12-20-2010 03:43 AM - edited 03-04-2019 10:50 AM
Hi,
We have a 2911 Cisco router with two ADSL interfaces (two Dialers). On Dialer1 we have a site-to-site VPN connection with another Cisco router at a different site.
On Dialer0 we have configured policy-based routing for the internet feed (http, https, dns).
Default route uses Dialer1.
We want the ftp protocol to use the Dialer0 connection.
We have changed the access-list that is used by our route-map so that it contains the ftp and ftp-data protocols, but we cannot use ftp.
Is there something else that we must do?
The router's config:
interface GigabitEthernet0/0
 ip address 192.168.2.241 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map INTERNET_MAP
 duplex auto
 speed auto

interface Dialer0
 ip address x.y.z.w 255.255.255.0
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1

interface Dialer1
 ip address negotiated
 ip mtu 1452
 encapsulation ppp
 dialer pool 2
 dialer-group 2

ip nat inside source route-map INTERNET_MAP interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended INTERNET_LIST
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit udp any any eq domain
 permit tcp any any eq pop3
 permit tcp any any eq smtp
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data

route-map INTERNET_MAP permit 10
 match ip address INTERNET_LIST
 set interface Dialer0
12-20-2010 04:32 AM
There is no route for interface dialer 0.
regards,
Leo
12-20-2010 04:46 AM
What do we have to type? Will
ip route 0.0.0.0 0.0.0.0 Dialer0 20
solve the problem?
Will this interrupt the VPN?
Thanks.
12-20-2010 05:45 AM
I do not share the opinion of my colleague Leo that you need a default route for dialer 0. If you have the router set up with a default route using dialer 1, and if you do not intend to provide failover capability to use dialer 0 if dialer 1 has a problem (which is not indicated in your post) then I believe that having PBR send traffic to dialer 0 is sufficient.
I am not comfortable using the same route map for PBR and for NAT as is shown in the config posted. I would prefer to see a separate route map for PBR and a map for NAT. I wonder if there is some issue between the NAT for dialer 0 and the NAT for dialer 1 (assuming that there is NAT for dialer 1). Perhaps you could post a more complete version of the config that has both dialer and all NAT related configuration?
HTH
Rick
12-21-2010 04:23 AM
I found that when ftp uses passive mode, the ports that will be used are dynamic ports that have been negotiated between the client and server.
Probably this is the problem, but what is the way to overcome this?
What do I have to put in the access-list without disturbing the VPN?
Thanks
12-21-2010 04:58 AM
This is the difference between active and passive ftp.
With passive ftp, the client negotiates the port to use, and hence it will always be open on the fw.
It is also the reason why passive ftp is recommended in today's environments with numerous firewalls.
So, when it works using passive mode there is no reason to modify anything on your network components.
Using active ftp must be discouraged because it is so much harder to secure.
regards,
Leo
12-22-2010 03:30 AM
So, why is ftp not working from our network?
Is something missing in our config?
Something that we must add to PBR?
Thanks
12-22-2010 04:13 AM
The port 20 never gets established. The fix is to use "passive FTP" mode. Passive FTP has the client open both port 21 and port 20 connections from the start. The router knows about both of them rather than just port 21, and allows the server to open port 20.
Refer to Analysis of the File Transfer Protocol (FTP) for more information on FTP.
You need extended translations for port 20 and 21 with static mappings (example address)
ip nat inside source static tcp 192.168.0.4 20 66.46.64.82 20 extendable
ip nat inside source static tcp 192.168.0.4 21 66.46.64.82 21 extendable
The way that active FTP works does not allow for the use of dynamic NAT. Only static NAT can be used in this case. This is a limitation of FTP.
Alternatively, you can choose to policy-route all traffic for hosts accessing ftp via dialer0.
regards,
Leo
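To make the two observations above concrete (the passive-mode data channel uses a negotiated, dynamic port, and Leo's suggestion to policy-route everything from the ftp-using hosts instead), here is an added example that is not from this thread or from Cisco: a small Python emulation of how an extended ACL attached with `ip policy route-map` classifies flows. The addresses, the trimmed copy of INTERNET_LIST and the host-based list are constructed, and the emulation ignores the NAT route-map interplay Rick raised.

```python
# Added example, not from the thread: emulate how an extended ACL attached
# with 'ip policy route-map' classifies flows, to show why a passive FTP
# data channel (dynamic port) misses INTERNET_LIST and follows the default
# route via Dialer1, while a source-host list also catches it.
from ipaddress import ip_address

# IOS well-known port names that appear in the thread's ACL.
NAMED_PORTS = {"www": 80, "domain": 53, "pop3": 110, "smtp": 25,
               "ftp": 21, "ftp-data": 20}

def _addr_spec(tokens):
    """Consume one ACL address spec; return (network_int, wildcard_int)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ip_address(tokens.pop(0))), 0
    return int(ip_address(word)), int(ip_address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _addr_spec(rest), _addr_spec(rest)
        port = None
        if rest and rest[0] == "eq":
            port = NAMED_PORTS.get(rest[1]) or int(rest[1])
        aces.append((action, proto, src, dst, port))
    return aces

def _in(addr, spec):
    net, wild = spec  # wildcard bits set = "don't care", as in IOS
    return (int(ip_address(addr)) & ~wild) == (net & ~wild)

def route_for(aces, proto, src, dst, dport):
    """'Dialer0' if a permit ACE matches (PBR sets the interface); otherwise
    'Dialer1', the default route, as IOS does on deny or no match."""
    for action, p, s, d, port in aces:
        if p in ("ip", proto) and _in(src, s) and _in(dst, d) \
                and (port is None or port == dport):
            return "Dialer0" if action == "permit" else "Dialer1"
    return "Dialer1"

# Constructed: a port-only list like the thread's, and a host-based one.
INTERNET_LIST = """permit tcp any any eq www
permit tcp any any eq 443
permit udp any any eq domain
permit tcp any any eq ftp
permit tcp any any eq ftp-data"""
HOST_LIST = "permit ip 192.168.2.0 0.0.0.255 any"
```

With the port-only list, the control connection to port 21 is policy-routed to Dialer0 but the passive data connection to a dynamic port is not, so the two halves of one FTP session leave on different dialers; the host-based list sends both the same way.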