313 Views, 0 Helpful, 5 Replies

Cannot FTP to server behind 837

k.moser
Level 1

I have a web and ftp server behind an 837 router.

I have three access-list statements:

access-list 120 permit tcp any host 100.x.x.x eq www
access-list 120 permit tcp any host 10.x.x.x eq ftp-data
access-list 120 permit tcp any host 100.x.x.x eq ftp

When I initiate an FTP session, the client shows it connects, but lists no data and hangs.

Removing both FTP statements above allows the client to connect?

Any ideas?

Thanks,

Kerry

5 Replies

a.kiprawih
Level 7

Is this a typo error, or the existing config?

access-list 120 permit tcp any host 10.x.x.x eq ftp-data
access-list 120 permit tcp any host 100.x.x.x eq ftp

What I meant was, are there 2 different IPs - 10.x.x.x & 100.x.x.x? Opening tcp 20 & 21 should be sufficient to allow incoming ftp access.

Rgds,

AK

Hi,

Can you add the following ACE to list 120 and give it a try?

access-list 120 permit tcp any host 10.x.x.x gt 1023

Passive FTP requires the client to use a tcp port gt 1023 requested by the server and you need to open up those ports for successful file transfer.

HTH

Sundar

How about using inspection (stateful firewall)?

Normally it is enabled for outgoing traffic, but you can apply it for inbound. The router should monitor the control connection and dynamically open the data ports (both for passive and standard FTP).

Sample config:

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp

access-list 100 permit tcp any host 10.1.1.1 eq 21

int dialer0 (or any outside interface)
 ip inspect FW in
 ip access-group 100 in

You still need to open the control connection port 21, but only this port, as the other ports will be dynamically opened.

I hope this helps, please let me know
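To make concrete what "monitor the control connection and dynamically open the data ports" means, here is an added example (not code from the thread or from Cisco IOS) that models the FTP part of such an inspector in Python. It reads a constructed FTP control-channel exchange between a client (assumed address 203.0.113.5) and the server from the sample config (10.1.1.1), decodes the PORT command and the 227 passive-mode reply, and emits one narrow pinhole per data connection instead of the broad "gt 1023" range a static ACE has to allow. The Pinhole class, the ace_for helper and the session transcript are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Client PORT command and server 227 reply both carry h1,h2,h3,h4,p1,p2 (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One dynamically opened data connection: who connects, to where, on which port."""
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str  # "inbound" = client connects to the server; "outbound" = server connects out


def decode_hostport(fields) -> Tuple[str, int]:
    """Turn the six comma-separated FTP fields into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_ftp_control(session, client_ip: str, server_ip: str) -> List[Pinhole]:
    """Walk the control channel and derive the data-channel pinholes an inspector would open."""
    pinholes = []
    for speaker, line in session:
        if speaker == "client":
            m = PORT_RE.match(line)
            if not m:
                continue
            ip, port = decode_hostport(m.groups())
            # Active mode: the server will connect from tcp/20 out to the client's port.
            # Only honour an address equal to the control-channel peer and an unprivileged port.
            if ip == client_ip and port > 1023:
                pinholes.append(Pinhole(server_ip, ip, port, "outbound"))
        else:
            m = PASV_RE.match(line)
            if not m:
                continue
            ip, port = decode_hostport(m.groups())
            # Passive mode: the client opens an inbound connection to server:port.
            # This is the single port the static "permit tcp any host ... gt 1023" ACE had to cover.
            if ip == server_ip and port > 1023:
                pinholes.append(Pinhole(client_ip, ip, port, "inbound"))
    return pinholes


def ace_for(p: Pinhole, acl: int = 100) -> str:
    """Render the narrowest equivalent ACE for one pinhole (hypothetical rendering, for comparison)."""
    return f"access-list {acl} permit tcp host {p.src_ip} host {p.dst_ip} eq {p.dst_port}"


# Constructed control-channel transcript: a passive LIST followed by an active RETR.
SESSION = [
    ("server", "220 ftp ready"),
    ("client", "USER anonymous"),
    ("server", "331 password please"),
    ("client", "PASS guest@example.invalid"),
    ("server", "230 logged in"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (10,1,1,1,196,10)"),   # 196*256+10 = 50186
    ("client", "LIST"),
    ("server", "150 opening data connection"),
    ("server", "226 transfer complete"),
    ("client", "PORT 203,0,113,5,12,34"),                        # 12*256+34 = 3106
    ("client", "RETR file.bin"),
    ("server", "150 opening data connection"),
    ("server", "226 transfer complete"),
]

if __name__ == "__main__":
    for ph in inspect_ftp_control(SESSION, "203.0.113.5", "10.1.1.1"):
        print(ph.direction, ace_for(ph))
```

The address check matters: an inspector should only open a data port toward the host it is already talking to on the control channel, and a reply advertising some other address is dropped rather than turned into a pinhole.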

The stateful firewall solution works great!

Thanks.

Is there a way to log/check what traffic is getting through/attempted the firewall?

Is enabling syslog the best solution?

That's great!!

Well, it depends on what you want to do. If you just want to see the packets blocked by your firewall (the inbound access-list), you just add "deny ip any any log" at the end and log the traffic to a syslog server. You will see a lot of traffic like ping sweeps, etc.

But to see if somebody is actually trying to launch the attack you will have to enable IPS (intrusion prevention) and log this info.

But do not expect miracles with the router. With 64 MB RAM you will be able to apply relatively few attack signatures; you could upgrade it to 128 and it will be much better. You then download the SDF file to your flash and use the commands

no ip ips sdf builtin (to disable the signatures that come with the IOS)
ip ips sdf location flash:/...

You enable IPS in a similar way as you did inspection:

ip ips name ips_rule

int dialer1
 ip ips ips_rule in

Even if you have only 64 MB of Ram it is still worth doing (you paid for it when you bought the router :).

The SDF file you need to download to your flash then is attack-drop.sdf, which contains a limited number of signatures optimized for the amount of RAM.

Good luck!
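The "deny ip any any log" suggestion above produces %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp) syslog messages, and the reply notes you will see things like ping sweeps in them. As an added example that is not part of the thread, the Python below parses a few constructed lines in that message format, aggregates the denied hits per source, and flags sources that touched several distinct destination ports on the server. The hostnames, timestamps and addresses in SAMPLE_LOG are constructed; the message layout is the standard IOS one.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Matches the body of IOS ACL log messages, with or without the per-port / icmp type fields.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample lines in the format a router emits for ACEs carrying the "log" keyword.
SAMPLE_LOG = """\
Mar  1 10:00:01 gw 101: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(4567) -> 10.1.1.1(23), 1 packet
Mar  1 10:00:02 gw 102: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(4568) -> 10.1.1.1(135), 1 packet
Mar  1 10:00:02 gw 103: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(4569) -> 10.1.1.1(445), 2 packets
Mar  1 10:00:03 gw 104: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(4570) -> 10.1.1.1(3389), 1 packet
Mar  1 10:00:09 gw 105: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.7 -> 10.1.1.1 (8/0), 5 packets
Mar  1 10:00:12 gw 106: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 198.51.100.20(51000) -> 10.1.1.1(21), 1 packet
"""


def _int_or_none(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_acl_log(text: str) -> List[dict]:
    """Return one dict per recognised ACL log line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "itype", "icode", "count"):
            d[key] = _int_or_none(d[key])
        events.append(d)
    return events


def summarize_denies(events: List[dict]) -> Dict[str, dict]:
    """Per source address: total denied packets and the distinct destination ports tried."""
    summary: Dict[str, dict] = defaultdict(lambda: {"packets": 0, "ports": set()})
    for e in events:
        if e["action"] != "denied":
            continue  # permitted entries are useful elsewhere, not for this view
        entry = summary[e["src"]]
        entry["packets"] += e["count"]
        if e["dport"] is not None:
            entry["ports"].add(e["dport"])
    return dict(summary)


def flag_port_sweeps(summary: Dict[str, dict], min_ports: int = 3) -> List[str]:
    """Sources whose denied traffic spread over at least min_ports distinct ports."""
    return sorted(src for src, s in summary.items() if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize_denies(parse_acl_log(SAMPLE_LOG))
    for src, s in summary.items():
        print(src, s["packets"], "packets", sorted(s["ports"]))
    print("port sweeps:", flag_port_sweeps(summary))
```

The packet counts come from the message itself because IOS batches repeated hits into "N packets" summaries rather than logging every packet, so summing the count field, not the number of lines, gives the real volume.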