12-30-2012 09:20 PM - edited 02-21-2020 04:48 AM
I have an issue with ACLs. I have FTP forwarded via PAT to an internal server on my edge router. I have a rather extensive ACL that denies spider servers and certain ranges I know to be spammers. The issue lies in FTP. When the ACL is applied to my outside interface (fa0/1) I cannot successfully connect via FTP. When I drop the access-group, I can connect to FTP a-okay. When the ACL is applied all my other services work as well (HTTP over port 1337, SSH, PPTP, IRC and TeamSpeak - UDP 9987). Here is my config. Any assistance will be gratefully appreciated:
Building configuration...
Current configuration : 6674 bytes
!
! Last configuration change at 11:07:17 PST Sun Dec 30 2012 by admin
! NVRAM config last updated at 19:12:53 PST Sun Dec 30 2012 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 *************************************
!
no aaa new-model
clock timezone PST -8
clock summer-time CDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain name **********.net
ip name-server 4.2.2.2
ip inspect log drop-pkt
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin secret 5 *************************************
!
!
!
!
!
!
!
interface FastEthernet0/0
description Port to Core Switch
ip address 172.16.0.254 255.255.255.252
ip nat inside
no ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
description Port to Internet
ip address dhcp
ip access-group WANACL in
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
!
router ospf 100
log-adjacency-changes
passive-interface FastEthernet0/1
network 172.16.0.252 0.0.0.3 area 0
default-information originate
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.50.0.250 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 10.20.0.200 22 interface FastEthernet0/1 22
ip nat inside source static tcp 10.20.0.100 6667 interface FastEthernet0/1 6667
ip nat inside source static tcp 10.20.0.200 80 interface FastEthernet0/1 1337
ip nat inside source static udp 10.20.0.100 9987 interface FastEthernet0/1 9987
ip nat inside source static tcp 10.20.0.250 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.20.0.250 20 interface FastEthernet0/1 20
!
ip access-list extended WANACL
remark ** Permit established connections **
permit tcp any any established
remark ** Immediate deny banned ranges **
----------------------------------------------------
**Supressed ranges banned**
----------------------------------------------------
remark ** Deny Spiders **
----------------------------------------------
**Supressed Spider ranges**
-----------------------------------------------
remark ** Permit DHCP **
permit udp any any eq bootpc
remark ** Permit specific ICMP **
permit icmp any any echo-reply
remark ** Deny bogon ranges **
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark ** Permit all UDP traffic **
permit udp any any
remark ** permit NAT services (Logged to SNMP) **
permit tcp any any eq ftp log
permit tcp any any eq 1723
permit tcp any any eq ftp-data log
permit tcp any any eq 22 log
permit tcp any any eq 6667 log
permit gre any any
permit udp any any eq 9987 log
permit tcp any any eq 1337
deny ip any any
!
logging 10.50.0.250
access-list 101 permit gre any any
access-list 101 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
banner exec ^C
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
^C
banner login ^C
*************************************************************
WARNING - PRIVATE ELECTRONIC DEVICE - ACCESS PROHIBITED
This device is a private network device. Access to this device is
not authorized. Any attempt for unauthorized access will be logged
and appropriate legal action will be taken.
*************************************************************
^C
!
line con 0
password 7 *************************************
logging synchronous
login local
line aux 0
password 7 *************************************
logging synchronous
login local
line vty 0 4
password 7 *************************************
logging synchronous
login local
length 0
transport preferred ssh
line vty 5 15
password 7 *************************************
logging synchronous
login
transport preferred ssh
!
ntp clock-period 17180466
ntp server 184.105.192.247
!
end
12-30-2012 10:18 PM
Is your FTP server active or passive?
Your ACL will change accordingly. Try to capture the successful transaction with FTP in Wireshark and analyze the source and destination ports.
12-30-2012 10:49 PM
Here's a successful connection:
Status: Connecting to 10.20.0.250:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome to FTP.
Command: USER guest
Response: 331 Please specify the password.
Command: PASS ***********
Response: 230 Login successful.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: EPRT
Response: EPSV
Response: MDTM
Response: PASV
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: UTF8
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (10,20,0,250,167,242).
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Status: Directory listing successful
And an unsuccessful connection:
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (68,104,30,116,171,225).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
12-30-2012 11:06 PM
I found that if I append 781 permit tcp any any gt 1024, everything works... Is that optimum from a security standpoint?
01-01-2013 11:36 AM
You have a passive FTP server. In this mode, the data connection will be established on a port greater than 1024. It can be any port, and that's why you are able to connect when you allow all ports greater than 1024.
But this line will open all the ports for everything on your network. I would suggest limiting it to that particular server IP like below.
781 permit tcp any SERVER_IP gt 1024
Or try using the Zone-Based Firewall in the router to do FTP inspection, which will be safer. The URL below will provide you a basic working example.
http://blog.ine.com/2008/10/16/cisco-ios-zone-based-firewall-overview/
And here is a more detailed guide:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
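Why the passive data channel is dropped by the posted WANACL, as an added Python example that is not part of the thread: it decodes the two 227 replies quoted above (port = p1*256 + p2 per RFC 959) and replays the client's inbound data-connection SYN against a toy first-match model of the ACL's TCP lines, with and without the scoped gt 1024 line the answer suggests. The packet shape and ACL model are simplified assumptions; the point they reproduce is that "established" never matches a fresh SYN, and that the inbound ACL on the outside interface is evaluated before NAT, so the destination it sees is the public address in the 227 reply.

```python
import re

# Constructed from the 227 replies quoted in the thread: LAN-side success
# and WAN-side failure. Only the data port and address differ.
PASV_LAN = "227 Entering Passive Mode (10,20,0,250,167,242)."
PASV_WAN = "227 Entering Passive Mode (68,104,30,116,171,225)."

def parse_pasv(reply):
    """Decode an RFC 959 227 reply into (host, port); port = p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def syn(dst, dport):
    """Inbound TCP SYN as the outside-interface ACL sees it. The ACL runs
    before NAT, so dst is the public address the client read from 227."""
    return {"dst": dst, "dport": dport, "ack": False}

def wanacl(extra=()):
    """Toy model of WANACL's TCP lines from the post, in order, plus any
    extra (action, predicate) lines inserted before the final deny."""
    rules = [
        # 'established' matches only segments with ACK or RST set, so the
        # client's fresh SYN to the passive data port never hits this line.
        ("permit", lambda p: p["ack"]),
        ("permit", lambda p: p["dport"] == 21),   # permit tcp any any eq ftp
        ("permit", lambda p: p["dport"] == 20),   # ftp-data: active mode only
    ]
    rules += list(extra)
    rules.append(("deny", lambda p: True))        # deny ip any any
    return rules

def evaluate(rules, pkt):
    """First-match semantics, as an IOS ACL is evaluated."""
    for action, match in rules:
        if match(pkt):
            return action
    return "deny"

def high_ports_to(host):
    """The answer's suggestion: permit tcp any <SERVER_IP> gt 1024."""
    return ("permit", lambda p: p["dst"] == host and p["dport"] > 1024)

if __name__ == "__main__":
    host, port = parse_pasv(PASV_WAN)
    print("data port", port, "without fix:", evaluate(wanacl(), syn(host, port)))
    print("with fix:", evaluate(wanacl([high_ports_to(host)]), syn(host, port)))
```

Because the outside interface gets its address by DHCP, a scoped permit that names that address must be updated if the lease changes, which is one reason the answer also points at FTP inspection.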