3403 Views, 5 Helpful, 3 Replies

FTP on Non Standard Port with FTD 6.6

Hi,

We'll be moving an application from an older ASA to FTD running 6.6 code. This application uses non-standard FTP ports and I'm trying to understand if I have all the rules and policies correct on FTD. I can't reliably test this with a server as this reaches out to a financial institution, so go-live is the first test I'll get. Here's what I've done so far:

  1. Updated the Network Analysis Policy with the non-standard FTP port in the FTP & Telnet section and associated this with the ACP.
  2. Created an Access Control rule with both FTP and FTP-Data selected in the application section as well as having the non-standard port defined in the Port section. This is an allow rule.
  3. Have an IPS policy associated to the above rule so this gets pushed to the Snort section for inspection to hopefully create the necessary openings for return traffic.

Is there something that I'm missing prior to cut-over that anyone can see? I have run Packet-Tracer, which states that this traffic will be allowed via this port, the NAT is in place etc., but of course it's the FTP-Data return that I'm worried about and can't test.

Thanks,

3 Replies

balaji.bandi (Hall of Fame)

If you configure FTP inspection, then you need to add a class; example:

https://community.cisco.com/t5/security-documents/how-to-configure-ftp-inspection-on-a-non-standard-port-in/ta-p/3112780

BB


Hi Balaji,

Thanks for the response. I see by the link that the configuration is exactly like the older ASA style firewalls. Are you saying that with FTD I need to add a policy like this via Flex-Config (as I believe that is the only way to change the "inspect" type policies)? I was hoping that with FTD's ability to inspect applications, as well as Snort for the added intelligence, adding class-maps and inspect policies like the older ASA code was no longer required.

Let me know if these ASA style configuration snippets are required on FTD and if they can only be applied via Flex-Config (as I can't see how to add these via native FMC).

Thanks!

I think you don't need to add the old-fashioned inspect FTP command on FTD. In FMC/FDM, when you create the access control policy rule for FTP traffic, go to the Applications tab, select FTP, FTP Data, and FTP Passive, don't specify any port, and finally enable IPS inspection on that rule. That should allow the FTD to pin in the dynamic ports required by FTP. However, please keep in mind that before the FTD can apply the right rule, it might need to learn the application by looking at some of the packets passing through. This might cause the first attempt to connect to the FTP server to fail if the FTP client timeout is aggressive, but the successive attempts should work just fine.
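A pre-cutover check, added here as an example and not written by any poster in this thread: the two parsers show exactly what the firewall's FTP inspection has to read out of the control channel (the 227 PASV reply and the PORT command) before it can open the dynamic FTP-Data connection that the original post is worried about, `pasv_host_matches` flags the common NAT symptom where the server advertises an address the client cannot reach, and `probe_data_channel` exercises both modes against a lab FTP server you control. Host, port and credentials are assumptions; nothing here is tied to the financial institution's real server.

```python
import re
from ftplib import FTP

# 227 reply the client gets after PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The firewall's FTP inspection must parse this to open the return FTP-Data connection.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _join(vals):
    """Turn six octets into ('a.b.c.d', port); reject anything outside 0-255."""
    if len(vals) != 6 or any(v < 0 or v > 255 for v in vals):
        raise ValueError("malformed address/port tuple: %r" % (vals,))
    return "%d.%d.%d.%d" % tuple(vals[:4]), vals[4] * 256 + vals[5]


def parse_pasv_reply(reply):
    """(host, port) the client will connect to for passive-mode data transfer."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _join([int(x) for x in m.groups()])


def parse_port_command(cmd):
    """(host, port) the server will connect back to for active-mode data transfer."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % cmd)
    return _join([int(x) for x in cmd[5:].strip().split(",")])


def pasv_host_matches(reply, control_host):
    """False when the server advertises a different address than the one the
    control channel reached (typical when NAT is not rewriting the 227 payload)."""
    return parse_pasv_reply(reply)[0] == control_host


def probe_data_channel(host, port, user, password, passive=True):
    """Log in on the non-standard control port and force a data connection (LIST).
    Returns the number of listing lines; raises if the data channel is blocked.
    Run once with passive=True and once with passive=False against a lab server
    (host/port/credentials are assumed placeholders you supply)."""
    ftp = FTP()
    ftp.connect(host, port, timeout=15)
    ftp.login(user, password)
    ftp.set_pasv(passive)
    lines = []
    ftp.retrlines("LIST", lines.append)  # the data connection is opened here
    ftp.quit()
    return len(lines)
```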
