10-20-2006 02:18 PM - edited 03-09-2019 04:37 PM
I am trying to configure or find out why FTP passive outbound is not working. What can I check to verify my configuration? I am trying to provide a subnet FTP access and passive FTP on a FWSM.
thanks,
10-20-2006 08:44 PM
If you are running newer code, do you have a command "inspect ftp" or if it is older do you have "fixup ftp" enabled? I assume you are allowing inside host to outside host eq 21? Those should be the 2 key steps.
-Eric
Please remember to rate all helpful posts.
10-21-2006 06:52 AM
I am running 2.3(4) code on my FWSM, and fixup ftp is enabled. I want to be able to allow any and all hosts outbound to the internet for active FTP and passive FTP.
I permitted a subnet of systems to be able to FTP out, but when the passive session occurs it fails. Any ideas? Here are the ACL and the object group below.
object-group service INET-ACCESS-UDP udp
port-object eq ntp
port-object eq www
port-object eq 4043
port-object eq 5700
port-object eq 7896
port-object range 1024 65535
port-object eq 21
port-object range 1023 65535
access-list INSIDE extended permit udp 10.241.136.0 255.255.255.0 any object-group INET-ACCESS-UDP
10-21-2006 07:00 AM
Ok, there's the issue. FTP is actually TCP, so if you add a rule allowing tcp any any eq ftp you should be ok.
-Eric
Please remember to rate all helpful posts.
10-21-2006 07:07 AM
So I can add the following
access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 eq ftp any?
10-21-2006 07:11 AM
Exactly. give it a shot and let us know.
-Eric
10-21-2006 12:34 PM
Eric,
No luck. I tried to FTP to a site and that works, but when I try to perform any command like get, dir or ls I receive a message that says the command is not allowed and the session dies.
Gerry
10-22-2006 05:09 AM
hi guys,
I think there is a mistake in the access-list
access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 eq ftp any?
it should be:
access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 any eq ftp?
very easy to overlook, must admit :)
it will then work I am sure, if ftp inspection is configured it will create a dynamic opening in this inbound access list for the data channel from the client to server (in PFTP)
Let us know if it works
10-22-2006 07:24 AM
Rafal is exactly correct. Sorry I overlooked that mixup yesterday.
- Eric
10-22-2006 07:50 AM
Sorry, but when I entered the ACL in the forum I actually had it correct in the FWSM, and it still does not work:
access-list INSIDE extended permit tcp 10.241.136.0 255.255.255.0 any eq ftp
any ideas?
Gerry
10-22-2006 07:54 AM
Here is the INSIDE ACL
access-list INSIDE extended permit icmp any any object-group ICMP
access-list INSIDE extended permit ip object-group BACKEND-ACCESS-TO-PUB object-group PUB-SEGMENT
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group SMTP-BRIDGEHEADS eq smtp
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group PUB-DNS-FORWARD eq domain
access-list INSIDE extended permit udp 10.0.0.0 255.0.0.0 object-group PUB-DNS-FORWARD eq domain
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 10.0.32.0 255.255.252.0 object-group WEB-SERVICES
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq tftp
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 139.61.142.0 255.255.255.0 eq tftp
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq snmptrap
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq syslog
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.13.0 255.255.255.0 eq telnet
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.13.0 255.255.255.0 eq ssh
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.36.0 255.255.252.0 eq 3389
access-list INSIDE extended permit tcp 10.0.40.0 255.255.255.0 10.0.36.0 255.255.252.0 object-group SAN-IN
access-list INSIDE extended permit tcp 10.0.20.0 255.255.252.0 any eq 4043
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 10.0.38.0 255.255.255.0 eq smtp
access-list INSIDE extended permit udp 10.0.22.0 255.255.255.0 139.61.142.0 255.255.255.0 eq snmptrap
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group AUTH-SERVERS eq tacacs
access-list INSIDE extended permit udp 10.0.0.0 255.0.0.0 any object-group INET-ACCESS-UDP
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 any object-group INET-ACCESS
access-list INSIDE extended permit ip 10.1.0.0 255.255.0.0 any
access-list INSIDE extended permit tcp any 10.0.50.0 255.255.255.0 object-group ACCESS-TO-SECDMZ
access-list INSIDE extended permit tcp host 10.0.21.26 any
access-list INSIDE extended permit tcp any 10.0.40.0 255.255.255.0 object-group INET-ACCESS
access-list INSIDE extended permit udp 10.245.0.0 255.255.0.0 139.61.142.0 255.255.255.0 eq tftp
access-list INSIDE extended permit tcp 10.241.136.0 255.255.255.0 any eq ftp
10-22-2006 08:16 AM
To me everything is OK. What symptoms are you getting exactly? In one of the posts you said that you can connect but the commands are denied. That looks more like a server problem. If there was a problem with the firewall, you would be able to connect and execute the commands, but you would not see the results if the data connection could not be established. For PFTP you would not even need fixup were it not for the INSIDE access list, as both control and data connections are initiated by the client from the inside (you could even take it off for a while to test it).
Is FTP fixup definitely configured on the default port 21?
10-22-2006 08:23 AM
This is the message I receive when trying to ftp to ftp.cisco.com
550 Permission denied: PORT not allowed here
150 Opening ASCII mode data connection for file list
Gerry
10-22-2006 12:04 PM
something is very strange here
1. The server tells you that you are not allowed to use the PORT command, which you would not use in the passive mode anyway.
2. Why wouldn't you be able to use the LIST command in the public folder of cisco.ftp? No idea.
3. As you can see, the data connection is established. You can definitely say that your firewall works fine and is NOT a problem.
It seems that for some reason you actually switch to active mode, which uses the PORT command to tell the server where to establish the data connection to. I tried switching to active mode while connected and get the same error.
Make sure you are using PFTP and not trying to execute the PORT command, which cisco.ftp does not like :)
Rafal
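The distinction Rafal draws above (PORT means active mode, PASV means passive mode, and only the passive case sends the data connection outbound through the INSIDE ACL) can be made concrete by decoding the control-channel exchange. The following is an added example, not code from the thread or from Cisco: it parses a client/server transcript, reports which side opens the data connection and to which address and port (p1*256 + p2), describes the flow the fixup has to permit dynamically, and flags a 5xx reply to PORT as "client is in active mode". Both transcripts, the server address 198.51.100.7 and the client host 10.241.136.25 are constructed for illustration.

```python
"""Decode FTP data-channel negotiation from a control-channel transcript.

Added example (not from the thread). Lines are tagged 'C: ' (client) or
'S: ' (server); the transcripts below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# A 227 reply and a PORT command both carry h1,h2,h3,h4,p1,p2.
PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


@dataclass
class DataChannel:
    mode: str        # "passive" (client connects out) or "active" (server connects in)
    opener: str      # side that initiates the TCP data connection
    dest_ip: str     # address the opener connects to
    dest_port: int   # port the opener connects to


def decode_hostport(groups) -> Tuple[str, int]:
    """Turn the six FTP address octets into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_session(transcript: List[str]) -> List[DataChannel]:
    """List every data channel negotiated in the transcript, with who opens it."""
    channels: List[DataChannel] = []
    awaiting_pasv_reply = False
    for line in transcript:
        tag, _, text = line.partition(" ")
        if tag == "C:":
            m = PORT_CMD.match(text)
            if m:  # active mode: client tells the server where to connect back to
                ip, port = decode_hostport(m.groups())
                channels.append(DataChannel("active", "server", ip, port))
            awaiting_pasv_reply = text.strip().upper() == "PASV"
        elif tag == "S:" and awaiting_pasv_reply:
            m = PASV_REPLY.match(text)
            if m:  # passive mode: server tells the client where to connect to
                ip, port = decode_hostport(m.groups())
                channels.append(DataChannel("passive", "client", ip, port))
            awaiting_pasv_reply = False
    return channels


def required_pinhole(ch: DataChannel) -> str:
    """Describe the flow the FTP fixup/inspect must open for this channel."""
    if ch.mode == "passive":
        return (f"inside client -> {ch.dest_ip}:{ch.dest_port}/tcp "
                "(outbound, dynamic opening in the INSIDE ACL)")
    return (f"server:20/tcp -> {ch.dest_ip}:{ch.dest_port}/tcp "
            "(inbound, dynamic opening in the OUTSIDE ACL)")


def diagnose(transcript: List[str]) -> str:
    """A 5xx reply to PORT means the client is in active mode, not the firewall."""
    last_cmd = ""
    for line in transcript:
        tag, _, text = line.partition(" ")
        if tag == "C:":
            last_cmd = text.split()[0].upper() if text.split() else ""
        elif tag == "S:" and text.startswith("5") and last_cmd == "PORT":
            return "server rejected PORT: client is in active mode; switch it to passive"
    return "no data-channel negotiation error seen"


# Constructed transcripts (addresses and ports are illustrative).
PASSIVE_TRANSCRIPT = [
    "S: 220 FTP server ready",
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (198,51,100,7,195,80).",
    "C: LIST",
    "S: 150 Opening ASCII mode data connection for file list",
    "S: 226 Transfer complete.",
]
ACTIVE_TRANSCRIPT = [
    "S: 220 FTP server ready",
    "C: USER anonymous",
    "S: 230 Login successful.",
    "C: PORT 10,241,136,25,19,137",
    "S: 550 Permission denied: PORT not allowed here",
]

if __name__ == "__main__":
    for name, t in (("passive", PASSIVE_TRANSCRIPT), ("active", ACTIVE_TRANSCRIPT)):
        for ch in classify_session(t):
            print(name, ch.mode, required_pinhole(ch))
        print(name, diagnose(t))
```

Run as a script it prints, for the passive transcript, that the client opens 198.51.100.7:50000 outbound (the flow the fixup punches through the INSIDE ACL), and for the active transcript that the server would have to connect in to 10.241.136.25:5001, followed by the diagnosis that the 550 reply to PORT is a client-mode problem rather than a firewall one.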
10-22-2006 08:24 AM
When I try to FTP, I just try executing ls, get or dir and I receive the message I sent you.