11-25-2003 12:01 PM - edited 03-09-2019 05:39 AM
I'm trying to FTP using SSL. I am aware that this cannot work through the PIX, so I am trying to connect to an FTP server (not maintained by us) over the Internet from a box that is outside our PIX, and I still can't connect using SSL/FTP. My question now is, do Cisco routers support this?
I'm not doing any kind of NAT on our perimeter router, but I do have a pretty extensive ACL on it. Someone else configured this ACL for us, and I'm still kind of new with this, but can someone tell me if anything in this ACL would stop SSL/FTP from working?
Here it is:
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 7.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny udp any any eq 1
access-list 100 deny udp any any eq 5
access-list 100 deny udp any any eq echo
access-list 100 deny udp any any eq discard
access-list 100 deny udp any any eq 13
access-list 100 deny udp any any eq 17
access-list 100 deny udp any any eq 18
access-list 100 deny udp any any eq 19
access-list 100 deny udp any any eq bootpc
access-list 100 deny udp any any eq tftp
access-list 100 deny udp any any eq sunrpc
access-list 100 deny tcp any any eq 135
access-list 100 deny udp any any range netbios-ns netbios-ss
access-list 100 deny udp any any eq snmp log
access-list 100 deny udp any any eq snmptrap
access-list 100 deny tcp any any eq 445
access-list 100 deny udp any any eq 445
access-list 100 deny tcp any any eq 593
access-list 100 deny udp any any eq 593
access-list 100 deny tcp any any range exec cmd
access-list 100 deny udp any any eq who
access-list 100 deny udp any any eq talk
access-list 100 deny udp any any eq 1434
access-list 100 deny tcp any any eq 1434
access-list 100 permit tcp any any established
access-list 100 permit tcp any host 216.27.x.x gt 1023
access-list 100 deny tcp any any eq 3372
access-list 100 deny tcp any any eq 2049
access-list 100 deny udp any any eq 2049
access-list 100 deny tcp any any eq 4045
access-list 100 deny udp any any eq 4045
access-list 100 deny tcp any any eq 12345 log
access-list 100 deny udp any any eq 12345 log
access-list 100 deny tcp any any eq 27374 log
access-list 100 deny udp any any eq 27374 log
access-list 100 deny tcp any any eq 31337 log
access-list 100 deny udp any any eq 31337 log
access-list 100 deny tcp any any eq 31338 log
access-list 100 deny udp any any eq 31338 log
access-list 100 deny tcp any any eq 65000 log
access-list 100 deny udp any any eq 65000 log
access-list 100 permit udp any host 216.27.x.x eq domain
access-list 100 permit udp any any eq isakmp log
access-list 100 permit gre any any log
access-list 100 permit esp any any log
access-list 100 permit ahp any any log
access-list 100 permit tcp any any eq ident
access-list 100 permit udp any any eq 1701 log
access-list 100 permit tcp any any eq 1701 log
access-list 100 permit udp any any eq 1723 log
access-list 100 permit tcp any any eq 1723 log
access-list 100 permit tcp any any eq 709 log
access-list 100 permit tcp any any eq 389 log
access-list 100 permit tcp any any eq 5080 log
access-list 100 permit tcp any host 216.27.x.x eq smtp
access-list 100 permit tcp any host 216.27.x.x eq 443
access-list 100 permit tcp any host 216.27.x.x eq www
access-list 100 permit icmp any any echo-reply
access-list 100 permit udp any any eq domain
access-list 100 deny ip any any
!
line con 0
transport input none
line aux 0
line vty 0 4
access-class 1 in
password xxxxx
login
!
no scheduler allocate
end
Thanks.
11-25-2003 12:44 PM
Are you using CBAC or anything else that will inspect the outbound traffic and open up a dynamic hole for the return traffic in your ACL? If not, then the very last line in this ACL is probably what is getting you. You are probably going to run into the same issue on the router as with the PIX but you can probably get around it on the router by just opening a huge hole to allow anything to the machine in question. Something like this:
access-list 100 permit ip any host A.B.C.D
Again, this is a wide open hole to this host but it should work in a non NAT setup if absolutely necessary. Good luck.
Scott
11-25-2003 12:52 PM
Okay, now I'm getting really confused. I installed WS_FTP on a machine outside the firewall (as I stated in my original post) and even a regular FTP session won't work. However, a regular FTP session WILL work from a machine inside the firewall. What is going on?
11-25-2003 02:28 PM
I am guessing that 216.27.x.x is the PAT address on your PIX? If so, this is how it is working:
access-list 100 permit tcp any host 216.27.x.x gt 1023
As I am sure you already know, this is terribly insecure. You may want to look at adding CBAC (Content Based Access Control) to your external router instead of opening huge holes such as this.
Scott
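The mechanism Scott describes in both replies, as an added example that is not part of the thread: without CBAC, an inbound ACL can only let FTP's second (data) connection in if a static line happens to match it, which is exactly what the `gt 1023` line does for the PAT host and what the final `deny ip any any` prevents for everything else. The evaluator below parses the subset of IOS extended-ACL syntax used in the posted list and runs constructed packets through it. It is my own code, not Cisco's: the ACL is an abbreviated copy with TEST-NET placeholder addresses instead of the poster's 216.27.x.x, the FTP server address is constructed, and the port-name table covers only the keywords that appear in the thread.

```python
"""Added example (not from the thread): evaluate constructed packets against a
trimmed copy of the posted inbound ACL to see which line each one hits.
Addresses are TEST-NET placeholders, not the poster's real 216.27.x.x."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List

# IOS port keywords used in the posted ACL -> port numbers.
NAMED_PORTS = {
    "echo": 7, "discard": 9, "domain": 53, "bootpc": 68, "tftp": 69, "www": 80,
    "sunrpc": 111, "ident": 113, "netbios-ns": 137, "netbios-ss": 139,
    "snmp": 161, "snmptrap": 162, "isakmp": 500, "exec": 512, "who": 513,
    "cmd": 514, "talk": 517, "smtp": 25,
}

PAT_HOST = "192.0.2.10"     # constructed stand-in for the PIX outside (PAT) address
OUTSIDE_BOX = "192.0.2.20"  # constructed stand-in for the box outside the PIX
FTP_SERVER = "198.51.100.5" # constructed Internet FTP server

# Abbreviated copy of the posted access-list 100 (same ordering, placeholders).
ACL_TEXT = f"""
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny udp any any eq snmp log
access-list 100 deny tcp any any range exec cmd
access-list 100 permit tcp any any established
access-list 100 permit tcp any host {PAT_HOST} gt 1023
access-list 100 permit tcp any host {PAT_HOST} eq 443
access-list 100 permit icmp any any echo-reply
access-list 100 permit udp any any eq domain
access-list 100 deny ip any any
"""


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) bit set; what "established" keys on
    icmp_type: str = ""


@dataclass
class Rule:
    text: str
    action: str
    proto: str
    src: Callable[[int], bool]
    sport: Callable[[int], bool]
    dst: Callable[[int], bool]
    dport: Callable[[int], bool]
    established: bool = False
    icmp_type: str = ""


def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A wildcard' at t[i]; return (matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        h = int(ipaddress.IPv4Address(t[i + 1]))
        return (lambda ip, h=h: ip == h), i + 2
    net = int(ipaddress.IPv4Address(t[i]))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1]))  # wildcard -> mask
    return (lambda ip, n=net, m=mask: (ip & m) == (n & m)), i + 2


def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _parse_port(t, i):
    """Parse an optional eq/gt/lt/range qualifier; return (matcher, next index)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        p = _port(t[i + 1])
        ops = {"eq": lambda x, p=p: x == p, "gt": lambda x, p=p: x > p, "lt": lambda x, p=p: x < p}
        return ops[t[i]], i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda x, lo=lo, hi=hi: lo <= x <= hi), i + 3
    return (lambda x: True), i


def parse_rule(line: str) -> Rule:
    t = line.split()
    assert t[0] == "access-list", line
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    rest = t[i:]
    icmp_type = next((x for x in rest if x not in ("established", "log")), "")
    return Rule(line, t[2], t[3], src, sport, dst, dport, "established" in rest, icmp_type)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(l.strip()) for l in text.splitlines() if l.strip()]


def matches(r: Rule, p: Packet) -> bool:
    s, d = int(ipaddress.IPv4Address(p.src)), int(ipaddress.IPv4Address(p.dst))
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (r.src(s) and r.dst(d)):
        return False
    if r.proto in ("tcp", "udp") and not (r.sport(p.sport) and r.dport(p.dport)):
        return False
    if r.established and not p.ack:
        return False
    return not r.icmp_type or r.icmp_type == p.icmp_type


def evaluate(acl: List[Rule], p: Packet):
    """First match wins; IOS adds an implicit deny after the last line."""
    for r in acl:
        if matches(r, p):
            return r.action, r.text
    return "deny", "implicit deny"


def with_host_permit(acl: List[Rule], host: str) -> List[Rule]:
    """Scott's workaround: 'permit ip any host X' inserted ahead of the final deny."""
    return acl[:-1] + [parse_rule(f"access-list 100 permit ip any host {host}")] + acl[-1:]


def ftp_scenarios(acl: List[Rule]) -> dict:
    """Inbound packets an FTP session produces, and what the ACL does with each."""
    return {
        # server's reply on the control connection: ACK set -> "established" line
        "control_reply": evaluate(acl, Packet("tcp", FTP_SERVER, OUTSIDE_BOX, 21, 40001, ack=True))[0],
        # passive mode: client opened the data connection, so replies carry ACK too
        "passive_data_reply": evaluate(acl, Packet("tcp", FTP_SERVER, OUTSIDE_BOX, 50000, 40002, ack=True))[0],
        # active mode: server opens a NEW connection (SYN only) to the client's high port
        "active_data_to_pat": evaluate(acl, Packet("tcp", FTP_SERVER, PAT_HOST, 20, 40003))[0],
        "active_data_to_box": evaluate(acl, Packet("tcp", FTP_SERVER, OUTSIDE_BOX, 20, 40003))[0],
    }


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for name, verdict in ftp_scenarios(ACL).items():
        print(f"{name:22s} {verdict}")
    print("after workaround:", ftp_scenarios(with_host_permit(ACL, OUTSIDE_BOX))["active_data_to_box"])
```

Running it shows the asymmetry the thread is about: replies to connections the client opened are admitted by `established` regardless of destination, but an active-mode data SYN only gets in when it targets the PAT host (via `gt 1023`) and is dropped by `deny ip any any` for the other outside box; Scott's `permit ip any host` line flips that last verdict to permit at the cost of exposing every port on that host. Encrypting the control channel does not change any of these matches, which is why neither the PIX nor a plain ACL can open the data pinhole dynamically for FTP over SSL; CBAC or stateful inspection only helps where it can still read the PORT/PASV exchange.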