12-28-2015 04:34 AM - edited 03-12-2019 12:04 AM
Hello, everyone.
I have a problem connecting to an FTP server on a non-standard port via a router running IOS-XE. Here is what I have in the ZBF rules:
parameter-map type inspect GLOBAL
 tcp finwait-time 10
 tcp synwait-time 20
 tcp max-incomplete host 300 block-time 1
 log dropped-packets
class-map type inspect match-any INSPECT_PROTOCOLS
 description ---- Global protocols to inspect via ZBF ----
 match protocol ftp
 match protocol icmp
 match protocol http
 match protocol https
 match protocol sip
 match protocol sip-tls
 match protocol udp
 match protocol tcp
class-map type inspect match-all C_PROHOBITED_ACTIVITY
 description ---- Traffic match for Access to Internet ----
 match class-map INSPECT_PROTOCOLS
 match access-group name ACL_PROHOBITED_ACTIVITY
class-map type inspect match-all C_From_Inet_to_Internal
 description ---- Traffic match for Access from Internet ----
 match access-group name ACL_From_Inet_to_Internal
 match class-map INSPECT_PROTOCOLS
policy-map type inspect P_PROHOBITED_ACTIVITY
 description ---- ZBF for Access to Internet ----
 class type inspect C_PROHOBITED_ACTIVITY
  inspect GLOBAL
 class class-default
  drop log
policy-map type inspect P_From_Inet_to_Internal
 description ---- ZBF for Access from Internet ----
 class type inspect C_From_Inet_to_Internal
  inspect GLOBAL
 class class-default
  drop log
#sh access-lists ACL_PROHOBITED_ACTIVITY
Extended IP access list ACL_PROHOBITED_ACTIVITY
10 deny ip object-group Banned_2_Inet any
20 permit ip any any
ip nat inside source list 110 interface Port-channel1 overload
Because of the non-standard FTP port I used the command "ip port-map ftp port tcp 2021". But my host still can't transfer data to/from the FTP server.
There is no problem, however, if I'm using the standard port 21. Here is the log from the failed connections:
sh policy-map type inspect zone-pair sessions | s <local host>
Session ID 0x00105DEF (<local host>:2335)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
Created 00:10:55, Last heard 00:10:36
Bytes sent (initiator:responder) [77:290]
Session ID 0x00105CE0 (<local host>:2055)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
Created 00:14:05, Last heard 00:13:46
Bytes sent (initiator:responder) [83:333]
Session ID 0x00106290 (<local host>:3005)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
Created 00:00:04, Last heard 00:00:02
Bytes sent (initiator:responder) [86:333]
Session ID 0x00105E46 (<local host>:2405)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
Created 00:09:44, Last heard 00:09:22
Bytes sent (initiator:responder) [78:290]
Session ID 0x00106198 (<local host>:2819)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
Created 00:02:29, Last heard 00:02:04
Bytes sent (initiator:responder) [77:290]
Session ID 0x00105AD2 (<local host>:1603)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
Created 00:19:56, Last heard 00:19:31
Bytes sent (initiator:responder) [77:290]
Session ID 0x00105C79 (<local host>:1999)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
Created 00:15:12, Last heard 00:14:42
Bytes sent (initiator:responder) [78:290]
Session ID 0x00106291 (<remote FTP (Internet)>:0)=>(<local host>:3006) ftp-data SIS_PREGEN
Created 00:00:03, Last heard 00:00:03
Bytes sent (initiator:responder) [0:0]
sh ip nat tran | i <local host>
tcp <external router IP>:5190 <local host>:3005 <remote FTP (Internet)>:2021 <remote FTP (Internet)>:2021
tcp <external router IP>:5152 <local host>:2819 <remote FTP (Internet)>:2021 <remote FTP (Internet)>:2021
tcp <external router IP>:5154 <local host>:2055 <remote FTP (Internet)>:2021 <remote FTP (Internet)>:2021
tcp <external router IP>:5157 <local host>:1999 <remote FTP (Internet)>:2021 <remote FTP (Internet)>:2021
tcp <external router IP>:5155 <local host>:1603 <remote FTP (Internet)>:2021 <remote FTP (Internet)>:2021
tcp <external router IP>:5124 <local host>:2335 <remote FTP (Internet)>:2021 <remote FTP (Internet)>:2021
tcp <external router IP>:5126 <local host>:2405 <remote FTP (Internet)>:2021 <remote FTP (Internet)>:2021
I also tried to do this:
class-map type inspect match-all C_PROHOBITED_ACTIVITY
 no match class-map INSPECT_PROTOCOLS
But still no results.
So what else can I do to make it work?
Best Regards.
01-04-2016 12:34 PM
Hello;
Is it possible for you to do the following?
-Create an access-list matching tcp any any eq 2021
-Create a class-map with match-all, matching FTP and the access-list
-Set it to inspect.
-Make sure the class is the first one on the policy it should hit.
I remember the ip port mapping capability but I have never used it before other than for CBAC inspection.
Let us know.
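The four steps above written out as IOS ZBF configuration (an added example, not configuration from either poster): the names ACL_FTP_2021 and C_FTP_2021 are assumptions, while P_PROHOBITED_ACTIVITY, GLOBAL and the port-map line are taken from the original post.

```cisco
! Added example: the reply's four steps as IOS ZBF configuration.
! ACL_FTP_2021 and C_FTP_2021 are assumed names; P_PROHOBITED_ACTIVITY,
! GLOBAL and the port-map command come from the original post.
!
! Keep the port-map so the FTP inspection engine is bound to tcp/2021
! and can open the dynamic ftp-data channel for it.
ip port-map ftp port tcp 2021
!
! Step 1: an ACL that matches only the FTP control channel on tcp/2021.
ip access-list extended ACL_FTP_2021
 permit tcp any any eq 2021
!
! Step 2: a match-all class, so the flow must be FTP AND hit the ACL.
! This is narrower than the match-any INSPECT_PROTOCOLS class, which also
! carries generic tcp/udp and would swallow the flow as plain TCP.
class-map type inspect match-all C_FTP_2021
 match protocol ftp
 match access-group name ACL_FTP_2021
!
! Step 3: inspect that class with the existing parameter-map.
! Step 4: classes are evaluated in the order they were entered, so the
! existing class is removed and re-entered after C_FTP_2021 to make the
! new class the first one hit. class-default always stays last.
policy-map type inspect P_PROHOBITED_ACTIVITY
 no class type inspect C_PROHOBITED_ACTIVITY
 class type inspect C_FTP_2021
  inspect GLOBAL
 class type inspect C_PROHOBITED_ACTIVITY
  inspect GLOBAL
 class class-default
  drop log
!
! Verify: the control session should appear as "ftp" and the data
! connection as "ftp-data" once a transfer starts.
show policy-map type inspect zone-pair sessions
```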
01-29-2016 06:45 AM
Hello, Maykol Rojas.
Thank you very much for your interest in my case. In fact, I have already solved the problem.
Port-map works well. The problem was at the far end (at the FTP server). Our FTP provider lied to me about the FTP server working in passive mode.
Best Regards.
01-29-2016 12:29 PM
That happens too.
Thanks for answering back, that will definitely help me and other people in the community.
Mike.