FTP inspection problems

ejensenscs
Level 1

Hello,

I have multiple customers and servers behind my ASA5510s.  After moving a new customer with an FTP server behind the firewalls, they immediately had issues with customers connecting to their FTP server.  I had the default inspection rules running regarding FTP.  After removing the "inspect ftp" from the global policy their issues went away.  Since this is a larger customer I can't force them to change their server, I need to accommodate and fix this on the firewall.  I left the "inspect ftp" command out and there have been sporadic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.  I'm trying to figure this out fast, any help would be appreciated!!

This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it.  Then I used the "exclude" option to exclude the new customer.  That new customer is fine and things are better, but still not working right.  Does the following config accomplish what I want?  Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?

<should be all the relevant lines>

object-group network DM_INLINE_NETWORK_10
network-object 172.24.X.0 255.255.255.0

object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data

access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10

class-map global-class-ftp
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
class global-class-ftp
  inspect ftp

-Erick

3 Replies

Edward Dutra
Cisco Employee

Hi Erick....

Some things to point out in your config.

1) Don't inspect port 20 ftp-data. Only port 21 needs to be inspected.

2) It looks like you're "denying" inspection for the 172.24.X.0 255.255.255.0 network, however you're not 'permitting' traffic that should be inspected.

3) The access-list that you're applying to your MPF policy has the FTP port applied to the source, not the destination.

Here's an example:

!

object-group network DM_INLINE_NETWORK_10
network-object 172.24.X.0 255.255.255.0

!

object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp

!

access-list global_mpc extended deny tcp any object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_1

access-list global_mpc extended permit tcp any any eq ftp

!

Ok, thanks!

1.  I don't know that I picked port 20 out, I did it via ASDM, so I think it created that network object for me.

2.  I'm trying to inspect everything from my various vlans EXCEPT the one listed there (172.24.x.0), from the ASDM it looked like that's what I was doing.  Maybe not?  Here's the list I'm going to apply now...

object-group network DM_INLINE_NETWORK_10
network-object 172.24.X.0 255.255.255.0
network-object customer 255.255.255.0

object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data

object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_3 tcp  (ASDM is creating these, I think I can clean this up later, only 1 object is needed)
port-object eq ftp
port-object eq ftp-data

access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10
access-list global_mpc extended permit tcp any object-group DM_INLINE_TCP_2 10.1x.1x.0 255.255.255.0
access-list global_mpc extended permit tcp 10.1x.1x.0 255.255.255.0 object-group DM_INLINE_TCP_3 any

(I have servers and clients in this network so I think I need outbound and inbound inspection, no?)

3.  Should I be using internal IPs or the external IPs for these ACLs?

1) just remove the ftp-data from the object groups

2 & 3) The access-list should be based on the direction of the FTP requests since your FTP class-map is applied to the global-policy. For example, for FTP connections going from outside to inside the firewall, it would be easiest to match based on the destination (the internal networks). However, for connections from inside to outside, it would then be easiest to create the ACL based on the source (again the internal networks).

For a connection coming from outside to inside the firewall, you would need to use the mapped IP address when creating the ACL if you're using ASA code 8.2 and older. 8.3 and later requires you use the real IP address.

Here's the easiest way I see creating the ACL for your MPF policy:

access-list global_mpc extended deny tcp 172.24.X.0 255.255.255.0 any eq 21
access-list global_mpc extended permit tcp any any eq 21

The above access-list will not inspect any FTP traffic FROM 172.24.X.0 and inspect all other traffic. The following ACL will not inspect FTP traffic TO 172.24.X.0 while inspecting all other FTP traffic:

access-list global_mpc extended deny tcp any 172.24.X.0 255.255.255.0 eq 21
access-list global_mpc extended permit tcp any any eq 21
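Putting the two replies above together (port 21 only, deny lines before the permit, the internal network as destination for inbound connections and as source for outbound ones), the following is a complete MPF fragment added here as a worked example; it is not configuration from the thread. It assumes ASA 8.3 or later, so the ACL uses the real (untranslated) 172.24.X.0/24 address; on 8.2 and older the inbound deny would need the mapped address instead. The object-group name `FTP_NO_INSPECT` is a placeholder chosen for this example.

```cisco
! Added example: exempt one customer network from FTP inspection, inspect all other FTP.
! ASA evaluates ACL entries top-down and stops at the first match; the class-map only
! matches traffic that hits a PERMIT entry, so a deny-only ACL would inspect nothing.
object-group network FTP_NO_INSPECT
 network-object 172.24.X.0 255.255.255.0
!
! Outside clients -> the excluded customer's FTP server (match on destination)
access-list global_mpc extended deny tcp any object-group FTP_NO_INSPECT eq ftp
! Excluded customer's hosts -> outside FTP servers (match on source)
access-list global_mpc extended deny tcp object-group FTP_NO_INSPECT any eq ftp
! Everything else on the control channel (port 21) is inspected. Port 20 / ftp-data
! is deliberately absent: the inspection engine opens the data-channel pinholes itself.
access-list global_mpc extended permit tcp any any eq ftp
!
class-map global-class-ftp
 match access-list global_mpc
!
! Keep "inspect ftp" out of class inspection_default so this ACL-driven class is the
! only place FTP inspection is applied.
policy-map global_policy
 class global-class-ftp
  inspect ftp
!
! Already present on a default ASA configuration; shown for completeness.
service-policy global_policy global
```

After applying it, `show access-list global_mpc` shows a hit count per entry, which is the quickest way to confirm that the excluded customer's connections land on a deny line and everyone else's on the permit, and `show service-policy inspect ftp` confirms the inspection is bound to `global-class-ftp`. Leaving port 20 out of the ACL matters beyond tidiness: the ASA only opens the dynamic data-connection pinholes when the control channel is inspected, which is also why removing `inspect ftp` from the global policy altogether tends to break FTP for every other customer rather than just the one being exempted.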
