2951 ISR Firewall

Where can I find more information on the firewall portion of the 2951 ISR gen2?

I am having issues with dropped passive FTP traffic.

I can initiate a session, begin a transfer then it fails.

On the receiving FTP server or PC end you can see that a file was created but usually it is corrupt or empty.

4 Replies

paolo bevilacqua
Hall of Fame

Post config ?

Attached is the config I have been using to address the FTP issue.

The server at 69.xxx.xxx.21 is an active bidirectional FTP server.

The server at 69.xxx.xxx.19 only uses FTP to send data out.

##############################################################################################

HQ-Router-01#sh run
Building configuration...

Current configuration : 10636 bytes
!
! Last configuration change at 16:41:32 UTC Wed Jun 22 2011 by cbaranowski
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ-Router-01
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5
enable password
!
no aaa new-model
!
!
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp pool Guest-Network
   host 192.168.150.1 255.255.255.0
   default-router 192.168.150.254
   dns-server 66.180.xxx.xxx 64.238.xxx.xxx
!
!
ip domain name ACME.local
ip name-server 192.168.10.10
ip name-server 66.180.xxx.xxx
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM cuseeme
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM ntp
ip inspect name CCP_MEDIUM ftps
!
appfw policy-name CCP_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    port-misuse im action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2951/K9 sn FTX1521AJP7
!
!
username user1
username user2
!
redundancy
!
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description xxxxxx WAN Acct-xxxx$ETH-WAN$$FW_OUTSIDE$
ip address 69.xxx.xxx.30 255.255.255.240
ip access-group 105 in
ip verify unicast reverse-path
ip flow ingress
ip flow egress
ip nat outside
ip inspect CCP_MEDIUM out
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
ip flow ingress
duplex auto
speed auto
!
!
interface GigabitEthernet0/1.1
description Management VLAN 1$FW_INSIDE$
encapsulation dot1Q 1 native
ip address 192.168.1.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip virtual-reassembly
!
interface GigabitEthernet0/1.10
description Core Network VLAN 10$FW_INSIDE$
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip access-group 102 in
ip helper-address 192.168.10.26
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.30
description guest-Network VLAN 300
encapsulation dot1Q 30
ip address 192.168.150.254 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly
!
interface GigabitEthernet0/1.99
description Heartbeat VLAN 99
encapsulation dot1Q 99
ip address 10.10.0.254 255.255.255.0
ip access-group 104 in
ip flow ingress
!
interface GigabitEthernet0/2
no ip address
ip flow ingress
shutdown
duplex auto
speed auto
!
!
ip default-gateway 69.xx.xx.30
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static network 192.168.10.2 69.xx.xx.18 /32
ip nat inside source static network 192.168.10.15 69.xx.xx.19 /32
ip nat inside source static network 192.168.10.21 69.xx.xx.21 /32
ip nat inside source static network 192.168.10.44 69.xx.xx.21 /32
ip nat inside source static network 192.168.10.42 69.xx.xx.23 /32
ip nat inside source static network 192.168.10.43 69.xx.xx.24 /32
ip nat inside source static network 192.168.10.40 69.xxx.xxx.27 /32
ip nat inside source static network 192.168.10.41 69.xxx.xxx.28 /32
ip nat inside source static network 192.168.10.12 69.xxx.xxx.29 /32
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 69.xxx.xxx.17 permanent
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255

access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 deny   ip 69.xxx.xxx.16 0.0.0.15 any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any

access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp any host 192.168.10.21 eq ftp-data
access-list 102 permit tcp any host 192.168.10.21 eq ftp
access-list 102 deny   ip 69.xxx.xxx.16 0.0.0.15 any
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 102 permit tcp any host 192.168.10.19 eq ftp-data
access-list 102 permit tcp any host 192.168.10.19 eq ftp

access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any host 69.xxx.xxx.18
access-list 103 permit udp any host 69.xxx.xxx.18
access-list 103 permit tcp any host 69.xxx.xxx.19
access-list 103 permit udp any host 69.xxx.xxx.19
access-list 103 permit tcp any host 69.xxx.xxx.21
access-list 103 permit udp any host 69.xxx.xxx.21
access-list 103 permit tcp any host 69.xxx.xxx.21
access-list 103 permit udp any host 69.xxx.xxx.21
access-list 103 permit tcp any host 69.xxx.xxx.23
access-list 103 permit udp any host 69.xxx.xxx.23
access-list 103 permit tcp any host 69.xxx.xxx.24
access-list 103 permit udp any host 69.xxx.xxx.24
access-list 103 permit tcp any host 69.xxx.xxx.26
access-list 103 permit udp any host 69.xxx.xxx.26
access-list 103 permit tcp any host 69.xxx.xxx.27
access-list 103 permit udp any host 69.xxx.xxx.27
access-list 103 permit tcp any host 69.xxx.xxx.28
access-list 103 permit udp any host 69.xxx.xxx.28
access-list 103 permit tcp any host 69.xxx.xxx.29
access-list 103 permit udp any host 69.xxx.xxx.29
access-list 103 permit udp any eq bootps any eq bootps
access-list 103 permit icmp any host 69.xxx.xxx.30 echo-reply
access-list 103 permit icmp any host 69.xxx.xxx.30 time-exceeded
access-list 103 permit icmp any host 69.xxx.xxx.30 unreachable
access-list 103 deny   ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log

access-list 104 remark CCP_ACL Category=0

access-list 105 remark auto generated by CCP firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 permit udp any host 69.xxx.xxx.18
access-list 105 permit tcp any host 69.xxx.xxx.18
access-list 105 permit ip any host 69.xxx.xxx.18
access-list 105 permit tcp any host 69.xxx.xxx.19 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.21 eq 3389
access-list 105 permit udp any host 69.xxx.xxx.21
access-list 105 permit tcp any host 69.xxx.xxx.21
access-list 105 permit tcp any host 69.xxx.xxx.21 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.23 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.24 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.27 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.28 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.29 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.29 eq smtp
access-list 105 permit tcp any host 69.xxx.xxx.29 eq 443
access-list 105 permit tcp any host 69.xxx.xxx.29  eq www
access-list 105 permit udp any eq bootps any eq bootps
access-list 105 permit icmp any host 69.xxx.xxx.30 echo-reply
access-list 105 permit icmp any host 69.xxx.xxx.30 time-exceeded
access-list 105 permit icmp any host 69.xxx.xxx.30 unreachable
access-list 105 deny   ip 192.168.1.0 0.0.0.255 any
access-list 105 deny   ip 192.168.10.0 0.0.0.255 any
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 105 permit udp any host 69.xxx.xxx.19
access-list 105 permit tcp any host 69.xxx.xxx.19

dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
transport output telnet
line aux 0
log
transport output telnet
line vty 0 4
password
login local
transport input telnet
transport output telnet
!
scheduler allocate 20000 1000
end

Remove all ip inspect and ip nbar commands.

Apply ip flow (if needed) as ingress or egress only.

Since you have NAT, you don't need ACLs either.

Hi,

Passive FTP is difficult to secure because the server can use any of a large number of ports for its data session. It seems we need to inspect the session initiated by the server as well. You can try this for testing.

Router(config)#ip inspect name InboundFTP ftp
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ip inspect InboundFTP in


HTH,
Toshi
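To show what the `ftp` inspection suggested above has to do on the control channel, here is an added example (not from the post, Cisco, or the router's own code): it parses PASV/EPSV replies into the data-channel pinhole a stateful firewall must open, and refuses a reply that advertises a host other than the one the control connection is talking to. The reply lines and addresses are constructed for the example.

```python
import re

# Reply formats from RFC 959 (227 PASV) and RFC 2428 (229 EPSV).
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line, server_ip):
    """Return (ip, port) the client will connect to for the data channel,
    or None if the line is not a passive-mode reply or fails sanity checks."""
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        if max(a, b, c, d, p1, p2) > 255:
            return None
        ip = f"{a}.{b}.{c}.{d}"
        port = (p1 << 8) | p2          # p1 is the high byte of the data port
    else:
        m = EPSV_RE.match(line)
        if not m:
            return None
        ip = server_ip                  # EPSV reuses the control-channel address
        port = int(m.group(1))
    # A stateful inspector only opens a pinhole toward the host that owns the
    # control connection; a 227 naming another address or a privileged port
    # would let the data channel bypass the policy, so it is dropped.
    if ip != server_ip or not 1024 <= port <= 65535:
        return None
    return ip, port


def pinholes_from_control_channel(replies, client_ip, server_ip):
    """Walk server->client control replies and return the (client, server, port)
    data connections the firewall must temporarily permit inbound."""
    holes = []
    for line in replies:
        hole = parse_passive_reply(line.strip(), server_ip)
        if hole:
            holes.append((client_ip, hole[0], hole[1]))
    return holes


# Constructed control-channel replies for a client behind the router.
SAMPLE_REPLIES = [
    "220 ftp service ready",
    "230 Login successful.",
    "227 Entering Passive Mode (203,0,113,5,195,88).",   # port 195*256+88 = 50008
    "150 Opening BINARY mode data connection.",
    "226 Transfer complete.",
    "227 Entering Passive Mode (198,51,100,9,4,1).",     # different host: rejected
    "229 Entering Extended Passive Mode (|||50123|)",
]
```

Run `pinholes_from_control_channel(SAMPLE_REPLIES, "192.168.10.21", "203.0.113.5")` to see the two pinholes the inspector would open; without this per-session parsing, the ACL on the outside interface has no fixed port it could permit, which is why an `ftp` inspection rule is needed.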