10-13-2006 08:40 PM - edited 03-09-2019 04:31 PM
I have a web and ftp server behind an 837 router.
I have three access-list statements:
access-list 120 permit tcp any host 100.x.x.x eq www
access-list 120 permit tcp any host 10.x.x.x eq ftp-data
access-list 120 permit tcp any host 100.x.x.x eq ftp
When I initiate an FTP session, the client shows it connects, but lists no data and hangs.
Removing both FTP statements above allows the client to connect?
Any ideas?
Thanks,
Kerry
10-14-2006 01:05 PM
Is this a typo error, or the existing config?
access-list 120 permit tcp any host 10.x.x.x eq ftp-data
access-list 120 permit tcp any host 100.x.x.x eq ftp
What I meant was: are there 2 different IPs, 10.x.x.x & 100.x.x.x? Opening tcp 20 & 21 should be sufficient to allow incoming ftp access.
Rgds,
AK
10-14-2006 08:19 PM
Hi,
Can you add the following ACE to list 120 and give it a try?
access-list 120 permit tcp any host 10.x.x.x gt 1023
Passive FTP requires the client to use a tcp port gt 1023 requested by the server and you need to open up those ports for successful file transfer.
HTH
Sundar
10-15-2006 03:45 AM
How about using inspection (stateful firewall)?
Normally it is enabled for outgoing traffic, but you can apply it for inbound. The router should monitor the control connection and dynamically open the data ports (both for passive and standard FTP).
sample config
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
access-list 100 permit tcp any host 10.1.1.1 eq 21
int dialer0 (or any outside interface)
ip inspect FW in
ip access-group 100 in
You still need to open the control connection port 21, but only this port, as the other ports will be dynamically opened.
I hope this helps, please let me know
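To make the difference between the two answers above concrete (the `gt 1023` entry and FTP inspection), here is an added, constructed Python model; it is not part of this thread and not how IOS is implemented. It parses the original poster's three access-list entries (with 10.1.1.1 from the sample config standing in for 100.x.x.x), decodes a made-up `227` PASV reply the way an inspector watching the control channel would, and compares what each approach lets in. Addresses, ports and the simplified first-match ACL semantics are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Port keywords IOS accepts in place of numbers (the ones used in this thread).
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}

@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    dst_host: str           # destination host address, or "any"
    port_op: Optional[str]  # "eq", "gt", or None for any destination port
    port: Optional[int]

# Deliberately narrow: only the 'access-list N permit tcp any host X [eq|gt P]'
# shape seen in the thread (plus 'deny ip any any [log]'), not full IOS syntax.
ACE_RE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+(?:tcp|ip)\s+any\s+"
    r"(?:host\s+(\S+)|(any))(?:\s+(eq|gt)\s+(\S+))?(?:\s+log)?$"
)

def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, host, _any, op, port = m.groups()
    port_num = None if port is None else PORT_NAMES.get(port, None)
    if port is not None and port_num is None:
        port_num = int(port)
    return Ace(action, host or "any", op, port_num)

def ace_matches(ace: Ace, dst_host: str, dst_port: int) -> bool:
    if ace.dst_host != "any" and ace.dst_host != dst_host:
        return False
    if ace.port_op == "eq":
        return dst_port == ace.port
    if ace.port_op == "gt":
        return dst_port > ace.port
    return True

def acl_permits(aces: List[Ace], dst_host: str, dst_port: int) -> bool:
    """First matching entry wins; every IOS access-list ends in an implicit deny."""
    for ace in aces:
        if ace_matches(ace, dst_host, dst_port):
            return ace.action == "permit"
    return False

PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_pinhole(reply: str) -> Tuple[str, int]:
    """Decode the server's 227 reply the way an FTP inspector would: the client
    will next open a data connection to exactly this (host, port), so only that
    destination needs to be opened, and only for this session."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def permits_with_inspection(aces, pinholes, dst_host, dst_port) -> bool:
    """Static access-list plus the dynamic entries learned from the control channel."""
    return (dst_host, dst_port) in pinholes or acl_permits(aces, dst_host, dst_port)

# Constructed configuration: the original poster's three entries, with 10.1.1.1
# (the server address from the sample config above) standing in for 100.x.x.x.
STATIC_ACL = [parse_ace(l) for l in (
    "access-list 120 permit tcp any host 10.1.1.1 eq www",
    "access-list 120 permit tcp any host 10.1.1.1 eq ftp-data",
    "access-list 120 permit tcp any host 10.1.1.1 eq ftp",
)]
# The 'gt 1023' workaround suggested earlier in the thread.
WIDE_ACL = STATIC_ACL + [parse_ace("access-list 120 permit tcp any host 10.1.1.1 gt 1023")]
# Constructed PASV reply from the server: 195*256 + 80 = data port 50000.
SERVER_PASV_REPLY = "227 Entering Passive Mode (10,1,1,1,195,80)"

def demo() -> dict:
    pinholes: Set[Tuple[str, int]] = {pasv_pinhole(SERVER_PASV_REPLY)}
    return {
        "static_ctrl": acl_permits(STATIC_ACL, "10.1.1.1", 21),      # True
        "static_data": acl_permits(STATIC_ACL, "10.1.1.1", 50000),   # False: LIST hangs
        "gt1023_data": acl_permits(WIDE_ACL, "10.1.1.1", 50000),     # True
        "gt1023_rdp": acl_permits(WIDE_ACL, "10.1.1.1", 3389),       # True: over-exposed
        "inspect_data": permits_with_inspection(STATIC_ACL, pinholes, "10.1.1.1", 50000),  # True
        "inspect_rdp": permits_with_inspection(STATIC_ACL, pinholes, "10.1.1.1", 3389),    # False
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:13s} {'permit' if allowed else 'deny'}")
```

The point the model makes: the static list passes the control connection on 21 but drops the passive data connection on 50000, which is why the client connects and then hangs on the listing; `gt 1023` fixes that but also admits every other high port on the server, whereas the inspector opens just the one destination it learned from the 227 reply.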
10-21-2006 05:54 PM
The stateful firewall solution works great!
Thanks.
Is there a way to log/check what traffic is getting through/attempted at the firewall?
Is enabling syslog the best solution?
10-22-2006 02:23 AM
That's great!!
Well, it depends on what you want to do. If you just want to see the packets blocked by your firewall (the inbound access-list), you just add the deny ip any any log at the end and log the traffic to a syslog server. You will see a lot of traffic like ping sweeps, etc.
But to see if somebody is actually trying to launch the attack you will have to enable IPS (intrusion prevention) and log this info.
But do not expect miracles with the router. With 64 MB RAM, you will be able to apply relatively few attack signatures; you could upgrade it to 128 and it will be much better. You then download the sdf file to your flash and use the command
no ip ips sdf builtin (to disable the signatures that come with the IOS)
ip ips sdf location flash:/...
You enable IPS in a similar way as you did inspection:
ip ips name ips_rule
int dialer1
ip ips ips_rule in
Even if you have only 64 MB of RAM it is still worth doing (you paid for it when you bought the router :).
The sdf file you need to download to your flash then is attack-drop.sdf, which contains a limited number of signatures optimized for the amount of RAM.
Good luck!
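Once the `deny ip any any log` entry is feeding a syslog server, the useful next step is to summarize what it records rather than read it line by line. The following is an added Python example, not from this thread: it parses a few constructed lines modeled on the IOS `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` message format, totals denied packets per source, and flags the two patterns the reply above mentions (one source probing many ports, and ICMP sweeps across several hosts). The sample lines, addresses and the thresholds of 3 are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# Matches the body of an IOS access-list log message, with or without ports
# (TCP/UDP) and with or without an ICMP type/code in parentheses.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*:\s+list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s+\((?P<itype>\d+)/(?P<icode>\d+)\))?,\s+(?P<count>\d+)\s+packets?"
)

# Constructed sample syslog lines (not real captures), in the IOS format.
SAMPLE_LOG = [
    "*Oct 22 02:10:01: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(40001) -> 10.1.1.1(23), 1 packet",
    "*Oct 22 02:10:02: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(40002) -> 10.1.1.1(3389), 1 packet",
    "*Oct 22 02:10:03: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(40003) -> 10.1.1.1(445), 1 packet",
    "*Oct 22 02:10:09: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 203.0.113.9 -> 10.1.1.1 (8/0), 4 packets",
    "*Oct 22 02:10:10: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 203.0.113.9 -> 10.1.1.2 (8/0), 1 packet",
    "*Oct 22 02:10:11: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 203.0.113.9 -> 10.1.1.3 (8/0), 1 packet",
    "*Oct 22 02:10:12: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.0.2.4(51000) -> 10.1.1.1(21), 1 packet",
    "*Oct 22 02:10:13: %SYS-5-CONFIG_I: Configured from console by console",
]

def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of one access-list log line, or None for other messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize(lines: Iterable[str], scan_ports: int = 3, sweep_hosts: int = 3) -> Dict[str, dict]:
    """Per-source totals of denied traffic plus two simple indicators:
    port_scan  - one source hit at least scan_ports distinct destination ports
    ping_sweep - one source sent ICMP to at least sweep_hosts distinct hosts"""
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"packets": 0, "dst_hosts": set(), "dst_ports": set(), "protos": set()}
    )
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue  # only the blocked traffic is of interest here
        s = per_src[rec["src"]]
        s["packets"] += rec["count"]
        s["dst_hosts"].add(rec["dst"])
        s["protos"].add(rec["proto"])
        if rec["dport"] is not None:
            s["dst_ports"].add(rec["dport"])
    for s in per_src.values():
        s["port_scan"] = len(s["dst_ports"]) >= scan_ports
        s["ping_sweep"] = "icmp" in s["protos"] and len(s["dst_hosts"]) >= sweep_hosts
    return dict(per_src)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        flags = [f for f in ("port_scan", "ping_sweep") if s[f]]
        print(f"{src:15s} denied={s['packets']:3d} ports={sorted(s['dst_ports'])} {flags}")
```

Two caveats when feeding real syslog into something like this: IOS rate-limits access-list logging and reports later hits as aggregated "N packets" summaries, so the `count` field, not the number of lines, is what to total, and because the logging happens in the router's slow path, a `log` entry at the end of a busy list is best paired with `ip access-list log-update threshold` or similar rate limiting so that logging itself cannot starve the router.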