What block FTP downloads on this config

Unanswered Question
Nov 21st, 2007

Hi,

We are not able to download files from an external/public FTP server. The following is an abbreviated config from our Cisco 2621 perimeter router. Any suggestions would be appreciated.

Thanks. Said

memory-size iomem 25

ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Serial tcp
ip inspect name Serial udp
ip inspect name Serial cuseeme
ip inspect name Serial ftp
ip inspect name Serial h323
ip inspect name Serial rcmd
ip inspect name Serial realaudio
ip inspect name Serial smtp
ip inspect name Serial streamworks
ip inspect name Serial vdolive
ip inspect name Serial sqlnet
ip inspect name Serial tftp

ip audit smtp spam 5
ip audit name -audit info action alarm
ip audit name -audit attack action alarm

interface FastEthernet0/0
 ip address
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable

interface Serial0/1
 ip address
 no ip directed-broadcast
 ip nat inside
 service-policy output POLICY1
 no cdp enable

interface Async65
 ip address
 no ip directed-broadcast
 ip nat inside
 encapsulation ppp
 keepalive 10
 async mode interactive

ip nat pool NAT netmask
ip nat inside source route-map internet2 pool NAT overload
ip nat inside source static tcp extendable
ip nat inside source static 192.168.1.4

ip classless
ip route 0.0.0.0 0.0.0.0
ip route 10.1.1.0 255.255.255.0 192.168.1.10
ip route 10.5.5.0 255.255.255.0 192.168.1.10
ip route 10.6.6.0 255.255.255.0 192.168.1.10
ip route 10.9.9.0 255.255.255.0 192.168.1.10
ip route 10.9.10.0 255.255.255.0 192.168.1.10
ip route 10.10.10.0 255.255.255.0 192.168.1.10
ip route 10.100.100.0 255.255.255.0 192.168.1.10
ip route 172.16.0.0 255.255.0.0 172.16.2.2
ip route 172.16.1.0 255.255.255.0 172.16.2.2
ip route 172.16.5.0 255.255.255.0 207.213.196.5
ip route 172.16.6.0 255.255.255.0 207.213.196.5
ip route 192.168.0.0 255.255.255.0 192.168.1.10

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 103 permit tcp host host eq telnet
access-list 103 permit tcp host 10.199.249.220 host eq telnet
access-list 103 permit tcp host host eq telnet
access-list 103 permit tcp any host eq smtp log
access-list 103 permit tcp any host eq www
access-list 103 permit tcp any host eq 22 log
access-list 103 permit udp any host eq isakmp log
access-list 103 permit esp any host log
access-list 103 permit tcp any host eq www log
access-list 103 permit tcp any host eq ftp log
access-list 103 permit icmp any any echo-reply log
access-list 103 permit tcp any any established
access-list 103 permit tcp any host eq pop3
access-list 103 permit esp any any
access-list 103 permit udp any eq isakmp any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any eq 4500 any
access-list 103 permit tcp any any eq 4500
access-list 103 permit udp any eq domain any
access-list 103 permit ip host xxxxxxxxxxx any
access-list 103 permit ip host xxxxxxxxxxx any
access-list 103 permit ip host xxxxxxxxxxxx any
access-list 103 permit ip 172.16.6.0 0.0.0.255 host
access-list 103 permit ip 172.16.5.0 0.0.0.255 host

access-list 110 permit ip any any

access-list 130 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 172.16.0.0 0.0.255.255 any

access-list 150 permit udp any any range 5000 5070
access-list 150 permit udp any range 5000 5070 any
access-list 150 permit udp any any eq 5567
access-list 150 permit udp any eq 5567 any
access-list 150 permit tcp any any eq 5566
access-list 150 permit tcp any eq 5566 any
access-list 150 permit tcp any any eq 5570
access-list 150 permit tcp any eq 5570 any
access-list 150 permit udp any any eq 16384
access-list 150 permit udp any eq 16384 any
access-list 150 permit tcp any any eq 2427
access-list 150 permit tcp any eq 2427 any
access-list 150 permit udp any any eq 4000
access-list 150 permit udp any eq 4000 any
access-list 150 permit udp any any eq 4010
access-list 150 permit udp any eq 4010 any

Richard Burts Wed, 11/21/2007 - 11:59

Said

You have hidden so much information that we are not able to identify the problem. For example what you have posted includes 3 extended access lists but no information about how they are applied. If you want us to suggest answers we need sufficient detail to be able to understand what is going on.

HTH

Rick

saidfrh Wed, 11/21/2007 - 12:42

Rick,

Thanks. There is a limit on the number of characters that can be posted. The following attachment has the config.

Said

Attachment: 
Richard Burts Wed, 11/21/2007 - 13:32

Said

There are a couple of things that it might be. I will start with the most obvious and if that is not it, there are some other things to look at. In access list 103 there is a permit for ftp (TCP port 21):

access-list 103 permit tcp any host 2xx.213.196.11 eq ftp log

but there is not a permit for ftp-data (TCP port 20). Try adding a line like this for ftp-data:

access-list 103 permit tcp any host 2xx.213.196.11 eq ftp-data log

Give it a try and let us know if it helps.

HTH

Rick

saidfrh Fri, 11/23/2007 - 11:06

Rick,

Do I have to create a new access list with the added line in order to add "access-list 103 permit tcp any host 2xx.213.196.11 eq ftp-data log"? I remember from CCNA that if you change an access list it is no longer valid.

Thanks.

Said

Richard Burts Fri, 11/23/2007 - 18:46

Said

In a lot of access lists when you want to add a line to the access list you must remove the access list and rebuild the access list with the line added. In the case of this access list I do not believe that it is necessary.

The issue is that a line that you add to the access list will generally be put at the bottom of the access list. And in many access lists (especially ones that have permit ip any any or deny ip any any) adding a line at the bottom results in the line never matching anything. In the case of this access list I believe that adding the line at the bottom of the access list will still achieve the desired result.

HTH

Rick

saidfrh Tue, 11/27/2007 - 06:36

Rick,

Thanks. The following was added to the access-list.

access-list 103 permit tcp any host 2xx.213.196.11 eq ftp-data log

The client can log in to the FTP server, however after the initial connection the client gets disconnected. The following is a copy from the FTP server's log.

(000002) 11/27/2007 6:24:50 AM - (not logged in) (192.168.1.202)> Connected, sending welcome message...
(000002) 11/27/2007 6:24:50 AM - (not logged in) (192.168.1.202)> 220 Authorized users only are allowed access to this server.
(000002) 11/27/2007 6:25:21 AM - (not logged in) (192.168.1.202)> disconnected.
(000003) 11/27/2007 6:26:21 AM - (not logged in) (192.168.1.202)> Connected, sending welcome message...
(000003) 11/27/2007 6:26:21 AM - (not logged in) (192.168.1.202)> 220 Authorized users only are allowed access to this server.
(000003) 11/27/2007 6:26:52 AM - (not logged in) (192.168.1.202)> disconnected.

Richard Burts Tue, 11/27/2007 - 09:27

Said

It looks like the server does not see the login as successful. Your description says that the client can log to the server. Can we be more specific? They get a prompt and they enter their ID and password. What do they get on their screen after they enter the password and press enter? Can we be very specific about what the next message says?

HTH

Rick

saidfrh Tue, 11/27/2007 - 09:36

Rick,

You are right. After reviewing the server's log, the client was not logged on. I ran the wizard on the client's application and got the following message.

"Summary of test results:

Active mode FTP test failed. FileZilla knows the correct external IP address, but your router or firewall has misleadingly modified the sent address.

Please update your firewall and make sure your router is using the latest available firmware. Furthermore, your router has to be configured properly. You will have to use manual port forwarding. Don't run your router in the so called 'DMZ mode' or 'game mode'. Things like protocol inspection or protocol specific 'fixups' have to be disabled.

If this problem stays, please contact your router manufacturer......
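The FileZilla message above is about the FTP data channel: in active mode the client sends its own address and port in a PORT command, and a NAT router with an FTP ALG (the IOS "ip inspect ftp" fixup) has to rewrite that address to the public one and open a pinhole for the server's inbound connection from source port 20; in passive mode the server announces the data port in a 227 reply and the client connects out. The following is an added example, not code from the thread, FileZilla or Cisco, that parses both forms and shows what a correct rewrite looks like next to the two failure modes. The client address 192.168.1.202 is the one in the server log; 203.0.113.10 (the client's NAT address), 198.51.100.20 (an FTP server) and all port numbers are constructed documentation-range values, and classify_rewrite is a simplified guess at the comparison the wizard message implies, not FileZilla's actual logic.

```python
"""FTP data-channel mechanics behind the FileZilla wizard message.
Added example, not from the thread. 192.168.1.202 is the client in the post's
server log; 203.0.113.10, 198.51.100.20 and the ports are constructed values."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def encode_hostport(ip, port):
    """h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply (RFC 959)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"{ip.replace('.', ',')},{port >> 8},{port & 0xFF}"


def _decode(match):
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port(line):
    """Active mode: the client tells the server where to connect for data."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m)


def parse_pasv(line):
    """Passive mode: the server tells the client where to connect for data."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply")
    return _decode(m)


def alg_rewrite_port(line, private_ip, public_ip, mapped_port):
    """What a correct FTP ALG does to an outbound PORT command from a NATted client:
    swap the private address for the public one and open a pinhole for the server's
    inbound data connection (source port 20). A PORT for another host is left alone.
    Returns (rewritten command, pinhole or None)."""
    ip, port = parse_port(line)
    if ip != private_ip:
        return line.strip(), None
    rewritten = f"PORT {encode_hostport(public_ip, mapped_port)}"
    pinhole = {"proto": "tcp", "src_port": 20, "dst": public_ip, "dst_port": mapped_port}
    return rewritten, pinhole


def classify_rewrite(sent_line, server_saw_line, public_ip):
    """Simplified version of the check the wizard message implies (assumption, not
    FileZilla's code): does the address the server received equal the client's real
    external address?"""
    sent_ip, _ = parse_port(sent_line)
    seen_ip, _ = parse_port(server_saw_line)
    if seen_ip == public_ip:
        return "ok"
    if seen_ip == sent_ip:
        return "not rewritten"              # server would connect to a private address
    return "modified to wrong address"      # the complaint quoted in the post


def data_connection(mode, client_pub, server_ip, client_port=None, server_port=None):
    """Who opens the data connection. In active mode the SYN arrives from the outside,
    so a stateless 'permit tcp any any established' never matches it."""
    if mode == "active":
        return {"initiator": "server", "src": (server_ip, 20),
                "dst": (client_pub, client_port), "inbound_syn": True}
    if mode == "passive":
        return {"initiator": "client", "src": (client_pub, None),
                "dst": (server_ip, server_port), "inbound_syn": False}
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    sent = "PORT 192,168,1,202,4,1"          # client's private address, port 1025
    fixed, hole = alg_rewrite_port(sent, "192.168.1.202", "203.0.113.10", 1025)
    print(fixed, hole)
    print(classify_rewrite(sent, fixed, "203.0.113.10"))
    print(classify_rewrite(sent, "PORT 10,0,0,1,4,1", "203.0.113.10"))
    print(parse_pasv("227 Entering Passive Mode (198,51,100,20,195,80)."))
```

The "not rewritten" case is what happens when the inspect/fixup is absent and the server tries to reach 192.168.1.202 directly; the "modified to wrong address" case is the one the wizard reported, where something in the path changed the address to a value that is not the client's real external address.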

saidfrh Wed, 11/28/2007 - 22:55

Rick,

I believe secure FTP servers (SFTP) listen on port 990. Would placing a statement in access-list 103 to open that TCP port work? Would the above statement at the end of the access-list work? Could you share the correct statement needed? Thanks.

Said

jarredtaylor Wed, 11/21/2007 - 13:40

Said,

The 'data' connection on an FTP session is an inbound connection from the server using TCP source port 20 to a randomly chosen TCP port on the client. Since this is an inbound connection the 'permit tcp any any established' entry does not apply.

I can think of three solutions:

1) Open up all inbound connections from TCP source port 20 (access-list 103 permit tcp any eq 20 any). This is obviously not a good idea.

2) Add 'ip inspect name Serial ftp' and apply 'ip inspect Serial in' to your 'inside' interfaces. This essentially enables the IOS firewall feature set and instructs the router to watch for this FTP data connection. You will probably want to remove the 'permit tcp any any established' at that point.

3) Use passive FTP for all external FTP downloads from your clients.

HTH - and someone please correct me if I've spoken incorrectly (I know you will :))

saidfrh Tue, 11/27/2007 - 12:31

HTH,

Why isn't "access-list 103 permit tcp any eq 20 any" a good idea?

Said

jarredtaylor Tue, 11/27/2007 - 12:41

That will allow any host on the Internet using a TCP source port of 20 unrestricted access into your network.

Jarred
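Rick's point about appended lines and Jarred's warning about 'permit tcp any eq 20 any' both come down to how IOS evaluates an extended ACL: top to bottom, first match wins, implicit deny at the end, and 'established' only matches segments with ACK or RST set. The simulator below is an added example (not from the thread or from Cisco) that runs a trimmed subset of access-list 103, assumed applied inbound on the outside interface, against the flows in this thread. All addresses are constructed: 203.0.113.11 stands in for the DMZ server 2xx.213.196.11, 203.0.113.1 is the NAT address of the inside client, 198.51.100.7 is a remote FTP server, 192.0.2.66 is an attacker, and the port numbers are made up.

```python
"""First-match evaluation of an IOS-style extended ACL against the FTP flows in
the thread. Added example, not from the thread or from Cisco; all addresses and
ports below are constructed (203.0.113.11 stands in for 2xx.213.196.11)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False      # True for the first packet of a new TCP connection


def _covers(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'any' or a prefix for src/dst, None for any port."""
    action: str
    proto: str                   # "ip", "tcp" or "udp"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False    # IOS 'established': matches only if ACK or RST is set

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not _covers(self.src, p.src) or not _covers(self.dst, p.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and p.syn_only:
            return False
        return True


def evaluate(acl, p):
    """IOS semantics: entries are tested top to bottom, the first match wins, and an
    implicit 'deny ip any any' sits at the end. Returns (action, index or None)."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None


def is_shadowed(acl, idx):
    """True if an earlier entry matches everything entry idx could match, so idx never
    fires (Rick's case: a line appended below 'permit ip any any' / 'deny ip any any')."""
    e = acl[idx]
    for earlier in acl[:idx]:
        if earlier.proto not in ("ip", e.proto):
            continue
        if earlier.src != "any" and earlier.src != e.src:
            continue
        if earlier.dst != "any" and earlier.dst != e.dst:
            continue
        if earlier.sport is not None and earlier.sport != e.sport:
            continue
        if earlier.dport is not None and earlier.dport != e.dport:
            continue
        if earlier.established and not e.established:
            continue
        return True
    return False


SERVER = "203.0.113.11"       # DMZ FTP server (stands in for 2xx.213.196.11)
CLIENT_PUB = "203.0.113.1"    # NAT address of the inside client 192.168.1.202

# Trimmed subset of access-list 103, assumed applied inbound on the outside interface.
ACL_103 = [
    Ace("permit", "tcp", dst=SERVER, dport=21),      # permit tcp any host <server> eq ftp
    Ace("permit", "tcp", established=True),          # permit tcp any any established
    Ace("permit", "tcp", dst=SERVER, dport=20),      # eq ftp-data, appended at the bottom
]
ACL_WITH_PORT20 = ACL_103 + [Ace("permit", "tcp", sport=20)]   # Jarred's option 1
ACL_SHADOWED = [Ace("permit", "ip")] + ACL_103                  # 'permit ip any any' on top

# Constructed inbound packets:
CONTROL_SYN = Packet("tcp", "198.51.100.7", 40001, SERVER, 21, syn_only=True)      # Internet -> DMZ server
CONTROL_REPLY = Packet("tcp", "198.51.100.7", 21, CLIENT_PUB, 40002)               # reply to client's outbound session
ACTIVE_DATA = Packet("tcp", "198.51.100.7", 20, CLIENT_PUB, 50123, syn_only=True)  # server-initiated data SYN
ATTACKER = Packet("tcp", "192.0.2.66", 20, CLIENT_PUB, 3389, syn_only=True)        # anything with source port 20

if __name__ == "__main__":
    for name, acl in (("acl 103", ACL_103), ("acl 103 + any eq 20 any", ACL_WITH_PORT20)):
        for pname, pkt in (("control", CONTROL_SYN), ("reply", CONTROL_REPLY),
                           ("active data", ACTIVE_DATA), ("attacker", ATTACKER)):
            print(f"{name:26} {pname:12} -> {evaluate(acl, pkt)}")
    print("ftp-data entry shadowed:", is_shadowed(ACL_SHADOWED, 3))
```

Running it shows the three facts the thread circles around: the appended ftp-data entry is reachable in this ACL because nothing above it covers it, the server-initiated data SYN to the inside client is still dropped because 'established' does not match a SYN and the ftp-data entry only names the DMZ server, and 'permit tcp any eq 20 any' admits that SYN together with any other connection whose source port happens to be 20.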

saidfrh Tue, 11/27/2007 - 12:49

Jarred,

The secure FTP server is on the "dirty DMZ" with a public IP, connected to the perimeter router. The perimeter router uses CBAC to filter traffic. How would outside users get access to the LAN?

Said

saidfrh Thu, 11/29/2007 - 08:09

I put in access-list 103 permit tcp any eq 20 any, however the client still can not connect to the server. The above is on the running config, I did not copy it to starting config.

Danilo Dy Sun, 12/02/2007 - 07:47

Hi,

To make it clear, SFTP is actually SSH, which is on TCP 22. FTPS is FTP over SSL/TLS; there are two modes to this, and most firewalls don't work with one of them, while some firewalls don't work with either of them.

Are you using SFTP or FTPS? If you are using FTPS, I suggest you either use plain FTP or SFTP.

Regards,

Dandy

saidfrh Sun, 12/02/2007 - 18:35

Hi Danny,

I have built an FTPS server with SSL encryption. Our firewall is the IOS firewall feature set of the Cisco 2621 perimeter router. My next step is to open up inbound connections from port 20: access-list 103 permit tcp any eq 20 any. The server sits on the DMZ with a public IP. The server will have anti-virus software, and documents will be in PDF format, so the files do not get altered.

Said
