02-24-2007 12:43 PM - edited 03-11-2019 02:38 AM
Linux_FTP_Server---(DMZ)Pix(ExTERNAL)---Linux_FTP_client
Pix is running version 7.2(2).
DB has priority of 70. EXTERNAL has priority of 0.
Pix DB interface IP is 10.102.160.19/28
Pix EXTERNAL interface IP is 192.168.1.4/24
Linux_FTP_Server is 10.102.160.20
Linux_FTP_client is 192.168.1.1
Linux_FTP_Server is running both "Active" and "Passive" FTP mode.
Linux_FTP_Server is being NATted by the pix:
static (DMZ,EXTERNAL) 192.168.1.20 10.102.160.20 net 255.255.255.255
Keep in mind that the customer does NOT want to make any changes
to the Linux_FTP_Server. It is not my decision.
They want me to configure the Pix firewall so that the pix will
allow only "passive" ftp from the Linux_FTP_client to the
Linux_FTP_Server. NO Active ftp is allowed between the Linux_FTP_client
and the Linux_FTP_Server.
Here is my config, just for testing purposes:
ftp mode passive
no fixup protocol ftp 21
static (DMZ,EXTERNAL) 192.168.1.20 10.102.160.20 net 255.255.255.255
access-list External permit icmp any any log
access-list External permit tcp any any eq 21 log
access-list External permit tcp any any gt 1024 log
access-list DMZ permit icmp any any log
access-list DMZ deny tcp any eq 20 any gt 1024 log
access-list DMZ permit ip any any log
access-group External in interface EXTERNAL
access-group DMZ in interface DMZ
Here is the output from the Linux_FTP_client. As you can see,
I can login fine but as soon as I type "ls", the connection
hangs. I suspect that is because I turned off ftp fixup:
Linux_FTP_client[admin]# ftp 192.168.1.20
Connected to 192.168.1.20.
220 (vsFTPd 1.1.3)
Name (192.168.1.20:admin): anonymous
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Switching to Binary mode.
ftp> prompt
Interactive mode off.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,102,160,20,4,222)
CiscoPix(config)# sh access-list External
access-list External; 3 elements
access-list External line 1 extended permit icmp any any log informational interval 300 (hitcnt=2) 0xa53e0e51
access-list External line 2 extended permit tcp any any eq ftp log informational interval 300 (hitcnt=8) 0x6a1b47d7
access-list External line 3 extended permit tcp any any gt 1024 log informational interval 300 (hitcnt=13) 0xfe0778b4
CiscoPix(config)#
Does anyone know how to configure the Pix 7.x code to allow only "passive" ftp
through the firewall with static NAT? It seems to me that the pix firewall is
incapable of doing this.
Any ideas anyone? Thanks.
David
02-25-2007 05:12 AM
If you disable FTP inspection engines with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml
02-25-2007 06:16 AM
hi r.taccon,
I am not interested in outbound ftp connections.
I am only interested in inbound ftp connections. This FTP server accepts inbound
connections from other users over the Internet.
Is this possible with Pix 7.x or Pix in general
when static NAT is involved?
I come from Checkpoint and Juniper/Netscreen
environments and I take these things for granted
until I deal with Cisco Pix.
Thanks.
David
02-25-2007 10:41 AM
Hello,
Your problem is that in order for the pix to nat the port OR passive command, the inspect/fixup for ftp has to be on.
From your output:
227 Entering Passive Mode (10,102,160,20,4,222)
the first 4 numbers there are the IP address it sees for the port command. As you can see, it's the 10.x address, not the NAT address needed so the communication can work.
So turning on the inspect/fixup fixes that issue. However, once the fixup is on, active ftp is allowed as well. The only way to block active ftp from the server would be to deny its ability to initiate connections to anything greater than or equal to port 1024 (which seems to be what you've done in your DMZ access-list, though you may want to make it from all ports rather than just a source port of 20 to be absolutely certain, and change it to be gt 1023).
--Jason
Please rate this message if it helps solve some or all of your issue/question
02-25-2007 04:54 PM
On second thought, the ACL may not block it - the inspect may create an entry in the state table before the ACL is checked and allow active ftp through.
--Jason
02-25-2007 05:06 PM
Jason,
So what is the solution? I can not believe
I have an expensive Pix firewall that can not
do a simple task like this one.
Without static NAT in place, I can allow
only passive FTP through the pix firewall. In
other words, if I just route traffic through
the firewall, it will work like this:
no fixup protocol ftp 21
access-list out permit icmp any any log
access-list out permit tcp any any eq 21 log
access-list out permit tcp any any gt 1024 log
access-list in permit icmp any any log
access-list in deny tcp any eq 20 any log
access-list in permit ip any any log
access-group out in interface outside
access-group in in interface inside
However, since I am static NATing the ftp server,
this configuration does not serve me any good.
Any more ideas? Thanks.
David