10-17-2007 03:27 AM
Hi,
I am facing a problem configuring FTP servers behind CSS 11501 and I would appreciate your help.
The FTP service needs a GROUP, with the same VIP address as the CONTENT rule, configuration to work correctly. The problem is that I have already configured GROUPs for different VIPs that use the same hosts' IP address as service, so when I try to add service to the FTP group I am not allowed (as expected). Are there ways to overcome this problem? Using ACLs?
Thanks in advance.
David
10-17-2007 04:17 AM
yes, you can use ACL to specify when to use a group
ie:
group MyNat
vip x.x.x.x
active
!
acl 1
clause 10 permit ip x.x.x.x destination any sourcegroup MyNat
apply all
10-17-2007 05:02 AM
Thank you Gilles,
I am not well versed in CSS ACLs, but will I have to apply it to every VLAN circuit? In such case any other traffic won't be blocked?
David
10-17-2007 07:13 AM
David,
if you apply it like this, nothing will work.
That's just an example.
You have to use similar entry in your existing acl and apply it on the appropriate interface.
Gilles.
10-17-2007 08:11 AM
Gilles,
In fact my question is:
if I apply an ACL to a VLAN circuit will I have to apply an ACL (maybe another one) to the remaining VLANs? Otherwise the traffic is denied by default?
David
10-17-2007 09:07 AM
Yes.
You will need to apply ACL to all VLANs.
Syed
10-18-2007 04:25 AM
Hi,
The Security Configuration Guide states that
"If you are load-balancing passive FTP servers and you want to use an ACL to
apply a source group, you must configure services directly in the source group."
My problem is adding services to the FTP GROUP. I think in this case I have to:
1 - remove the services ( with corresponding IP address) from the original GROUPS
2 - Create ACLs for those original GROUPS ( and CIRCUITS)
3 - add services to FTP GROUP.
David
10-18-2007 09:03 AM
Still not working.
I did put ACLs, add services to the FTP group but sniffing the connection on both sides of CSS shows different passive ftp ports.
Here's my config:
circuit VLAN11
ip address 172.22.80.254 255.255.255.0
ip virtual-router 11 priority 150 preempt
ip redundant-interface 11 172.22.80.252
ip critical-service 11 upstream
ip critical-reporter 11 Physical_if_DOWN
ip critical-reporter 11 r1
circuit VLAN10
ip address 172.18.80.254 255.255.255.0
ip virtual-router 10 priority 150 preempt
ip redundant-vip 10 172.18.80.8
ip redundant-vip 10 172.18.80.5
ip redundant-vip 10 172.18.80.6
ip critical-service 10 upstream
ip critical-reporter 10 Physical_if_DOWN
ip critical-reporter 10 r1
service FTP_1
ip address 172.22.80.1
protocol tcp
port 21
keepalive type tcp
keepalive frequency 60
redundant-index 3
active
service FTP_2
ip address 172.22.80.2
protocol tcp
port 21
keepalive type tcp
keepalive frequency 60
redundant-index 4
active
content FTP_SERVICE
add service FTP_cvhp05
add service FTP_cvhp06
vip address 172.18.80.8
protocol tcp
port 21
application ftp-control
redundant-index 22
active
group FTP_server
vip address 172.18.80.8
add service FTP_1
add service FTP_2
redundant-index 33
active
group OUT_cv1
vip address 172.18.80.5
redundant-index 31
active
group OUT_cv2
vip address 172.18.80.6
redundant-index 32
active
vip address 172.18.80.8
protocol tcp
port 21
application ftp-control
redundant-index 22
active
acl 1
clause 10 permit any any destination any
apply circuit-(VLAN10)
acl 2
clause 10 permit any 172.22.80.1 destination 172.18.80.0 255.255.255.0 sourcegroup OUT_cv1
clause 11 permit any 172.22.80.2 destination 172.18.80.0 255.255.255.0 sourcegroup OUT_cv2
clause 15 permit tcp any destination any sourcegroup FTP_server
clause 20 permit any any destination any
apply circuit-(VLAN11)
Thanks in advance
david
10-18-2007 09:05 AM
the names cvhp05 and cvhp06 are replaced by cv1 and cv2.
10-19-2007 07:22 AM
Hi,
I am stuck in it.
Does the CSS always translate the port specified by the FTP server after it receives a PASV command?
My ftp server works but the CSS translates the ports which cause my router to drop the connection.
Thank you for your help
David
10-24-2007 04:11 AM
Solved.
I had to change the default port settings on the Group config to ones expected on the client side.
Thank you all for your help