passive FTP problem CSS 11501

dalmada
Level 1

Hi,

I am facing a problem configuring FTP servers behind a CSS 11501 and I would appreciate your help.

The FTP service needs a GROUP, with the same VIP address as the CONTENT rule, configured to work correctly. The problem is that I have already configured GROUPs for different VIPs that use the same hosts' IP addresses as services, so when I try to add the service to the FTP group I am not allowed (as expected). Are there ways to overcome this problem? Using ACLs?

Thanks in advance.

David

10 Replies

Gilles Dufour
Cisco Employee

Yes, you can use an ACL to specify when to use a group.

i.e.:

group MyNat
  vip address x.x.x.x
  active
!
acl 1
  clause 10 permit ip x.x.x.x destination any sourcegroup MyNat
  apply all

Thank you Gilles,

I am not well versed in CSS ACLs, but will I have to apply it to every VLAN circuit? In that case, won't all other traffic be blocked?

David

David,

if you apply it like this, nothing will work.

That's just an example.

You have to use a similar entry in your existing ACL and apply it on the appropriate interface.

Gilles.

Gilles,

In fact my question is:

If I apply an ACL to a VLAN circuit, will I have to apply an ACL (maybe another one) to the remaining VLANs? Otherwise, is the traffic denied by default?

David

Yes.

You will need to apply an ACL to all VLANs.

Syed

Hi,

The Security Configuration Guide states that:

"If you are load-balancing passive FTP servers and you want to use an ACL to apply a source group, you must configure services directly in the source group."

My problem is adding services to the FTP GROUP. I think in this case I have to:

1 - remove the services (with the corresponding IP addresses) from the original GROUPs
2 - create ACLs for those original GROUPs (and CIRCUITs)
3 - add the services to the FTP GROUP.

David

Still not working.

I put in the ACLs and added the services to the FTP group, but sniffing the connection on both sides of the CSS shows different passive FTP ports.

Here's my config:

circuit VLAN11
  ip address 172.22.80.254 255.255.255.0
  ip virtual-router 11 priority 150 preempt
  ip redundant-interface 11 172.22.80.252
  ip critical-service 11 upstream
  ip critical-reporter 11 Physical_if_DOWN
  ip critical-reporter 11 r1

circuit VLAN10
  ip address 172.18.80.254 255.255.255.0
  ip virtual-router 10 priority 150 preempt
  ip redundant-vip 10 172.18.80.8
  ip redundant-vip 10 172.18.80.5
  ip redundant-vip 10 172.18.80.6
  ip critical-service 10 upstream
  ip critical-reporter 10 Physical_if_DOWN
  ip critical-reporter 10 r1

service FTP_1
  ip address 172.22.80.1
  protocol tcp
  port 21
  keepalive type tcp
  keepalive frequency 60
  redundant-index 3
  active

service FTP_2
  ip address 172.22.80.2
  protocol tcp
  port 21
  keepalive type tcp
  keepalive frequency 60
  redundant-index 4
  active

content FTP_SERVICE
  add service FTP_cvhp05
  add service FTP_cvhp06
  vip address 172.18.80.8
  protocol tcp
  port 21
  application ftp-control
  redundant-index 22
  active

group FTP_server
  vip address 172.18.80.8
  add service FTP_1
  add service FTP_2
  redundant-index 33
  active

group OUT_cv1
  vip address 172.18.80.5
  redundant-index 31
  active

group OUT_cv2
  vip address 172.18.80.6
  redundant-index 32
  active

acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN10)

acl 2
  clause 10 permit any 172.22.80.1 destination 172.18.80.0 255.255.255.0 sourcegroup OUT_cv1
  clause 11 permit any 172.22.80.2 destination 172.18.80.0 255.255.255.0 sourcegroup OUT_cv2
  clause 15 permit tcp any destination any sourcegroup FTP_server
  clause 20 permit any any destination any
  apply circuit-(VLAN11)

Thanks in advance

david

The names cvhp05 and cvhp06 are replaced by cv1 and cv2.

Hi,

I am stuck in it.

Does the CSS always translate the port specified by the FTP server after it receives a PASV command?

My FTP server works, but the CSS translates the ports, which causes my router to drop the connection.

Thank you for your help

David

Solved.

I had to change the default port settings in the group config to the ones expected on the client side.

Thank you all for your help
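The behaviour David ran into is general to any NAT in front of passive FTP: the server's "227 Entering Passive Mode" reply carries the data address and port inside the application payload, so the device in the middle has to rewrite that reply (what the CSS `application ftp-control` rule does for the address), and if it also remaps the data port into its own pool, the router or firewall on the client side must permit that pool, not the range the server itself uses. The following is an added example written for this page, not code from the thread or from the Cisco CSS; it models a 227 rewrite in Python with a toy NAT whose `portmap` tuple is this example's own notion of a port pool (the names `FtpAlgNat`, `portmap`, `passive_transfer_succeeds` and the 172.x addresses reused from the thread are assumptions, not CSS keywords), and shows the transfer failing when the pool lies outside the client-side allowed range and succeeding once the pool is moved into it, which is the fix reported above.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed example: a toy model of a passive-FTP control channel crossing a
# load balancer that source-NATs the server behind a VIP. Class and function
# names are this example's own, not Cisco CSS commands or keywords.

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    The address and port are carried in the application payload, not in any
    IP/TCP header, so a plain L3/L4 NAT cannot fix them up; that is the job of
    an FTP ALG such as the CSS 'application ftp-control' rule.
    """
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def build_pasv(ip: str, port: int) -> str:
    """Render a 227 reply in the comma-separated form FTP clients expect."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    octets = ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ",".join(octets), port // 256, port % 256)


class FtpAlgNat:
    """Presents a real server behind `vip` and rewrites its 227 replies.

    portmap=None keeps the server's advertised data port unchanged (only the
    address is rewritten). portmap=(base_port, number_of_ports) models a port
    pool: the advertised port is replaced by the next free pool port and the
    mapping is remembered so the client's data connection can be forwarded.
    """

    def __init__(self, vip: str, portmap: Optional[Tuple[int, int]] = None):
        self.vip = vip
        self.portmap = portmap
        self.next_port = portmap[0] if portmap else 0
        self.bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_pasv(self, server_reply: str) -> str:
        real_ip, real_port = parse_pasv(server_reply)
        if self.portmap is None:
            vip_port = real_port
        else:
            base, count = self.portmap
            if self.next_port >= base + count:
                raise RuntimeError("port pool exhausted")
            vip_port = self.next_port
            self.next_port += 1
        self.bindings[(self.vip, vip_port)] = (real_ip, real_port)
        return build_pasv(self.vip, vip_port)

    def lookup(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Where an inbound data connection to (dst_ip, dst_port) is forwarded."""
        return self.bindings.get((dst_ip, dst_port))


def passive_transfer_succeeds(server_reply: str, nat: FtpAlgNat,
                              client_side_allowed: Tuple[int, int]) -> bool:
    """The client reads the rewritten 227; its router/firewall must permit the
    advertised port, and the NAT must be able to map it back to the server."""
    rewritten = nat.translate_pasv(server_reply)
    ip, port = parse_pasv(rewritten)
    lo, hi = client_side_allowed
    if not lo <= port <= hi:
        return False  # dropped by the client-side filter, as in the thread
    return nat.lookup(ip, port) is not None


if __name__ == "__main__":
    reply = build_pasv("172.22.80.1", 50000)   # what the real server sends
    allowed = (50000, 50100)                   # range the client-side router permits
    print(passive_transfer_succeeds(reply, FtpAlgNat("172.18.80.8"), allowed))
    print(passive_transfer_succeeds(reply, FtpAlgNat("172.18.80.8", (3000, 100)), allowed))
    print(passive_transfer_succeeds(reply, FtpAlgNat("172.18.80.8", (50000, 100)), allowed))
```

Two practical checks fall out of this: capture the 227 reply on both sides of the load balancer (as David did) and compare the decoded port, and make sure whatever port pool the NAT hands out is the range the downstream router or firewall actually permits. The parser also rejects octets above 255 and replies that are not 227 at all, since a NAT that blindly trusts the payload can be steered by a malicious server reply.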
