
FTP and Port mapping

casablancag
Level 1

Hi

We are having trouble with our FTP server. The clients send a SYN with source port 40000, then the server replies to the same destination port, but I presume that the load balancer does a port mapping and translates the source port to e.g. 33000. Our firewall clearly drops the packet with the reason "Packet out of state". Have you any idea?

Here is my config:

service h01p6u_21
  keepalive type tcp
  keepalive port 21
  ip address x.x.158.129
  protocol tcp
  redundant-index 11790
  active

service h01p6v_21
  ip address x.x.158.130
  keepalive type tcp
  keepalive port 21
  protocol tcp
  redundant-index 11800
  active

content c01sg5_21
  vip address x.x.x.140
  add service h01p6v_21
  add service h01p6u_21
  port 21
  protocol tcp
  application ftp-control
  active

!*************************** GROUP
group srg_c01sg5
  vip address x.x.x.140
  add service h01p6u_21
  add service h01p6v_21
  active

9 Replies

Gilles Dufour
Cisco Employee

Where is your firewall located?

The CSS will indeed change the source port, but this is on the server side.

Is the problem with both active and passive FTP or just one of them?

Do you have a sniffer trace showing the problem?

Thanks,

Gilles.

Hi Gilles

The firewall is between the Internet and the load balancer. On the load balancer we have configured two VLANs in the front and two VLANs in the back. We have two default routes to the Internet.

Attached you will find the sniffer trace.

We only see SYN and SYN/ACK.

Is the control connection not even establishing?

The CSS is spoofing the connection, so it will respond to the SYN on behalf of the server [at this time the server has not yet received any packet].

So the firewall should allow the SYN/ACK from the CSS.

There is no port mapping there.

Gilles.
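The point Gilles makes above (the CSS answers the client's SYN itself, so the SYN/ACK the firewall sees is the exact mirror of the client's SYN and no port mapping is visible on that side) can be checked with a small connection tracker. The following is an added example, not code from the original thread or from Cisco: a Python model of the 4-tuple check a stateful firewall performs before it logs "Packet out of state". The client, VIP and server addresses and all packets are constructed for the example; the back-end leg only illustrates the port rewrite the reply mentions, and how the CSS addresses that leg depends on its configuration.

```python
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFirewall:
    """Minimal connection tracker: a SYN opens state keyed by its 4-tuple,
    the SYN/ACK must be the exact mirror of that tuple, and later packets
    must belong to an established flow.  Anything else is logged the way
    the poster's firewall did: "Packet out of state"."""

    def __init__(self):
        self.state = {}   # (src, sport, dst, dport) of the SYN -> phase
        self.log = []

    def inspect(self, p: Pkt) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == SYN:
            self.state[fwd] = "SYN_SENT"
            return "allow"
        if p.flags == SYN | ACK and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "ESTABLISHED"
            return "allow"
        if p.flags == ACK and "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev)):
            return "allow"
        self.log.append(f"Packet out of state: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "drop"


# Placeholder addresses (constructed; not the thread's x.x.* addresses).
CLIENT, VIP, REAL_SERVER = "198.51.100.10", "203.0.113.140", "192.0.2.129"


def css_spoofed_handshake() -> list:
    """What a firewall between client and CSS sees when the CSS answers
    the SYN on behalf of the server: the SYN/ACK mirrors the client's
    tuple, so every packet of the handshake passes the state check."""
    fw = StatefulFirewall()
    pkts = [
        Pkt(CLIENT, 40000, VIP, 21, SYN),
        Pkt(VIP, 21, CLIENT, 40000, SYN | ACK),
        Pkt(CLIENT, 40000, VIP, 21, ACK),
    ]
    return [fw.inspect(p) for p in pkts]


def remapped_reply() -> tuple:
    """The case the poster suspected: a SYN/ACK whose client-side port was
    rewritten (40000 -> 33000).  No SYN was ever seen for that tuple, so a
    stateful firewall drops it and logs the packet as out of state."""
    fw = StatefulFirewall()
    pkts = [
        Pkt(CLIENT, 40000, VIP, 21, SYN),
        Pkt(VIP, 21, CLIENT, 33000, SYN | ACK),
    ]
    return [fw.inspect(p) for p in pkts], fw.log


def server_side_leg() -> list:
    """The leg behind the CSS, where the reply says the source port is
    changed.  Assumed here: same client address, new source port 33000.
    A firewall on this side sees a consistent SYN / SYN-ACK pair too,
    just with the rewritten port, so the state check still passes."""
    fw = StatefulFirewall()
    pkts = [
        Pkt(CLIENT, 33000, REAL_SERVER, 21, SYN),
        Pkt(REAL_SERVER, 21, CLIENT, 33000, SYN | ACK),
    ]
    return [fw.inspect(p) for p in pkts]


if __name__ == "__main__":
    print("client side, CSS spoofing:", css_spoofed_handshake())
    print("rewritten client port:", remapped_reply())
    print("server side leg:", server_side_leg())
```

The practical check is the same one the tracker makes: in the capture taken on the client side of the firewall, compare the SYN and the SYN/ACK and confirm that source and destination addresses and ports are mirrored. If they are, the drop is not a port-mapping problem and the cause has to be looked for elsewhere (for example asymmetric routing, which the later posts in this thread turn to).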

Hi Gilles

The problem that I have now is with ACTIVE FTP. I configured PBR on the load balancer. Passive FTP works both from the Internet and from our internal network, while active FTP works only from the Internet and doesn't work from our internal network. What we see is that the load balancer sends the ftp-data packet out to the Internet VLAN (e.g. VLAN 3605) and not to VLAN 3603. I guess the problem is in my access list. Have you any idea?

My configuration:

!*************************** GROUP ***************************
group srg_c01sg5
  vip address x.x.152.140
  add service h01p6v_21
  add service h01p6u_21
  active

!**************************** ACL ****************************
acl 1
  clause 10 permit any x.x.172.0 255.255.255.0 destination any prefer FW_VLAN3605
  clause 99 permit any any destination any
  apply circuit-(VLAN3607)

acl 2
  clause 10 permit any x.x.158.0 255.255.255.0 destination any prefer FW_VLAN3603
  clause 99 permit any any destination any
  apply circuit-(VLAN3610)
  clause 15 permit any x.x.158.0 255.255.255.0 destination 10.0.0.0 255.0.0.0 prefer FW_VLAN3603
  clause 20 permit any x.x.158.0 255.255.255.0 destination 138.191.0.0 255.255.0.0 prefer FW_VLAN3603
  clause 25 permit any x.x.158.0 255.255.255.0 destination 192.168.251.0 255.255.255.0 prefer FW_VLAN3603
  clause 30 permit any x.x.158.0 255.255.255.0 destination 192.168.250.0 255.255.255.0 prefer FW_VLAN3603
  clause 35 permit any x.x.158.0 255.255.255.0 destination 192.168.0.0 255.255.0.0 prefer FW_VLAN3603
  clause 40 permit any x.x.158.0 255.255.255.0 destination 172.16.0.0 255.240.0.0 prefer FW_VLAN3603

acl 10
  clause 99 permit any any destination any
  apply circuit-(VLAN3605)
  apply circuit-(VLAN3603)
  apply circuit-(VLAN2421)
  apply circuit-(VLAN1)

Can't you use more specific static routes to direct your internal traffic to the correct VLAN instead of the ACL?

I believe the acl won't work because of bug CSCej01719.

Regards,

Gilles.

Hi Gilles

I already have more specific routes but it doesn't work. Is there a way to not use the source group for active FTP but to do NAT at the ACL?

Below is the routing table:

ip route 0.0.0.0 0.0.0.0 194.41.160.254 1
ip route 172.16.0.0 255.240.0.0 194.41.160.1 1
ip route 10.0.0.0 255.0.0.0 194.41.160.1 1
ip route 138.191.0.0 255.255.0.0 194.41.160.1 1
ip route 194.41.128.119 255.255.255.255 194.41.160.248 1
ip route 172.28.0.0 255.255.0.0 172.27.3.254 1
ip route 172.27.0.0 255.255.0.0 172.27.3.254 1
ip route 192.168.250.0 255.255.255.0 194.41.160.1 1
ip route 192.168.251.0 255.255.255.0 194.41.160.1 1
ip route 138.189.96.0 255.255.255.224 194.41.160.1 1
ip route 172.29.128.0 255.255.192.0 194.41.160.248 1
ip route 0.0.0.0 0.0.0.0 194.41.152.254 1
ip route 10.0.0.0 255.0.0.0 194.41.152.129 1
ip route 138.191.0.0 255.255.0.0 194.41.152.129 1
ip route 192.168.251.0 255.255.255.0 194.41.152.129 1
ip route 192.168.250.0 255.255.255.0 194.41.152.129 1
ip route 192.168.0.0 255.255.0.0 194.41.160.1 1
ip route 192.168.0.0 255.255.0.0 194.41.152.129 1
ip route 172.16.0.0 255.240.0.0 194.41.152.129 1

I don't understand the need for your acl 1.

Why is it required?

I think that's the one forwarding all your traffic to the Internet.

Why don't you simply let the CSS route based on the routing table?

Gilles.

Because we have internal servers that need to open connections to the Internet. Without acl 1 we had the situation that one server in the private LAN could connect to the Internet and another server in the same LAN couldn't. The sniffer trace tells us that the packets for the server were routed to the wrong interface. We have two default routes to the Internet, and the firewall with its anti-spoofing rule blocks the traffic.

Any idea concerning the active FTP issue?

Your active FTP issue is related to your ACL.

You need to modify the ACL so it does not forward your FTP traffic to the Internet when it's not needed.

Create a new clause that will match your active FTP traffic and just permit it, without using the prefer option.

You could set up your FTP server to always use data port 20, to make it easier to identify the FTP data traffic.

Gilles.
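The fix Gilles describes (an earlier clause that matches the active-FTP data traffic and permits it without "prefer", so the routing table decides the egress) can be worked through with a small model. The following is an added example, not code from the original thread or from Cisco: a Python model of CSS policy-based routing in which clauses are evaluated in clause-number order, the first match wins, a clause with a preferred service forces the next hop, and a clause without one falls back to longest-prefix routing. It also shows that the new clause does not change where the same data connection goes for an Internet client. The next-hop names FW_INTERNET and FW_INTERNAL, the server subnet 192.0.2.0/24 and the client addresses are placeholders chosen for the example; the routing table is a reduced version of the one posted above, with the Internet and internal firewalls as the two next hops.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Clause:
    number: int
    proto: str               # "any" or "tcp"
    src: str                 # source network, CIDR notation
    sport: Optional[int]     # source port, None means any port
    dst: str                 # destination network, CIDR notation
    prefer: Optional[str]    # forced next hop, None means use the routing table


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def clause_matches(c: Clause, p: Packet) -> bool:
    return ((c.proto == "any" or c.proto == p.proto)
            and ip_address(p.src) in ip_network(c.src)
            and (c.sport is None or c.sport == p.sport)
            and ip_address(p.dst) in ip_network(c.dst))


def lookup_route(table: dict, dst: str) -> str:
    """Longest-prefix match over {cidr: next_hop}; 0.0.0.0/0 is the default."""
    addr = ip_address(dst)
    best = max((ip_network(n) for n in table if addr in ip_network(n)),
               key=lambda n: n.prefixlen)
    return table[str(best)]


def egress(acl: list, table: dict, p: Packet) -> str:
    """Next hop chosen for p.  Clauses are tried in number order; a matching
    clause with prefer wins outright, one without it defers to the routing
    table.  With ACLs enabled the CSS denies what no clause permits,
    modelled here as the string 'deny'."""
    for c in sorted(acl, key=lambda c: c.number):
        if clause_matches(c, p):
            return c.prefer if c.prefer else lookup_route(table, p.dst)
    return "deny"


# Constructed placeholders: FTP servers live in 192.0.2.0/24, internal
# clients in 10.0.0.0/8 and 172.16.0.0/12, everything else is the Internet.
SERVER_NET = "192.0.2.0/24"
ROUTES = {
    "0.0.0.0/0": "FW_INTERNET",
    "10.0.0.0/8": "FW_INTERNAL",
    "172.16.0.0/12": "FW_INTERNAL",
}

# Shape of the poster's ACL: everything from the server subnet is preferred
# towards the Internet firewall, then a catch-all permit.
ORIGINAL_ACL = [
    Clause(10, "any", SERVER_NET, None, "0.0.0.0/0", prefer="FW_INTERNET"),
    Clause(99, "any", "0.0.0.0/0", None, "0.0.0.0/0", prefer=None),
]

# The suggested fix: a lower-numbered clause that matches active-FTP data
# (server source port 20, so the server must be set to always use it) and
# permits it WITHOUT prefer, leaving the decision to the routing table.
FIXED_ACL = [Clause(5, "tcp", SERVER_NET, 20, "0.0.0.0/0", prefer=None)] + ORIGINAL_ACL


def ftp_data(client: str) -> Packet:
    """Active FTP: the server opens the data connection from port 20."""
    return Packet("tcp", "192.0.2.129", 20, client, 40001)


def compare(client: str) -> tuple:
    """(egress with the original ACL, egress with the fixed ACL)."""
    pkt = ftp_data(client)
    return egress(ORIGINAL_ACL, ROUTES, pkt), egress(FIXED_ACL, ROUTES, pkt)


if __name__ == "__main__":
    print("internal client 10.1.2.3:", compare("10.1.2.3"))
    print("Internet client 198.51.100.7:", compare("198.51.100.7"))
```

Two things carry over to the real CSS: the new clause has to have a lower number than the clause with "prefer", because evaluation stops at the first match, and matching on source port 20 only identifies the data connection reliably if the server is configured to use that port for every active-mode transfer, which is why the suggestion above pairs the clause with that server setting.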
