Inspect FTP protocol via zone-based firewall
07-27-2015 02:41 AM - edited 03-11-2019 11:20 PM
Hi everybody. I have an issue permitting FTP traffic from zone A, where my client is located, to zone B, where my FTP server is located.
I permit via an access list from network A to network B the needed networks and ports, and in the class map I add the ftp protocol. The client can connect to the FTP server, but it cannot list or download software from the FTP server. The client shows a connection timeout. How can I fix this issue?
Thanks to all in advance.
Labels: NGFW Firewalls
07-27-2015 02:55 AM
It's hard to say how to fix it as you don't show what you configured ... But it should work with a config like the following:

ip access-list ext FTP-COMMUNICATION
 permit ip 10.10.10.0 0.0.0.255 host 192.0.2.21
!
class-map type inspect match-all FTP-TO-SERVER
 match access-group name FTP-COMMUNICATION
 match protocol ftp

Here I only specify the L3 communication in the ACL; the information that it has to be FTP is taken from the match protocol.
07-28-2015 04:38 AM
Here is a piece of my config:

ip access-list extended from_term_to_servers
 permit tcp object-group permit_terminal-point object-group servers eq 8091
 permit udp object-group permit_terminal-point object-group servers eq ntp
 permit tcp object-group permit_terminal-point object-group server_254.4 eq ftp
 permit tcp object-group permit_terminal-point object-group server_254.4 eq ftp-data
 permit tcp object-group permit_terminal-point object-group server_254.4 range 64000 65535
!
class-map type inspect match-any from_terminal
 match access-group name from_term_to_servers
!
class-map type inspect match-any tcp_ftp
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-all term_net_servers
 match class-map from_terminal
 match class-map tcp_ftp
!
policy-map type inspect from_terminal_p
 class type inspect term_net_servers
  inspect
 class class-default
  drop
!
zone-pair security terminal_s source terminal destination ivlanA
 service-policy type inspect from_terminal_p

But the FTP protocol is not working. How can I check that my rules and policy are working right, and that maybe the issue is not in the router and ZBF?
07-28-2015 04:51 AM
Build a new ACL only for the FTP communication, as shown above, and it should work.
08-05-2015 04:51 AM
I did what you said about FTP; it is not working. I created a separate access list for FTP, created a class map including that access list and only the ftp protocol, and placed it in the policy map, but the rule and FTP inspection do not work. They have access to the FTP server but cannot list the directory or download anything.
08-05-2015 05:15 AM
What have you configured exactly?
08-05-2015 07:40 AM
ip access-list extended ftp_term
 permit tcp object-group permit_terminal-point object-group server eq ftp
 permit tcp object-group permit_terminal-point object-group server eq ftp-data
!
class-map type inspect match-all ftp_for_term
 match access-group name ftp_term
 match protocol ftp
!
policy-map type inspect from_terminal_p
 class type inspect term_net_servers
  inspect
 class type inspect ftp_for_term
  inspect
 class class-default
  drop
08-06-2015 01:06 AM
And I need to inspect FTPS too.
Can anyone help me with this issue?
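Editor's added example (not posted by anyone in the thread): a minimal IOS zone-based firewall policy of the shape the second reply suggests, with the verification commands the original poster asked for. It assumes clients in 10.10.10.0/24 in zone "terminal" and an FTP server at 192.0.2.21 in zone "ivlanA", reusing the zone names and the existing ACL name from the thread; those addresses and the class/policy names are assumptions, not taken from the posted configs.

```cisco
! Added example, not the original poster's configuration.
! Assumed: clients 10.10.10.0/24 in zone "terminal", FTP server 192.0.2.21
! in zone "ivlanA". Zone names and the ACL from_term_to_servers come from
! the thread; everything else is illustrative.
!
! 1. The ACL only identifies the endpoints and the FTP control port.
!    Do not add ftp-data or a passive port range here: the FTP ALG
!    opens those data-channel pinholes itself after parsing PORT/PASV
!    on the control connection.
ip access-list extended FTP-COMMUNICATION
 permit tcp 10.10.10.0 0.0.0.255 host 192.0.2.21 eq ftp
!
! 2. match-all: the flow must hit the ACL AND be recognised as FTP, so the
!    control connection gets FTP application inspection rather than
!    generic TCP inspection.
class-map type inspect match-all FTP-TO-SERVER
 match access-group name FTP-COMMUNICATION
 match protocol ftp
!
! Generic class for the other permitted traffic (assumed to exist).
class-map type inspect match-all OTHER-TO-SERVERS
 match access-group name from_term_to_servers
 match protocol tcp
!
! 3. Classes in a policy-map are evaluated top-down and the first match
!    wins. Put the FTP class before any class that also matches plain TCP
!    to the same server, otherwise FTP control traffic is inspected as
!    generic TCP and the data channel is never opened.
policy-map type inspect TERMINAL-TO-SERVERS
 class type inspect FTP-TO-SERVER
  inspect
 class type inspect OTHER-TO-SERVERS
  inspect
 class class-default
  drop
!
zone-pair security terminal_s source terminal destination ivlanA
 service-policy type inspect TERMINAL-TO-SERVERS
!
! 4. Verification while a client runs a directory listing:
!    show policy-map type inspect zone-pair terminal_s sessions
!      - the control session (dst port 21) must appear under class
!        FTP-TO-SERVER; a second, data session should appear when the
!        listing starts. If the control session shows under the generic
!        class instead, class ordering is the problem.
!    show ip access-lists FTP-COMMUNICATION
!      - ACL hit counters confirm the FTP class is actually being matched
!    show zone-pair security
!      - confirms which policy is attached to the terminal -> ivlanA pair
```

On the FTPS question: FTP inspection works by reading the PORT/PASV exchange on the cleartext control channel. Once that channel is protected by TLS (explicit AUTH TLS on port 21 or implicit FTPS on 990), the firewall cannot see those commands and cannot open the data channel dynamically. The usual approach is to pin the server's passive port range and permit that range explicitly in a separate ACL/class inspected as plain TCP, keeping the range as narrow as the server allows.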
