06-23-2011 07:52 AM - edited 03-04-2019 12:47 PM
Where can I find more information on the firewall portion of the 2951 ISR gen2 ?
I am having issues with dropped passive FTP traffic.
I can initiate a session, begin a transfer then it fails.
On the receiving FTP server or PC end you can see that a file was created but usually it is corrupt or empty.
06-23-2011 08:00 AM
Post config ?
06-24-2011 12:48 PM
Attached is the config I have been using to address the FTP issue.
The server at 69.xxx.xxx.21 is an active bidirectional FTP server.
The server at 69.xxx.xxx.19 only uses FTP to send data out.
##############################################################################################
HQ-Router-01#sh run
Building configuration...
Current configuration : 10636 bytes
!
! Last configuration change at 16:41:32 UTC Wed Jun 22 2011 by cbaranowski
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ-Router-01
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5
enable password
!
no aaa new-model
!
!
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp pool Guest-Network
host 192.168.150.1 255.255.255.0
default-router 192.168.150.254
dns-server 66.180.xxx.xxx 64.238.xxx.xxx
!
!
ip domain name ACME.local
ip name-server 192.168.10.10
ip name-server 66.180.xxx.xxx
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM cuseeme
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM ntp
ip inspect name CCP_MEDIUM ftps
!
appfw policy-name CCP_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
port-misuse im action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2951/K9 sn FTX1521AJP7
!
!
username user1
username user2
!
redundancy
!
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description xxxxxx WAN Acct-xxxx$ETH-WAN$$FW_OUTSIDE$
ip address 69.xxx.xxx.30 255.255.255.240
ip access-group 105 in
ip verify unicast reverse-path
ip flow ingress
ip flow egress
ip nat outside
ip inspect CCP_MEDIUM out
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
ip flow ingress
duplex auto
speed auto
!
!
interface GigabitEthernet0/1.1
description Management VLAN 1$FW_INSIDE$
encapsulation dot1Q 1 native
ip address 192.168.1.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip virtual-reassembly
!
interface GigabitEthernet0/1.10
description Core Network VLAN 10$FW_INSIDE$
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip access-group 102 in
ip helper-address 192.168.10.26
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.30
description guest-Network VLAN 300
encapsulation dot1Q 30
ip address 192.168.150.254 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly
!
interface GigabitEthernet0/1.99
description Heartbeat VLAN 99
encapsulation dot1Q 99
ip address 10.10.0.254 255.255.255.0
ip access-group 104 in
ip flow ingress
!
interface GigabitEthernet0/2
no ip address
ip flow ingress
shutdown
duplex auto
speed auto
!
!
ip default-gateway 69.xx.xx.30
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static network 192.168.10.2 69.xx.xx.18 /32
ip nat inside source static network 192.168.10.15 69.xx.xx.19 /32
ip nat inside source static network 192.168.10.21 69.xx.xx.21 /32
ip nat inside source static network 192.168.10.44 69.xx.xx.21 /32
ip nat inside source static network 192.168.10.42 69.xx.xx.23 /32
ip nat inside source static network 192.168.10.43 69.xx.xx.24 /32
ip nat inside source static network 192.168.10.40 69.xxx.xxx.27 /32
ip nat inside source static network 192.168.10.41 69.xxx.xxx.28 /32
ip nat inside source static network 192.168.10.12 69.xxx.xxx.29 /32
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 69.xxx.xxx.17 permanent
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 deny ip 69.xxx.xxx.16 0.0.0.15 any
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp any host 192.168.10.21 eq ftp-data
access-list 102 permit tcp any host 192.168.10.21 eq ftp
access-list 102 deny ip 69.xxx.xxx.16 0.0.0.15 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 102 permit tcp any host 192.168.10.19 eq ftp-data
access-list 102 permit tcp any host 192.168.10.19 eq ftp
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any host 69.xxx.xxx.18
access-list 103 permit udp any host 69.xxx.xxx.18
access-list 103 permit tcp any host 69.xxx.xxx.19
access-list 103 permit udp any host 69.xxx.xxx.19
access-list 103 permit tcp any host 69.xxx.xxx.21
access-list 103 permit udp any host 69.xxx.xxx.21
access-list 103 permit tcp any host 69.xxx.xxx.21
access-list 103 permit udp any host 69.xxx.xxx.21
access-list 103 permit tcp any host 69.xxx.xxx.23
access-list 103 permit udp any host 69.xxx.xxx.23
access-list 103 permit tcp any host 69.xxx.xxx.24
access-list 103 permit udp any host 69.xxx.xxx.24
access-list 103 permit tcp any host 69.xxx.xxx.26
access-list 103 permit udp any host 69.xxx.xxx.26
access-list 103 permit tcp any host 69.xxx.xxx.27
access-list 103 permit udp any host 69.xxx.xxx.27
access-list 103 permit tcp any host 69.xxx.xxx.28
access-list 103 permit udp any host 69.xxx.xxx.28
access-list 103 permit tcp any host 69.xxx.xxx.29
access-list 103 permit udp any host 69.xxx.xxx.29
access-list 103 permit udp any eq bootps any eq bootps
access-list 103 permit icmp any host 69.xxx.xxx.30 echo-reply
access-list 103 permit icmp any host 69.xxx.xxx.30 time-exceeded
access-list 103 permit icmp any host 69.xxx.xxx.30 unreachable
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark CCP_ACL Category=0
access-list 105 remark auto generated by CCP firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 permit udp any host 69.xxx.xxx.18
access-list 105 permit tcp any host 69.xxx.xxx.18
access-list 105 permit ip any host 69.xxx.xxx.18
access-list 105 permit tcp any host 69.xxx.xxx.19 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.21 eq 3389
access-list 105 permit udp any host 69.xxx.xxx.21
access-list 105 permit tcp any host 69.xxx.xxx.21
access-list 105 permit tcp any host 69.xxx.xxx.21 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.23 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.24 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.27 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.28 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.29 eq 3389
access-list 105 permit tcp any host 69.xxx.xxx.29 eq smtp
access-list 105 permit tcp any host 69.xxx.xxx.29 eq 443
access-list 105 permit tcp any host 69.xxx.xxx.29 eq www
access-list 105 permit udp any eq bootps any eq bootps
access-list 105 permit icmp any host 69.xxx.xxx.30 echo-reply
access-list 105 permit icmp any host 69.xxx.xxx.30 time-exceeded
access-list 105 permit icmp any host 69.xxx.xxx.30 unreachable
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip 192.168.10.0 0.0.0.255 any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 105 permit udp any host 69.xxx.xxx.19
access-list 105 permit tcp any host 69.xxx.xxx.19
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
transport output telnet
line aux 0
log
transport output telnet
line vty 0 4
password
login local
transport input telnet
transport output telnet
!
scheduler allocate 20000 1000
end
06-25-2011 01:38 AM
Remove all ip inspect and ip nbar commands.
apply ip flow (if needed) as ingress or egress only.
Since you have nat, you don't need ACL neither.
06-25-2011 11:02 AM
Hi,
Passive FTP is difficult to secure because the server can use any of a large number of ports for its data session. Seems we need to inspect the session initiated by the server as well. You can try this for testing.
Router(config)#ip inspect name InboundFTP ftp
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ip inspect InboundFTP in
HTH,
Toshi
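The point Toshi makes above is that a passive-mode data connection lands on an ephemeral port the server announces inside the control channel, so a static port-based ACL cannot describe it in advance; a stateful FTP inspector reads the control channel and opens a temporary pinhole for exactly that connection. The following is an added illustration of that mechanism in Python, not code from the thread or from Cisco IOS. It parses constructed FTP control-channel lines (the `227` passive reply and the `PORT` command), records the negotiated data connection as a pinhole, and checks the same data connection against a stateless rule in the spirit of `permit tcp any host <server> eq ftp` / `eq ftp-data`. The client and server addresses, the session lines and the `static_acl_permits` rule are all assumptions made up for the example.

```python
"""Toy model of stateful FTP inspection (an added example, not Cisco code).

Constructed FTP control-channel lines are parsed to learn which data
connection the endpoints negotiated; that tuple becomes a temporary
'pinhole'.  A static port-based ACL (like 'permit tcp any host X eq ftp-data')
is checked against the same data connection to show why it misses
passive-mode transfers.
"""
import re
from dataclasses import dataclass, field

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -- server tells client where to connect
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT h1,h2,h3,h4,p1,p2  -- client tells server where to connect (active mode)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(parts):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    vals = [int(x) for x in parts]
    if any(v < 0 or v > 255 for v in vals):
        raise ValueError("FTP host/port field out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Pinhole:
    """One data connection the inspector will allow: src -> dst:dport."""
    src: str
    dst: str
    dport: int
    mode: str  # 'passive' or 'active'


@dataclass
class FtpInspector:
    """Watches one control session (client <-> server:21) and records pinholes."""
    client: str
    server: str
    pinholes: set = field(default_factory=set)

    def observe(self, direction, line):
        """direction is 'c2s' (client command) or 's2c' (server reply)."""
        if direction == "s2c":
            m = PASV_RE.match(line)
            if m:
                host, port = decode_hostport(m.groups())
                # Passive: the client opens the data connection to server:port.
                ph = Pinhole(self.client, host, port, "passive")
                self.pinholes.add(ph)
                return ph
        elif direction == "c2s":
            m = PORT_RE.match(line)
            if m:
                host, port = decode_hostport(m.groups())
                # Active: the server opens the data connection (from port 20) to client:port.
                ph = Pinhole(self.server, host, port, "active")
                self.pinholes.add(ph)
                return ph
        return None

    def permits(self, src, dst, dport):
        """Would the stateful inspector let this data connection through?"""
        return any(p.src == src and p.dst == dst and p.dport == dport
                   for p in self.pinholes)


def static_acl_permits(dst, dport, server):
    """Stateless rule in the spirit of 'permit tcp any host <server> eq ftp' / 'eq ftp-data'.
    It knows nothing about the control channel, so only ports 20 and 21 ever match."""
    return dst == server and dport in (20, 21)


# Constructed sample session (RFC 5737 documentation addresses, not real hosts).
CLIENT, SERVER = "203.0.113.5", "198.51.100.21"
SAMPLE = [
    ("c2s", "USER demo"),
    ("s2c", "331 Please specify the password."),
    ("c2s", "PASS ********"),
    ("s2c", "230 Login successful."),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (198,51,100,21,195,80)."),  # 195*256+80 = port 50000
    ("c2s", "RETR report.csv"),
]


def run_sample():
    """Feed the constructed session through the inspector and return it."""
    insp = FtpInspector(CLIENT, SERVER)
    for direction, line in SAMPLE:
        insp.observe(direction, line)
    return insp


if __name__ == "__main__":
    insp = run_sample()
    for ph in sorted(insp.pinholes, key=lambda p: p.dport):
        print(f"pinhole {ph.mode}: {ph.src} -> {ph.dst}:{ph.dport}")
    print("static ACL permits passive data:", static_acl_permits(SERVER, 50000, SERVER))
    print("inspector permits passive data:", insp.permits(CLIENT, SERVER, 50000))
```

Running it shows the static rule rejecting the client's connection to port 50000 while the inspector, having seen the `227` reply, permits it; that is the difference `ip inspect ... ftp` makes on the control session. One caveat worth checking when the FTP server sits behind static NAT, as the 192.168.10.x servers in this thread do: the address inside the `227` reply is whatever the server believes its own address is, so the NAT/inspection engine has to rewrite that payload as well, and a transfer that starts and then stalls with an empty or truncated file is a typical symptom of the data connection being dropped rather than the control connection.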