04-15-2004 08:42 AM
Hi,
I have an ACL and NAT entry allowing port object ftp to an FTP server in security zone 90. The ACL specifies two source networks coming from security zone 70 to the FTP server. FTP works fine from one source, but from the other source net, whenever a client logs in to the FTP server it's OK, but as soon as he does an "ls" or some commands the session hangs, and I see "deny to tcp port 20 using the same access list that allows Ftp" in the log.
Please advise on the problem
Help appreciated
ACL: permit tcp <network object group (combining two netids)> host <ftpserver> eq ftp
It happens even if I split and list the individual netids as source.
Thanks and regards
04-15-2004 11:09 AM
Some more information about what IOS version, or PIX version, you are using would help. Also, are you using FTP fixup protocols?
You might want to take a look at this fairly good article describing how FTP can use 2 ports, and the difference between active and passive FTP.
04-16-2004 12:52 AM
Hi,
The PIX version is 6.3(3); yes, we are using FTP fixup.
The case being: I am able to open a control session against the FTP server, but as soon as I do an ls (data connection) the connection hangs, and the log shows denied to port 20 of the FTP server (now this must be an ACK/data to the active FTP server). As previously mentioned, the ACL which denies actually allows source from two netids to the destination FTP server in the high security zone.
Please advise
regards
04-17-2004 06:08 AM
Hi,
The ftp server is IIS
FTP client Chameleon
Please advise, as there is a fixup and the ACL allows two netids, grouped as a network object in one ACL statement, to the destination FTP server on eq ftp. It works without a problem from one netid and very erratically from the other netid; there are deny packets seen in the log (Kiwi) from the other netid for TCP destination port 20.
Please advise
Thanks and regards
04-17-2004 09:19 PM
There are a few things to look at here. Number 1 is the type of FTP that you are doing. What I'm referring to is Passive vs. Standard Mode FTP. Number 2 is the direction as seen by the PIX ASA, and third is the ACL.
The ACL should be permitting tcp from the source FTP client to the destination FTP server. I think you are saying that the source is defined by an object group and the object group has two FTP clients defined in it. That's fine. The destination port should be defined as FTP (port-object eq ftp, or eq 21). You don't need to add port 20, as the fixup protocol will take care of that.
Now the fixup protocol is going to do the following. Inbound for standard mode it's not going to do much. The data channel will establish because the server is going to initiate the connection between a dynamic source port on the FTP client and port 20 on the server. If you are using passive mode FTP the server will not establish a data connection on port 20; rather, a dynamic port is negotiated in the command and control channel on port 21. The fixup protocol will see the negotiation for passive mode, and the port numbers, and dynamically allow the connection based on the information negotiated.
About the most help I could give you is that if you have the ACL set up, you are using the default port for FTP (21) and you have the ftp fixup configured for the default, I would probably play with the FTP client and the mode it is in. If you are using Internet Explorer go to Tools > Internet Options > Advanced. You will see a check box for passive FTP.
Good Luck.
BC
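As an added illustration of the two-port behaviour described in the reply above (this is example code, not something from the thread or from the PIX): given one line of the FTP control channel, it derives the data connection a fixup would have to open, and then checks that connection against an ACL written "eq ftp". The client and server addresses are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

FTP_CTRL_PORT, FTP_DATA_PORT = 21, 20
# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

@dataclass(frozen=True)
class Flow:
    mode: str
    src_ip: str
    src_port: Optional[int]  # None = ephemeral, picked at connect time
    dst_ip: str
    dst_port: int

def parse_hostport(text: str) -> Optional[tuple]:
    """Decode h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2)."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def data_flow(client_ip: str, server_ip: str, ctrl_line: str) -> Optional[Flow]:
    """Data connection a fixup must open, derived from one port-21 control line.
    None if the line announces no data channel or names a host that is not the peer."""
    line = ctrl_line.strip()
    if line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        if hp is None or hp[0] != client_ip:
            return None
        # Active (standard) mode: the SERVER connects from port 20 to the client's port.
        return Flow("active", server_ip, FTP_DATA_PORT, client_ip, hp[1])
    if line.startswith("227"):
        hp = parse_hostport(line)
        if hp is None or hp[0] != server_ip:
            return None
        # Passive mode: the CLIENT connects from an ephemeral port to the negotiated port.
        return Flow("passive", client_ip, None, server_ip, hp[1])
    return None

def permitted_by_eq_ftp_acl(flow: Flow, client_nets: list, server_ip: str) -> bool:
    """Model 'permit tcp <client nets> host <server> eq ftp': only client -> server:21 matches."""
    src_ok = any(ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(n) for n in client_nets)
    return src_ok and flow.dst_ip == server_ip and flow.dst_port == FTP_CTRL_PORT
```

Neither derived data channel matches the "eq ftp" rule, which is exactly the gap the fixup is there to fill; if the fixup does not see the negotiation, only the control session gets through.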