Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5745
Views
14
Helpful
7
Replies

FTP server behind a Cisco 2811 with Firewall

Go to solution
phuong-le
Level 1
Level 1

‎03-11-2007 06:12 PM - edited ‎03-11-2019 02:44 AM

Hi,

I am a Cisco newbie, :). And I really need your help or direction. I am trying to setup a ftp server using Windows XP Pro. This server has a static local ip, and this local ip is Natted to a public IP on my router. The router has configuration with vpn, firewall... If I vpn in from the internet, I can connect, transfer data to my ftp server using the local ip without problems. But If I disconnect the vpn, and try to connect to the ftp server using the public IP, I can login without problem. However, if I try to list, transfer....data from/to my ftp server, it just hang on me. I guess there are something missing with my firewall configurations, and it just keep blocking the service. I did search a lot for did issue, but all I find is exactly what I have: nat the local ip to public, then grant access to ftp port and ftp-data port on the public ip. I am at loss now, and I am not sure where to start. Below is some config from my router and the problems when I am trying to connect to my ftp site using dos prompt. I thank you in advance. Any help or direction would be greatly appreciated.

partial configuration from Cisco 2811 router:

--------------------------------------

ip cef

ip port-map ftp port tcp 20

ip inspect name FW tcp

ip inspect name FW udp

ip inspect name FW icmp

ip inspect name FW h323

ip inspect name FW rcmd

ip inspect name FW realaudio

ip inspect name FW smtp

ip inspect name FW sqlnet

ip inspect name FW streamworks

ip inspect name FW tftp

ip inspect name FW vdolive

ip inspect name FW ftp

ip nat inside source static local.ftp.server.ip public.ip route-map t1-map

access-list 111 permit tcp any host public.ip eq ftp

access-list 111 permit tcp any host public.ip eq ftp-data

cisco2811#show ip port-map ftp

Default mapping: ftp tcp port 21 syste

m defined

Default mapping: ftp tcp port 20 user

defined

--------------------------------------

From Dos Prompt trying to connect to FTP Site

C:\>ftp public.ip

Connected to public.ip

220-Microsoft FTP Service

220 PTS FTP SITE

User (public.ip:(none)): user

331 Password required for user.

Password:

230-WELCOME TO PTS FTP SITE.

230 User user logged in.

ftp> ls

200 PORT command successful.

150 Opening ASCII mode data connection for file list.

425 Can't open data connection.

From Dos Prompt trying to connect to FTP Site with (quote PASV)

C:\>ftp public.ip

Connected to public.ip

220-Microsoft FTP Service

220 PTS FTP SITE

User (public.ip:(none)): user

331 Password required for user.

Password:

230-WELCOME TO PTS FTP SITE.

230 User user logged in.

ftp> quote PASV

227 Entering Passive Mode (public.ip,19,137).

ftp> ls

200 PORT command successful.

150 Opening ASCII mode data connection for file list.

425 Can't open data connection.

Labels:
Preview file
2 KB
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
chadlenox
Level 1
Level 1

‎03-22-2007 06:45 AM

Hi,

I actually have this same problem. I am trying to setup an FTP server behind our Cisco 2811 Firewall to allow our clients to transfer files to our server. The problem with using Active FTP is that if the client who is trying to connect to the FTP server is also behind a firewall, the connection will be blocked by their firewall. Of course when using Passive FTP, it gets blocked by our firewall.

Active FTP

In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

? FTP server's port 21 from anywhere (Client initiates connection)

? FTP server's port 21 to ports > 1023 (Server responds to client's control port)

? FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)

? FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client--something that is usually blocked.

Passive FTP

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

? FTP server's port 21 from anywhere (Client initiates connection)

? FTP server's port 21 to ports > 1023 (Server responds to client's control port)

? FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)

? FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

Now, I realize that I can probably easily fix this problem by applying the following entries to our Firewall:

Permit tcp any host (External IP) eq ftp

Permit tcp any host (External IP) gt 1023

But the problem is this opens up thousands of ports to everyone. Is there way to avoid having to do this with the IOS Firewall?

View solution in original post

Go to solution
suschoud
Cisco Employee
Cisco Employee
In response to chadlenox

‎03-22-2007 07:57 AM

enable the inspection engine for ftp.

