08-05-2010 05:35 AM - edited 03-11-2019 11:21 AM
I have set up an inbound ACL on the outside interface of my router that allows TCP ports 20 and 21 in, and I have a CBAC inspect map with FTP specified on the same interface in an outbound direction. My understanding is that the inspect will check all outbound traffic and dynamically fix the inbound ACL for the client/server negotiated ports. I have active FTP clients like the command line Windows ftp working, but passive clients like a browser do not.
If I uncheck passive mode on my browser it works further confirming that active FTP works. Ironically, the browser active/passive option says that passive mode is for firewall compatibility!
Any ideas on this? I would really like both to work because I frequently use the command line ftp and most others prefer the browser.
Thanks,
Diego
08-05-2010 10:18 PM
It is supported on IOS.
Well, it is recommended you go there only if you see that CBAC is unable to achieve what you want.
It provides more flexibility.
In any case, for your query we seem to have isolated the issue that inspect ftp is broken; I have seen a lot of bugs related to broken inspect for L7.
You can go to zone-based firewall, but let me advise you that it is also unpredictable at times as far as features are concerned. When it works it works like magic, but when something is broken it gets really tough to isolate.
To resolve your issue, I think it's worth a try to go to 15.0 code, which is the latest; I would suggest you use this code even if you go to zone-based firewall.
08-06-2010 12:50 AM
Diego,
I looked at your config, and it seems to be fine. Also I tried something similar in a lab environment and it worked.
If you want to know more about zone based firewall, here is a link with the configuration guide:
08-06-2010 04:30 AM
One more question before I try the zone based approach. What type of ftp server did you test with? I did a test with a 2nd router running a slightly older IOS and got the same results. In both my cases the ftp server being protected was a Windows server. Maybe CBAC and Windows ftp don't get along?
Diego
08-06-2010 08:43 AM
Please read your PM
08-06-2010 07:34 PM
Is this issue resolved?
interface FastEthernet0/0
description public IP
ip address 72.17.151.190 255.255.255.224
ip access-group 101 in
ip nat outside
ip inspect firewall out
ip inspect firewall in ------------------------> Pls. add this line as well.
For ftp traffic the user id and password go over the control channel using tcp 21. You need to allow this via ACL. Inspection will take care of opening the data channel.
For active ftp the server sends the data using the source port tcp 20. Client sends the port command.
In case of passive ftp the server sends the port command and the client connects back to the high port >1024 to receive data.
http://slacksite.com/other/ftp.html#actexample
-KS
08-07-2010 06:56 AM
KS, you da man! Adding that line worked!
Not a big deal if you don't know or don't have time but, why? All the docs that I have read on CBAC show applying the inspect in one direction only. So why do I need to add it in the "in" direction? Do I need the "out"?
Thanks,
Diego
08-07-2010 12:37 PM
Thanks.
Diego,
When you apply the firewall "OUT" on the interface, that is for connections going outbound - from inside hosts to the internet. This is for connections initiated from the inside.
When your ftp server is on the inside, these connections are coming from the internet inbound to your server. So, you need the firewall "IN" on this outside interface so that once the firewall sees a connection inbound it will allow the response to go back out. This is for connections initiated from the internet. I hope it is clear.
Also, you can move the FW that you applied OUT on this interface to the inside interface as IN. Makes sense?
Both the inside and outside interfaces will have the firewall applied IN on the interface.
-KS
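The two points KS makes above (how the PORT command and the 227 passive reply announce the data channel, and why the inspect must face the direction in which the control connection is initiated) can be shown with a small model. The Python below is an added example, not code from the thread or from Cisco; it models the outside interface as a static inbound ACL permitting TCP 20 and 21 plus a stateful FTP inspector that only tracks sessions whose first packet matches an inspect direction (a modelling assumption), and it ignores NAT. The addresses, the FTP command lines and the class and function names are all constructed for the example.

```python
import re

# Constructed sample addresses (documentation range and private space), not from the thread.
CLIENT_IP = "203.0.113.7"   # FTP client on the Internet
SERVER_IP = "10.0.0.5"      # FTP server on the inside (NAT is ignored in this model)

# Active FTP: the client announces where it listens with PORT h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Passive FTP: the server announces its listening port in the 227 reply.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_endpoint(groups):
    """Turn the six-number FTP form (h1,h2,h3,h4,p1,p2) into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class OutsideInterface:
    """Toy model of the router's outside interface: a static inbound ACL plus
    an FTP inspector that opens pinholes for negotiated data channels."""

    def __init__(self, inspect_dirs):
        self.inspect_dirs = set(inspect_dirs)   # subset of {"in", "out"}
        self.acl_in_ports = {20, 21}            # destination ports the inbound ACL permits
        self.pinholes = set()                   # (src_ip, dst_ip, dst_port) permitted inbound

    def track_control_session(self, initiated, control_lines):
        """Inspect one FTP control session. `initiated` is the direction of the
        session's first packet on this interface ("in" = from the Internet).
        Assumption of the model: only sessions whose first packet matches an
        inspect direction are parsed, so otherwise nothing is learned."""
        if initiated not in self.inspect_dirs:
            return []
        opened = []
        for line in control_lines:
            m = PORT_RE.match(line)
            if m:   # active: server dials out from port 20; client replies come back to port 20
                client_ip, _ = parse_endpoint(m.groups())
                opened.append((client_ip, SERVER_IP, 20))
            m = PASV_RE.match(line)
            if m:   # passive: client dials in to the server's advertised high port
                server_ip, server_port = parse_endpoint(m.groups())
                opened.append((CLIENT_IP, server_ip, server_port))
        self.pinholes.update(opened)
        return opened

    def inbound_allowed(self, src_ip, dst_ip, dst_port):
        """A packet entering the outside interface passes if the static ACL
        permits its destination port or the inspector opened a pinhole for it."""
        return dst_port in self.acl_in_ports or (src_ip, dst_ip, dst_port) in self.pinholes


# Constructed control-channel transcripts for an outside client talking to the inside server.
ACTIVE_SESSION = ["USER diego", "PASS ****", "PORT 203,0,113,7,200,10", "RETR file.txt"]
PASSIVE_SESSION = ["USER diego", "PASS ****", "PASV",
                   "227 Entering Passive Mode (10,0,0,5,195,80)", "RETR file.txt"]


def data_channel_works(mode, inspect_dirs):
    """Return True if the data channel's inbound packets are permitted for the
    given FTP mode and the set of inspect directions on the outside interface."""
    fw = OutsideInterface(inspect_dirs)
    session = ACTIVE_SESSION if mode == "active" else PASSIVE_SESSION
    fw.track_control_session("in", session)   # control connection initiated from the Internet
    if mode == "active":
        # The server connects out from port 20; what enters the outside interface
        # is the client's reply traffic addressed to the server's port 20.
        return fw.inbound_allowed(CLIENT_IP, SERVER_IP, 20)
    _, server_port = parse_endpoint(PASV_RE.match(PASSIVE_SESSION[3]).groups())
    # The client connects in to the server's high port announced in the 227 reply.
    return fw.inbound_allowed(CLIENT_IP, SERVER_IP, server_port)


if __name__ == "__main__":
    for dirs in ({"out"}, {"in", "out"}):
        for mode in ("active", "passive"):
            print(f"inspect {sorted(dirs)}: {mode} FTP data channel ->",
                  "works" if data_channel_works(mode, dirs) else "blocked")
```

With inspect only in the "out" direction the model reproduces the symptom in the thread: active transfers succeed purely because the static ACL admits traffic to port 20, while passive transfers to the server's high port are dropped because the inbound-initiated control session was never inspected and no pinhole exists. Adding inspect "in" on the outside interface lets the inspector see the 227 reply and open the pinhole.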
08-07-2010 01:59 PM
Thank you for the explanation sir. It is much appreciated.
Diego