FTP ACL Connection issue

The.Sorrow
Level 1

I have an issue with ACLs. I have FTP forwarded via PAT to an internal server on my edge router. I have a rather extensive ACL that denies spider servers and certain ranges I know to be spammers. The issue lies in FTP. When the ACL is applied to my outside interface (fa0/1) I cannot successfully connect via FTP. When I drop the access-group, I can connect to FTP a-okay. When the ACL is applied, all my other services work as well (HTTP over port 1337, SSH, PPTP, IRC and TeamSpeak, UDP 9987). Here is my config. Any assistance will be gratefully appreciated:

Building configuration...

Current configuration : 6674 bytes
!
! Last configuration change at 11:07:17 PST Sun Dec 30 2012 by admin
! NVRAM config last updated at 19:12:53 PST Sun Dec 30 2012 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 *************************************
!
no aaa new-model
clock timezone PST -8
clock summer-time CDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip domain name **********.net
ip name-server 4.2.2.2
ip inspect log drop-pkt
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username admin secret 5 *************************************
!
interface FastEthernet0/0
 description Port to Core Switch
 ip address 172.16.0.254 255.255.255.252
 ip nat inside
 no ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description Port to Internet
 ip address dhcp
 ip access-group WANACL in
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
router ospf 100
 log-adjacency-changes
 passive-interface FastEthernet0/1
 network 172.16.0.252 0.0.0.3 area 0
 default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.50.0.250 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 10.20.0.200 22 interface FastEthernet0/1 22
ip nat inside source static tcp 10.20.0.100 6667 interface FastEthernet0/1 6667
ip nat inside source static tcp 10.20.0.200 80 interface FastEthernet0/1 1337
ip nat inside source static udp 10.20.0.100 9987 interface FastEthernet0/1 9987
ip nat inside source static tcp 10.20.0.250 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.20.0.250 20 interface FastEthernet0/1 20
!
ip access-list extended WANACL
 remark ** Permit established connections **
 permit tcp any any established
 remark ** Immediate deny banned ranges **
 **Suppressed: banned ranges**
 remark ** Deny Spiders **
 **Suppressed: spider ranges**
 remark ** Permit DHCP **
 permit udp any any eq bootpc
 remark ** Permit specific ICMP **
 permit icmp any any echo-reply
 remark ** Deny bogon ranges **
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark ** Permit all UDP traffic **
 permit udp any any
 remark ** permit NAT services (Logged to SNMP) **
 permit tcp any any eq ftp log
 permit tcp any any eq 1723
 permit tcp any any eq ftp-data log
 permit tcp any any eq 22 log
 permit tcp any any eq 6667 log
 permit gre any any
 permit udp any any eq 9987 log
 permit tcp any any eq 1337
 deny   ip any any
!
logging 10.50.0.250
access-list 101 permit gre any any
access-list 101 permit ip any any
!
control-plane
!
gatekeeper
 shutdown
!
banner exec ^C
WARNING: Unauthorized access to this system is forbidden and will be
         prosecuted by law. By accessing this system, you agree that your
         actions may be monitored if unauthorized usage is suspected.
^C
banner login ^C
    *************************************************************
    WARNING - PRIVATE ELECTRONIC DEVICE - ACCESS PROHIBITED
    This device is a private network device.  Access to this device is
    not authorized.  Any attempt for unauthorized access will be logged
    and appropriate legal action will be taken.
    *************************************************************
^C
!
line con 0
 password 7 *************************************
 logging synchronous
 login local
line aux 0
 password 7 *************************************
 logging synchronous
 login local
line vty 0 4
 password 7 *************************************
 logging synchronous
 login local
 length 0
 transport preferred ssh
line vty 5 15
 password 7 *************************************
 logging synchronous
 login
 transport preferred ssh
!
ntp clock-period 17180466
ntp server 184.105.192.247
!
end

Accepted Solution

Jitendra Siyag
Level 1

Is your FTP server active or passive?

Your ACL will change accordingly. Try to capture the successful transaction with FTP in Wireshark and analyze the source and destination ports.

http://www.slacksite.com/other/ftp.html
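The analysis step the reply asks for, as an added example that is not part of the thread: a small Python parser for the four FTP data-channel negotiations (PASV, EPSV, PORT, EPRT) that decodes the address and port from a control-channel capture and says which side opens the data connection, and so what an inbound ACL on the outside interface has to permit. The two 227 replies in the constructed transcript are the ones quoted later in this thread; the EPSV, PORT and EPRT lines and the 192.0.2.10 client address are made up for coverage.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample transcript. Only the two 227 replies come from the thread; the
# EPSV/PORT/EPRT lines and the 192.0.2.10 address are invented to exercise the parser.
SAMPLE_TRANSCRIPT = """\
Command:    PASV
Response:    227 Entering Passive Mode (10,20,0,250,167,242).
Command:    PASV
Response:    227 Entering Passive Mode (68,104,30,116,171,225).
Command:    EPSV
Response:    229 Entering Extended Passive Mode (|||44001|)
Command:    PORT 192,0,2,10,195,80
Command:    EPRT |1|192.0.2.10|50000|
"""


@dataclass
class DataChannel:
    mode: str            # "passive": client connects to server; "active": server connects to client
    host: Optional[str]  # address the data connection goes to; None for EPSV (same as control channel)
    port: int            # TCP port the data connection goes to
    source_line: str


# RFC 959 encodes address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2;
# RFC 2428 (EPSV/EPRT) carries the port in decimal between '|' delimiters.
_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")
_PORT_RE = re.compile(r"\bPORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_EPRT_RE = re.compile(r"\bEPRT \|[12]\|([^|]+)\|(\d+)\|")


def parse_data_channel(line: str) -> Optional[DataChannel]:
    """Decode the data-connection endpoint negotiated on one control-channel line, if any."""
    m = _PASV_RE.search(line)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        return DataChannel("passive", f"{a}.{b}.{c}.{d}", p1 * 256 + p2, line.strip())
    m = _EPSV_RE.search(line)
    if m:
        return DataChannel("passive", None, int(m.group(1)), line.strip())
    m = _PORT_RE.search(line)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        return DataChannel("active", f"{a}.{b}.{c}.{d}", p1 * 256 + p2, line.strip())
    m = _EPRT_RE.search(line)
    if m:
        return DataChannel("active", m.group(1), int(m.group(2)), line.strip())
    return None


def data_channels(transcript: str) -> List[DataChannel]:
    """All data-channel negotiations found in a capture, in order."""
    found = (parse_data_channel(line) for line in transcript.splitlines())
    return [dc for dc in found if dc is not None]


def acl_hint(dc: DataChannel) -> str:
    """What an inbound ACL on the Internet-facing interface must allow for this data connection."""
    if dc.mode == "passive":
        # The client opens a brand-new inbound TCP connection to the server's ephemeral port.
        # That SYN has no ACK bit, so 'permit tcp any any established' does not cover it.
        return f"inbound SYN to port {dc.port} (above 1023) must be permitted"
    # Active mode: the server opens the connection outbound from ftp-data (port 20); the
    # client's SYN-ACK and later segments carry ACK and are matched by 'established'.
    return "outbound from ftp-data; return traffic matches 'established'"


if __name__ == "__main__":
    for dc in data_channels(SAMPLE_TRANSCRIPT):
        target = dc.host or "<control-channel address>"
        print(f"{dc.mode:8} -> {target}:{dc.port}  {acl_hint(dc)}")
```

Feed it a text export of the FTP control stream (Wireshark's "Follow TCP Stream" output works once the `Command:`/`Response:` prefixes are stripped or left in; the regexes search anywhere in the line). The second 227 line decodes to 68.104.30.116 port 171*256+225 = 44001, which is the inbound SYN the ACL in this thread drops.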


Here's a successful connection:

Status:    Connecting to 10.20.0.250:21...
Status:    Connection established, waiting for welcome message...
Response:    220 Welcome to FTP.
Command:    USER guest
Response:    331 Please specify the password.
Command:    PASS ***********
Response:    230 Login successful.
Command:    SYST
Response:    215 UNIX Type: L8
Command:    FEAT
Response:    211-Features:
Response:     EPRT
Response:     EPSV
Response:     MDTM
Response:     PASV
Response:     REST STREAM
Response:     SIZE
Response:     TVFS
Response:     UTF8
Response:    211 End
Command:    OPTS UTF8 ON
Response:    200 Always in UTF8 mode.
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/"
Command:    TYPE I
Response:    200 Switching to Binary mode.
Command:    PASV
Response:    227 Entering Passive Mode (10,20,0,250,167,242).
Command:    LIST
Response:    150 Here comes the directory listing.
Response:    226 Directory send OK.
Status:    Directory listing successful

And an unsuccessful connection:

Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/"
Command:    TYPE I
Response:    200 Switching to Binary mode.
Command:    PASV
Response:    227 Entering Passive Mode (68,104,30,116,171,225).
Command:    LIST
Error:    Connection timed out
Error:    Failed to retrieve directory listing

I found that if I append 781 permit tcp any any gt 1024, everything works... Is that optimum from a security standpoint?

You have a passive FTP server. In this case the data connection will be established on a port greater than 1024; it can be any port, and that's why you are able to connect when you allow all ports greater than 1024.

But this line will open all the ports for everything on your network. I would suggest limiting it to that particular server IP, like below:

781 permit tcp any SERVER_IP gt 1024

Or try using the Zone-Based Firewall in the router to do FTP inspection, which will be safer. The URL below provides a basic working example:

http://blog.ine.com/2008/10/16/cisco-ios-zone-based-firewall-overview/

And here is a more detailed guide:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
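To make the effect of the candidate ACL lines concrete, here is an added example (my own code, not from the thread or from Cisco): a minimal first-match evaluator loaded with the FTP-relevant subset of WANACL, run against the two inbound SYNs a passive session sends the router, the control connection to port 21 and the data connection to port 44001 (decoded from the failing PASV reply above). The client address 198.51.100.7 is constructed, the 10.20.0.250 and 68.104.30.116 addresses are the ones in the thread, and the 50000-50100 passive range is an assumed server setting, not something the poster configured. The evaluator also encodes one caveat that a practitioner needs here, taken from Cisco's documented NAT order of operations: an inbound ACL on the outside interface is checked before outside-to-inside translation, so the destination it sees is the router's public address, never the inside server address. A permit keyed on 10.20.0.250 therefore cannot match on fa0/1 in, and because that public address comes from DHCP it is not a stable thing to hard-code either; the inspection approach recommended above, or a pinned passive port range on the server, avoids the problem.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str           # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False    # TCP ACK/RST bit set: the only thing 'established' checks


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str = "0.0.0.0/0"            # CIDR; 'any' in IOS syntax
    dst: str = "0.0.0.0/0"
    dport: Optional[tuple] = None     # ("eq", p) | ("gt", p) | ("range", lo, hi)
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None:
            op = self.dport[0]
            if op == "eq" and p.dport != self.dport[1]:
                return False
            if op == "gt" and p.dport <= self.dport[1]:
                return False
            if op == "range" and not self.dport[1] <= p.dport <= self.dport[2]:
                return False
        if self.established and not p.ack:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """IOS semantics: first matching entry wins, implicit deny if nothing matches."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# WANACL from the thread, reduced to the entries an ordinary Internet client can hit
# (the suppressed banned/spider ranges and the bogon denies are left out, and the
# echo-reply line is modelled without its ICMP type qualifier).
WANACL: List[Ace] = [
    Ace("permit", "tcp", established=True),
    Ace("permit", "udp", dport=("eq", 68)),          # bootpc
    Ace("permit", "icmp"),
    Ace("permit", "udp"),
    Ace("permit", "tcp", dport=("eq", 21)),          # ftp
    Ace("permit", "tcp", dport=("eq", 1723)),
    Ace("permit", "tcp", dport=("eq", 20)),          # ftp-data
    Ace("permit", "tcp", dport=("eq", 22)),
    Ace("permit", "tcp", dport=("eq", 6667)),
    Ace("permit", "gre"),
    Ace("permit", "tcp", dport=("eq", 1337)),
    Ace("deny", "ip"),
]

CLIENT = "198.51.100.7"        # constructed Internet client (RFC 5737 TEST-NET-2)
PUBLIC = "68.104.30.116"       # public address carried in the failing PASV reply
SERVER = "10.20.0.250"         # inside FTP server, i.e. the post-NAT destination
DATA_PORT = 171 * 256 + 225    # 44001, decoded from "(68,104,30,116,171,225)"


def with_extra(acl: List[Ace], extra: Ace) -> List[Ace]:
    """Insert one entry just before the final 'deny ip any any', as sequence 781 would."""
    return acl[:-1] + [extra, acl[-1]]


def verdicts(acl: List[Ace]) -> Dict[str, str]:
    """Verdicts for the two inbound SYNs a passive-mode session sends the router."""
    return {
        "control SYN to 21": evaluate(acl, Packet("tcp", CLIENT, PUBLIC, 21)),
        "passive data SYN to 44001": evaluate(acl, Packet("tcp", CLIENT, PUBLIC, DATA_PORT)),
    }


# The poster's fix: every TCP port above 1024 on the box becomes reachable from anywhere.
ACL_ANY_GT1024 = with_extra(WANACL, Ace("permit", "tcp", dport=("gt", 1024)))

# The narrowed line from the reply with the inside server address as destination.
# The inbound ACL on fa0/1 runs before outside-to-inside NAT, so the destination it sees
# is the router's public address, and this entry never matches.
ACL_INSIDE_DST = with_extra(WANACL, Ace("permit", "tcp", dst=SERVER + "/32", dport=("gt", 1024)))

# Same idea keyed on the pre-NAT destination the ACL actually sees (only stable if the
# public address is static; here it is assigned by DHCP).
ACL_PUBLIC_DST = with_extra(WANACL, Ace("permit", "tcp", dst=PUBLIC + "/32", dport=("gt", 1024)))

# Assumed alternative: the FTP server pinned to passive ports 50000-50100, so only that
# range is opened instead of everything above 1024.
ACL_PASV_RANGE = with_extra(WANACL, Ace("permit", "tcp", dport=("range", 50000, 50100)))

if __name__ == "__main__":
    for name, acl in [("WANACL as posted", WANACL),
                      ("+ permit tcp any any gt 1024", ACL_ANY_GT1024),
                      ("+ permit tcp any host 10.20.0.250 gt 1024", ACL_INSIDE_DST),
                      ("+ permit tcp any host 68.104.30.116 gt 1024", ACL_PUBLIC_DST)]:
        print(f"{name:45} {verdicts(acl)}")
```

Running the script prints one verdict pair per variant: the posted ACL permits the control SYN and denies the data SYN (the timeout in the capture), the `gt 1024` line permits it at the cost of exposing every high port, the inside-address variant still denies it, and only a permit keyed on the pre-NAT public address or a pinned passive range permits the data connection without opening the whole box.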
