Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1459
Views
0
Helpful
1
Replies

FTP in Zone based firewall

cgarringer
Level 1
Level 1

‎02-22-2012 02:56 PM - edited ‎03-11-2019 03:33 PM

I am working on a zone-based firewall for a new location.    I am currently working on getting connections to infrastructure devices (2960 switch, WAVE 574).   I have a zone pair defined with an outside and a INFRA zone.    The class map is a match access-group line, and the access-list is working for ssh  and syslog.   However I have teh WAVE device at a software version higher than my current standard (brand-new device) and have to ftp the downgrade code to the device from the ftp server.   I have the following in the access-list

permit tcp host <wave574> host <ftp server> eq ftp (3 matches)

As you can see it has matched 3 times.   The builtin WAAS procedure is to ftp to the server, change to binary mode, go to PASV mode, CWD to the specified directory, gets successfull, sends PASV again, then tries to download the file.   At that point it breaks, giving a timeout error.   The logs show tcp being denied between the wave device an the ftp server, both on upper ports.    FTP handling should not be a problem, the firewalls have been handling it for years.    What am I missing here?   I checked the rest of the ACL above the ftp line, that is the only line that could possibly be hit by the addresses involved.

Thanks.

Labels:
0 Helpful
1 Reply 1

mirober2
Cisco Employee
Cisco Employee

‎02-29-2012 12:56 PM

Hello,

You'll need to make sure that your zone-pair's policy includes a class-map that uses 'match protocol ftp' and that the 'inspect' action is applied for this class of traffic. Since FTP opens a secondary data connection with a dynamically allocated port, ZBF needs to be able to see this port and dynamically allow the data channel through the firewall. Otherwise, you would need to permit all TCP traffic between the WAVE and the FTP server.

-Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card