Allowing only Passive FTP through the Pix 7.x firewall

daviddtran · ‎02-24-2007

Linux_FTP_Server---(DMZ)Pix(ExTERNAL)---Linux_FTP_client

Pix is running version 7.2(2).

DB has priority of 70. EXTERNAL has priority of 0.

Pix DB interface IP is 10.102.160.19/28

Pix EXTERNAL interface IP is 192.168.1.4/24

Linux_FTP_Server is 10.102.160.20

Linux_FTP_client is 192.168.1.1

Linux_FTP_Server is running both "Active" and "Passive" FTP mode.

Linux_FTP_Server is being NATted by the pix:

static (DMZ,EXTERNAL) 192.168.1.20 10.102.160.20 net 255.255.255.255

Keep in mind that the customer does NOT want to make any changes

to the Linux_FTP_Server. It is not my decision.

They want me to configure the Pix firewall so that the pix will

allow only "passive" ftp from the Linux_FTP_client to the

Linux_FTP_Server. NO Active ftp is allowed between the Linux_FTP_client

and the Linux_FTP_Server.

here is my config, just for testing purposes:

ftp mode passive

no fixup protocol ftp 21

static (DMZ,EXTERNAL) 192.168.1.20 10.102.160.20 net 255.255.255.255

access-list External permit icmp any any log

access-list External permit tcp any any eq 21 log

access-list External permit tcp any any gt 1024 log

access-list DMZ permit icmp any any log

access-list DMZ deny tcp any eq 20 any gt 1024 log

access-list DMZ permit ip any any log

access-group External in interface EXTERNAL

access-group DMZ in interface DMZ

Here is the output from the Linux_FTP_client. As you can see,

I can login fine but as soon as I type "ls", the connection

hangs. I suspect that because I turned off ftp fixup:

Linux_FTP_client[admin]# ftp 192.168.1.20

Connected to 192.168.1.20.

220 (vsFTPd 1.1.3)

Name (192.168.1.20:admin): anonymous

331 Please specify the password.

Password:

230 Login successful. Have fun.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> bin

200 Switching to Binary mode.

ftp> prompt

Interactive mode off.

ftp> hash

Hash mark printing on (1024 bytes/hash mark).

ftp> passive

Passive mode on.

ftp> ls

227 Entering Passive Mode (10,102,160,20,4,222)

CiscoPix(config)# sh access-list External

access-list External; 3 elements

access-list External line 1 extended permit icmp any any log informational interval 300 (hitcnt=2) 0xa53e0e51

access-list External line 2 extended permit tcp any any eq ftp log informational interval 300 (hitcnt=8) 0x6a1b47d7

access-list External line 3 extended permit tcp any any gt 1024 log informational interval 300 (hitcnt=13) 0xfe0778b4

CiscoPix(config)#

Does anyone know how to configure the Pix 7.x code to allow only "passive" ftp

through the firewall with static NAT? It seems to me that the pix firewall is

incapable of doing this.

Any ideas anyone? Thanks.

David

ROBERTO TACCON · ‎02-25-2007

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080640337.html#wp1234738

If you disable FTP inspection engines with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

daviddtran · ‎02-25-2007

hi r.taccon,

I am not interested in outbound ftp connections.

I am only interested in inbound ftp connections. This FTP server accepts inbound

connections from other users over the Internet.

Is this possible with Pix 7.x or Pix in general

when static NAT is involved?

I come from Checkpoint and Juniper/Netscreen

environments and I take these things for granted

until I deal with Cisco Pix.

Thanks.

David

jgervia_2 · ‎02-25-2007

Hello,

Your problem is that in order for the pix to nat the port OR passive command, the inspect/fixup for ftp has to be on.

From your output:

227 Entering Passive Mode (10,102,160,20,4,222)

the first 4 numbers there are the IP address it sees for the port command. As you can see, it's the 10.x address, not the nat address needed to the communication can work.

So turning on the inpect/fixup fixes that issue. However, once the fixup is on, active ftp is allowed as well. The only way to block active ftp from the server would be to deny it's ability to initiate connections to anything greater than or equal to port 1024 (which seems to be what you've done in your DMZ access-list, though you may want to make it from all ports rather than just a source port of 20 to be absolutely certain, and change it to be gt 1023).

--Jason

Please rate this message if it helps solve some or all of your issue/question

jgervia_2 · ‎02-25-2007

On second thought, the ACL may not block it - the inspect may create an entry in the state table before the ACL is checked and allow active ftp through.

--Jason

daviddtran · ‎02-25-2007

Jason,

So what is the solution? I can not believe

I have an expensive Pix firewall that can not

do a simple task like this one.

Without static NAT in place, I can allow

only passive FTP through the pix firewall. In

other words, if I just route traffics through

the firewall, it will work like this:

no fixup protocol ftp 21

access-list out permit icmp any any log

access-list out permit tcp any any eq 21 log

access-list out permit tcp any any gt 1024 log

access-list in permit icmp any any log

access-list in deny tcp any eq 20 any log

access-list in permit ip any any log

access-group out in interface outside

access-group in in interface inside

However, since I am static NAT the ftp server,

this configuration does not serve me any good.

Anymore ideas? Thanks.

David