View solution in original post

Go to solution
chadlenox
Level 1
Level 1
In response to suschoud

‎03-22-2007 08:12 AM

Here's what I currently have configured on my router:

ip inspect name APP_FIREWALL ftp

ip nat inside source static tcp (Internal IP) 21 interface FastEthernet0/0 21

ip access-list extended FIREWALL

permit tcp any host (External IP) eq ftp

permit tcp any host (External IP) eq ftp-data

permit tcp any host (External IP) established

I'm using CoreFtp as the client, and I have tested this from home and it works if I set the client to use Active mode when it connects, but it does not work when I set the client to use Passive mode because the Firewall blocks the connection. The client is able to make the initial connection on port 21, however, when the client switches over to a random port, the firewall then blocks it.

View solution in original post

0 Helpful

Go to solution
suschoud
Cisco Employee
Cisco Employee
In response to chadlenox

‎03-22-2007 08:45 AM

for passive ftp,you would have to open up all the ports on the outside interface.

permit tcp any host (External IP)

View solution in original post

0 Helpful
7 Replies 7

Go to solution
fmeetz
Level 4
Level 4

‎03-16-2007 09:38 AM

Try to use active FTP , it may works. also check this bug-id:CSCsg37315, which related to IOS Firwall.

Go to solution
phuong-le
Level 1
Level 1
In response to fmeetz

‎03-20-2007 07:07 PM

Hi, Thank you for your response. How do I set active ftp in my router?

About the bug-id:CSCsg37315, I could find anything. Could you point out a link somewhere. Again, thank you for your reply.

PL

0 Helpful

Go to solution
chadlenox
Level 1
Level 1

‎03-22-2007 06:45 AM

Hi,

I actually have this same problem. I am trying to setup an FTP server behind our Cisco 2811 Firewall to allow our clients to transfer files to our server. The problem with using Active FTP is that if the client who is trying to connect to the FTP server is also behind a firewall, the connection will be blocked by their firewall. Of course when using Passive FTP, it gets blocked by our firewall.

Active FTP

In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

? FTP server's port 21 from anywhere (Client initiates connection)

? FTP server's port 21 to ports > 1023 (Server responds to client's control port)

? FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)

? FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client--something that is usually blocked.

Passive FTP

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

? FTP server's port 21 from anywhere (Client initiates connection)

? FTP server's port 21 to ports > 1023 (Server responds to client's control port)

? FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)

? FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

Now, I realize that I can probably easily fix this problem by applying the following entries to our Firewall:

Permit tcp any host (External IP) eq ftp

Permit tcp any host (External IP) gt 1023

But the problem is this opens up thousands of ports to everyone. Is there way to avoid having to do this with the IOS Firewall?

Go to solution
suschoud
Cisco Employee
Cisco Employee
In response to chadlenox

‎03-22-2007 07:57 AM

enable the inspection engine for ftp.

Go to solution
chadlenox
Level 1
Level 1
In response to suschoud

‎03-22-2007 08:12 AM

Here's what I currently have configured on my router:

ip inspect name APP_FIREWALL ftp

ip nat inside source static tcp (Internal IP) 21 interface FastEthernet0/0 21

ip access-list extended FIREWALL

permit tcp any host (External IP) eq ftp

permit tcp any host (External IP) eq ftp-data

permit tcp any host (External IP) established

I'm using CoreFtp as the client, and I have tested this from home and it works if I set the client to use Active mode when it connects, but it does not work when I set the client to use Passive mode because the Firewall blocks the connection. The client is able to make the initial connection on port 21, however, when the client switches over to a random port, the firewall then blocks it.

0 Helpful

Go to solution
suschoud
Cisco Employee
Cisco Employee
In response to chadlenox

‎03-22-2007 08:45 AM

for passive ftp,you would have to open up all the ports on the outside interface.

permit tcp any host (External IP)

0 Helpful

Go to solution
phuong-le
Level 1
Level 1
In response to suschoud

‎04-16-2007 09:43 PM

Hi,

Thank you for all your helps. my server is running now. Again, you guys are the best. Thanks.

PL

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card