ZBF and non-standard FTP port on IOS-XE

AllertGen
Level 3

Hello, everyone.

I have a problem connecting to an FTP server on a non-standard port via a router running IOS-XE. Here is what I have in the ZBF rules:

parameter-map type inspect GLOBAL
 tcp finwait-time 10
 tcp synwait-time 20
 tcp max-incomplete host 300 block-time 1
 log dropped-packets

class-map type inspect match-any INSPECT_PROTOCOLS
  description ---- Global protocols to inspect via ZBF ----
 match protocol ftp
 match protocol icmp
 match protocol http
 match protocol https
 match protocol sip
 match protocol sip-tls
 match protocol udp
 match protocol tcp

class-map type inspect match-all C_PROHOBITED_ACTIVITY
  description ---- Traffic match for Access to Internet ----
 match class-map INSPECT_PROTOCOLS
 match access-group name ACL_PROHOBITED_ACTIVITY

class-map type inspect match-all C_From_Inet_to_Internal
  description ---- Traffic match for Access from Internet ----
 match access-group name ACL_From_Inet_to_Internal
 match class-map INSPECT_PROTOCOLS

policy-map type inspect P_PROHOBITED_ACTIVITY
 description ---- ZBF for Access to Internet ----
 class type inspect C_PROHOBITED_ACTIVITY
  inspect GLOBAL
 class class-default
  drop log


policy-map type inspect P_From_Inet_to_Internal
 description ---- ZBF for Access from Internet ----
 class type inspect C_From_Inet_to_Internal
  inspect GLOBAL
 class class-default
  drop log

#sh access-lists ACL_PROHOBITED_ACTIVITY
Extended IP access list ACL_PROHOBITED_ACTIVITY
    10 deny ip object-group Banned_2_Inet any
    20 permit ip any any

ip nat inside source list 110 interface Port-channel1 overload

Because of the non-standard FTP port I used the command "ip port-map ftp port tcp 2021". But my host still can't transfer data to/from the FTP server.

Connection to FTP server from a host

But there is no problem if I'm using the standard port 21. Here is the log from the failed connections:

sh policy-map type inspect zone-pair sessions | s <local host>
         Session ID 0x00105DEF (<local host>:2335)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:10:55, Last heard 00:10:36
          Bytes sent (initiator:responder) [77:290]
         Session ID 0x00105CE0 (<local host>:2055)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:14:05, Last heard 00:13:46
          Bytes sent (initiator:responder) [83:333]
         Session ID 0x00106290 (<local host>:3005)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:00:04, Last heard 00:00:02
          Bytes sent (initiator:responder) [86:333]
         Session ID 0x00105E46 (<local host>:2405)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:09:44, Last heard 00:09:22
          Bytes sent (initiator:responder) [78:290]
         Session ID 0x00106198 (<local host>:2819)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:02:29, Last heard 00:02:04
          Bytes sent (initiator:responder) [77:290]
         Session ID 0x00105AD2 (<local host>:1603)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:19:56, Last heard 00:19:31
          Bytes sent (initiator:responder) [77:290]
         Session ID 0x00105C79 (<local host>:1999)=>(<remote FTP (Internet)>:2021) ftp SIS_OPEN
          Created 00:15:12, Last heard 00:14:42
          Bytes sent (initiator:responder) [78:290]
        
         Session ID 0x00106291 (<remote FTP (Internet)>:0)=>(<local host>:3006) ftp-data SIS_PREGEN
          Created 00:00:03, Last heard 00:00:03
          Bytes sent (initiator:responder) [0:0]

sh ip nat tran | i <local host>
tcp  <external router IP>:5190    <local host>:3005     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp  <external router IP>:5152    <local host>:2819     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp  <external router IP>:5154    <local host>:2055     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp  <external router IP>:5157    <local host>:1999     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp  <external router IP>:5155    <local host>:1603     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp  <external router IP>:5124    <local host>:2335     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021
tcp  <external router IP>:5126    <local host>:2405     <remote FTP (Internet)>:2021    <remote FTP (Internet)>:2021

I also tried to do this:

class-map type inspect match-all C_PROHOBITED_ACTIVITY
 no match class-map INSPECT_PROTOCOLS

But still no results.

So what else can I do to make it work?

Best Regards.
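The session dump above already carries the clue the thread later confirms: the ftp-data entry in SIS_PREGEN with the server as initiator (source port 0) is the firewall pre-opening an active-mode data channel, based on the client's PORT command, that the server never completed. The script below is an added example, not part of the original post; it parses a constructed dump in that output format (documentation addresses stand in for the thread's placeholders) and reports stalled data channels together with the FTP mode implied by their direction.

```python
import re

# Constructed sample in the format of "show policy-map type inspect zone-pair sessions";
# the addresses are documentation ranges standing in for the thread's placeholders.
SAMPLE = """\
         Session ID 0x00106290 (10.0.0.5:3005)=>(198.51.100.7:2021) ftp SIS_OPEN
          Created 00:00:04, Last heard 00:00:02
          Bytes sent (initiator:responder) [86:333]
         Session ID 0x00106291 (198.51.100.7:0)=>(10.0.0.5:3006) ftp-data SIS_PREGEN
          Created 00:00:03, Last heard 00:00:03
          Bytes sent (initiator:responder) [0:0]
"""

SESSION_RE = re.compile(
    r"Session ID (0x[0-9A-Fa-f]+) \(([^:()]+):(\d+)\)=>\(([^:()]+):(\d+)\) (\S+) (\S+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")


def parse_sessions(text):
    """Turn the dump into dicts; a 'Bytes sent' line belongs to the session above it."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sid, ih, ip, rh, rp, proto, state = m.groups()
            sessions.append({"id": sid, "init": (ih, int(ip)), "resp": (rh, int(rp)),
                             "proto": proto, "state": state, "bytes": (0, 0)})
            continue
        b = BYTES_RE.search(line)
        if b and sessions:
            sessions[-1]["bytes"] = (int(b.group(1)), int(b.group(2)))
    return sessions


def diagnose(sessions):
    """Flag ftp-data channels the firewall pre-opened that never carried a byte.
    Initiator == an FTP server seen on a control session means active mode (server
    dials back to the client); otherwise passive mode (client connects out)."""
    servers = {s["resp"][0] for s in sessions if s["proto"] == "ftp"}
    findings = []
    for s in sessions:
        if s["proto"] != "ftp-data" or s["bytes"] != (0, 0):
            continue
        src, dst = s["init"], s["resp"]
        if src[0] in servers:
            msg = f"active mode: server {src[0]} never connected back to client port {dst[1]}"
        else:
            msg = f"passive mode: client {src[0]} never reached server port {dst[1]}"
        findings.append(f"{s['id']} ({s['state']}) {msg}")
    return findings
```

A finding in active mode points at the server side (or at a NAT that did not rewrite the PORT command), while a passive-mode finding points at the client's outbound path to the server's data port.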

3 Replies

Maykol Rojas
Cisco Employee

Hello; 

Is it possible for you to do the following? 

-Create an access-list matching tcp any any eq 2021 

-Create a class-map with match all, matching FTP and access-list (match-all) 

-Put to inspect. 

-Make sure the class is the first one on the policy it should hit. 

I remember the ip port mapping capability but I have never used it before other than for CBAC inspection. 

Let us know. 

Mike

Hello, Maykol Rojas.

Thank you very much for your interest in my case. In fact I have already solved the problem.

Port-map works well. There was a problem on the far side (at the FTP server). Our FTP holder lied to me about the FTP server working in passive mode.

Best Regards.

That happens too.

Thanks for answering back, that would definitely help me and other people in the community.

Mike. 
