07-17-2013 08:22 AM - edited 03-11-2019 07:13 PM
Hello everyone,
I have a problem with an IOS firewall. The thing is that I'm using an FTP client to collect data from the WAN (it's in passive mode). The session gets established through port 21 (which is on my access-list). I cannot get the transfer completed because FTP opens a random port for this part, from 1024 to 65535.
I could add a new line on my access-list permitting tcp any any range 1024 65535, but my client won't accept this. It's a quite fair decision, since I'd be opening almost all the ports.
Is there a solution for this problem? So my firewall can detect the new session.
I have already tried to inspect ftp as a global policy, but it didn't work.
Thanks in advance for the help.
07-17-2013 10:34 AM
Instead of using an ACL, use the match protocol command. This will allow the dynamic ports that need to be opened for the FTP session.
Regards,
Juan Lombana
Please rate helpful posts.
07-17-2013 10:37 AM
It should work if you have an ip inspect rule on the LAN interface inbound direction. So, in addition to anything else required, something like:
ip inspect name INFIRE ftp
interface Ethernet0/0
 ! firewall inspection for inbound traffic
 ip inspect INFIRE in
You can also use the wizard in CCP to help with IOS ZBFW setup. It can be daunting from the CLI if you don't use it often.
07-17-2013 10:47 AM
Hello Bruno,
As Juan Lombana said, you need to use a match protocol on the class-map config instead of a match access-group.
Okay, the server is in passive mode, right? Behind which zone is the server?
Share the configuration
Regards,
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
07-25-2013 02:28 PM
Hello guys, it's been too long since I asked this and I'm sorry for not replying to your kind answers.
The problem was solved 2 weeks ago. The thing is that I had to match ftp on an exclusive class-map and put it on top of the policy-map. When I did this, it worked just fine.
What I had been doing (such a shame) is matching ftp along with icmp, tcp and udp, all in one class-map.
Thanks for the answers.
Bruno
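As an added example (not Bruno's configuration, which was never posted), here is a complete IOS zone-based firewall policy that reproduces what he describes: the broken single class-map beside the working layout with a dedicated FTP class-map placed first in the policy-map. Zone names, interface names, the 192.168.10.0/24 LAN subnet and the ACL name LAN-HOSTS are assumptions. The point of the separate class is that the FTP application inspection (ALG) has to classify the control channel on port 21; when the same match-any class also carries a generic `match protocol tcp`, the flow can be treated as plain TCP, and the firewall then has no way to learn the ephemeral data port negotiated in the PASV reply.

```cisco
! Added example, not from the thread. Assumed: zones INSIDE/OUTSIDE,
! Gi0/0 = LAN, Gi0/1 = WAN, LAN subnet 192.168.10.0/24.
ip access-list extended LAN-HOSTS
 permit ip 192.168.10.0 0.0.0.255 any

! What did not work: ftp folded into one class-map with generic tcp/udp/icmp.
! The generic tcp line can claim the port-21 control channel before the ftp
! line does, so the FTP ALG never runs and the passive data port stays closed.
class-map type inspect match-any CM-BROKEN
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp

! What worked: a dedicated FTP class, evaluated first in the policy-map.
class-map type inspect match-all CM-FTP
 match access-group name LAN-HOSTS
 match protocol ftp
class-map type inspect match-any CM-GENERIC
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect PM-IN-OUT
 class type inspect CM-FTP
  inspect
 class type inspect CM-GENERIC
  inspect
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT

interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

To confirm the data channel is being opened by inspection rather than by a wide ACL, start a passive transfer and run `show policy-map type inspect zone-pair IN-OUT sessions`: you should see the port-21 control session under CM-FTP and, while the transfer runs, a second session to the high port that the server announced, created by the firewall itself. No `permit tcp any any range 1024 65535` line is needed anywhere, and class-default keeps dropping everything the inspected classes did not establish.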
07-26-2013 12:08 PM
Hello,
Glad to know you have it up and running. Please mark the question as answered so future users can learn from this.
For Networking Posts check my website at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
04-24-2024 07:50 PM
Wow. Been trying to figure this out for over a week. Bruno's separate FTP class-map put first in line above the usual HTTP class-map on the In-Out policy-map did the trick on our ISR 8200s. Thanks.