdown

banner exec ^C

WARNING: Unauthorized access to this system is forbidden and will be

prosecuted by law. By accessing this system, you agree that your

actions may be monitored if unauthorized usage is suspected.

banner login ^C

*************************************************************

WARNING - PRIVATE ELECTRONIC DEVICE - ACCESS PROHIBITED

This device is a private network device. Access to this device is

not authorized. Any attempt for unauthorized access will be logged

and appropriate legal action will be taken.

*************************************************************

line con 0

password 7 *************************************

logging synchronous

line aux 0

password 7 *************************************

logging synchronous

line vty 0 4

password 7 *************************************

logging synchronous

length 0

transport preferred ssh

line vty 5 15

password 7 *************************************

logging synchronous

transport preferred ssh

ntp clock-period 17180466

ntp server 184.105.192.247

end

FTP ACL Connection issue

Jitendra Siyag — Mon, 31 Dec 2012 06:18:20 GMT

is your FTP server active or passive?

you acl will change acordingly. try to capture the successfull transaction with FTP in wireshark and analyze the source and destination ports.

http://www.slacksite.com/other/ftp.html

FTP ACL Connection issue

The.Sorrow — Mon, 31 Dec 2012 06:49:46 GMT

Here's a successful connection:

Status: Connecting to 10.20.0.250:21...

Status: Connection established, waiting for welcome message...

Response: 220 Welcome to FTP.

Command: USER guest

Response: 331 Please specify the password.

Command: PASS ***********

Response: 230 Login successful.

Command: SYST

Response: 215 UNIX Type: L8

Command: FEAT

Response: 211-Features:

Response: EPRT

Response: EPSV

Response: MDTM

Response: PASV

Response: REST STREAM

Response: SIZE

Response: TVFS

Response: UTF8

Response: 211 End

Command: OPTS UTF8 ON

Response: 200 Always in UTF8 mode.

Status: Connected

Status: Retrieving directory listing...

Command: PWD

Response: 257 "/"

Command: TYPE I

Response: 200 Switching to Binary mode.

Command: PASV

Response: 227 Entering Passive Mode (10,20,0,250,167,242).

Command: LIST

Response: 150 Here comes the directory listing.

Response: 226 Directory send OK.

Status: Directory listing successful

And an unsuccessful connection:

Status: Connected

Status: Retrieving directory listing...

Command: PWD

Response: 257 "/"

Command: TYPE I

Response: 200 Switching to Binary mode.

Command: PASV

Response: 227 Entering Passive Mode (68,104,30,116,171,225).

Command: LIST

Error: Connection timed out

Error: Failed to retrieve directory listing

FTP ACL Connection issue

The.Sorrow — Mon, 31 Dec 2012 07:06:08 GMT

i found if i append 781 permit tcp any any gt 1024 makes everything work... is that optimum from a security standpoint?

FTP ACL Connection issue

Jitendra Siyag — Tue, 01 Jan 2013 19:36:24 GMT

you have passive FTP server.in this, the data connection will be established on a port gereater than 1024. it can be any port. and thats why you are able to connect when you allow all ports greater than 1024.

but this line will open all the ports for everything on your network.i would suggest limiting it to that particular server IP like below.

781 permit tcp any SERVER_IP gt 1024

or try using Zone Based Firewall in router to do FTP inspection which will be more safe. below url will provide you a basic working example.

http://blog.ine.com/2008/10/16/cisco-ios-zone-based-firewall-overview/

and here is more detailed guide

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml