SR520 configuration for internal FTP server

katsulis
Level 1

I am trying to configure a SR520-ADSL-K9 in order to access from outside (internet) an internal FTP server (by an FTP client with passive connection). Actually, it is a single server installation (small site) which besides FTP services, supports active directory, file services etc.

I am using CCA because I have no experience with CLI.

I configured NAT in order port 21 to point to my internal address (192.168.100.2) at the same port. This server's vlan (vlan100) belongs to inside zone.

When the firewall is active (even with the "low" protection setting) I cannot work fully with this FTP server (I can list directories but I can't upload or download files). Of course, everything works fine if the firewall is disabled.

I gave it a try by putting this server in the DMZ zone and it worked (accessing the FTP server from outside), but since it's a single server with many services I had other problems with the internal LAN (vlan100) that made my installation complicated so DMZ seems not an option.

Since I did many tests I believe that CCA can't help me any more in achieving what I wish to do. So the question is:

Can I do it with CLI? If someone can help me it would be very much appreciated (as I said, I have no experience on CLI so a detailed help will help).

Find attached current configuration with firewall on at medium level and failing FTP passive access from outside.

Accepted Solution

Panos Kampanakis
Cisco Employee

Can you put in

class-map type inspect match-all SDM-inspect-staticnat-in
 match access-group name staticnat
 match protocol ftp

policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  no pass
  inspect

Let us know if it works.

PK


5 Replies

So, since the ftp server is on the inside and connections are going to come from the outside to the inside, we need to look at the zone pair below, out-zone to in-zone.

zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in

Now, the above zone pair is calling the policy-map below:

router# sh run policy-map sdm-inspect-voip-in
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  pass
 class type inspect SDM-Voice-permit
  pass
 class type inspect sdm-nat-ftp-1
  inspect
 class class-default
  drop

When you look closely at the first class-map under the policy-map, you see that it is the one matching the ftp traffic.

class-map type inspect match-all SDM-inspect-staticnat-in
 match access-group name staticnat

ip access-list extended staticnat
 remark SDM_ACL Category=1
 permit tcp any any eq ftp

I see two problems:

1. The class-map uses a match-all.

Next time you add another protocol like smtp to the same access-list staticnat, this will not work because of the match-all.

2. It just has a pass.

When you just say pass, it will not allow the response traffic back automatically. It will expect a pass for the response traffic as well.

So, I would do two things:

Connect to the router via the command line (telnet or ssh) at the enable prompt (# prompt) and type the following commands.

router#conf t
class-map type inspect match-any SDM-inspect-staticnat-in
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  no pass
  inspect

Now try to establish ftp to this server on the inside and see if it works.

-KS
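The two points above (match-all versus match-any, and pass versus inspect) shown side by side, as an added illustration rather than configuration posted by anyone in this thread: the zone, class-map, policy-map and ACL names are the ones from the thread, the other policy-map classes are omitted, and the smtp entry is a constructed, hypothetical extension used only to show why match-all would break.

```cisco
! BEFORE: the relevant parts of the CCA-generated policy (other classes omitted).
ip access-list extended staticnat
 remark SDM_ACL Category=1
 permit tcp any any eq ftp
!
! match-all needs every line to match: traffic must be in the ACL AND be
! classified as FTP. A hypothetical smtp entry added to the ACL could
! never satisfy "match protocol ftp", so it would never hit this class.
class-map type inspect match-all SDM-inspect-staticnat-in
 match access-group name staticnat
 match protocol ftp
!
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  ! pass is stateless: the server's replies and the passive-mode data
  ! connection are not tracked, so they hit class-default and are dropped.
  pass
 class class-default
  drop
!
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
!
! AFTER: the intended end state (only the policy-map change was needed in
! this thread; the match-any change is the forward-looking one).
ip access-list extended staticnat
 remark SDM_ACL Category=1
 permit tcp any any eq ftp
 ! hypothetical second service on the same host (constructed for this example)
 permit tcp any any eq smtp
!
! match-any: one matching line is enough, so entries can be added to the
! ACL without each also having to be classified as FTP.
class-map type inspect match-any SDM-inspect-staticnat-in
 match access-group name staticnat
 match protocol ftp
!
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  ! inspect is stateful: the FTP control channel is tracked and the
  ! negotiated passive data connection plus all return traffic are
  ! permitted automatically. On the CLI, enter "no pass" first, as above.
  inspect
 class class-default
  drop
!
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
```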

Very special thanks!...

I learned a lot from your detailed answer, in which I guess you meant the following:

class-map type inspect match-any SDM-inspect-staticnat-in
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  no pass
  inspect

which is a success!...

Thank you all

Thank you very much

Only the following can do the job. The test was a success!...

policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  no pass
  inspect

Yup,

With inspect you allow the return traffic for ftp, so it should be OK.

Take care, Vassili...

PK