07-31-2008 12:48 PM - edited 03-11-2019 06:23 AM
I'm trying to configure Serv-U to run in passive mode behind a Cisco ASA 5505. What is the proper way to do this?
07-31-2008 01:04 PM
A static NAT entry to reach the FTP server, "inspect ftp" in the policy-map, and an access-list entry allowing access to the FTP server are all you should need.
static (inside,outside)
access-list outside_in permit tcp any host
access-group outside_in in interface outside
...
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
...
service-policy global_policy global
This can also be done using PAT instead of NAT. Just change the ACL and the static to use the interface:
access-list outside_in permit tcp any interface outside eq ftp
static (inside,outside) tcp interface ftp
Hope this helps.
Cheers,
Eloy Paris.-
07-31-2008 01:45 PM
I'm concerned about the passive part of my request. Can you expand on how that will work?
We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea?
07-31-2008 02:01 PM
Let's understand this:
1- PIX/ASA can NOT allow ONLY passive FTP through the firewall if there is NAT involved. This is NOT possible.
For example, say you have Linux vsftpd running behind the firewall serving both Active/Passive. Let's say that your objective is to allow both Active and Passive FTP for users on the inside network; however, you want the firewall to allow ONLY passive FTP from users on the outside (i.e. the Internet).
Let's say the IP address of the Linux vsFTPd server is 192.168.1.1, and that this server is NAT'ed to 1.1.1.1 by the PIX firewall:
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
In this scenario, the PIX can NOT do this. You have NO choice but to enable "fixup protocol ftp 21". If you turn OFF FTP inspection, nothing will work.
For situations like this, you need firewalls other than Cisco.
07-31-2008 02:12 PM
Of course; nobody is saying that fixup protocol ftp 21 (or inspect ftp in newer PIX code) is not necessary. Without the firewall doing deep packet inspection of FTP traffic, dynamic holes can't be opened in the access list for return traffic, so nothing will work.
I actually don't fully understand what you are saying: on the one hand you say that it is not possible, but that if you turn on fixup it will be. On the other hand you are saying that you may need firewalls other than Cisco, which I guess means you think it will not work. So I am puzzled.
Any firewall needs to inspect the FTP control connection to be able to determine what hole to poke on the access list. What is it that you say other firewalls do different than Cisco's?
Cheers,
Eloy Paris.-
07-31-2008 03:48 PM
This is what I understand:
Linux_FTP_server---(i)--Pix--(o)---FTP_client
The FTP server is serving both Active/Passive FTP. The FTP server is 192.168.1.10/24. The Pix inside IP is 192.168.1.1/24. The Pix outside IP address is 1.1.1.1/24. FTP_client is 1.1.1.2/24. FTP_client connects to the FTP server via the IP address 1.1.1.10.
Requirements:
Allow ONLY Passive FTP through the Pix firewall. Active FTP will NOT be allowed through the Pix firewall. In other words, Active FTP connections will be dropped by the Pix firewall.
static (i,o) 1.1.1.10 192.168.1.10 netmask 255.255.255.255
access-list External permit ip any any log
access-group External in interface outside
Pix/ASA can NOT do this.
Other firewall vendors such as Checkpoint have the capability to allow ONLY passive FTP through the firewall with NAT. I think Netscreen can do this too, but I can't confirm because I have not touched Netscreen in eight months.
Make sense?
08-13-2008 06:22 PM
Thanks for this post!! I've been fighting with FTP for a few days now. I've been using names for Network Objects to make Destination Access Rules and NAT Rule Sources easier to read. Your post above stating specifically
Running 5510 ASA 8.0(2) ASDM 6.1(1).
Thanks!!
ERIN
07-31-2008 05:39 PM
My objective is to allow both Active and Passive SSH/SSL/HTTPS FTP to make it easier on my non-technical ftp clients. Thoughts on that? Would I need to do the "fixup"? I'm not sure what that is. I'm a Juniper GUI guy, sorry.
Rhinosoft, the maker of Serv-U, says that the reason I can only connect with Active is due to a misconfigured Cisco ASA 5505 sitting in front of it.
I have my IP and ports routed correctly as far as I can tell:
access-list INBOUND extended permit tcp any host x.x.x.35 eq 3389
access-list INBOUND extended permit tcp any host x.x.x.35 eq ftp
access-list INBOUND extended permit tcp any host x.x.x.35 eq ftp-data
access-list INBOUND extended permit tcp any host x.x.x.35 eq https
access-list INBOUND extended permit tcp any host x.x.x.35 eq ssh
access-list INBOUND extended permit tcp any host x.x.x.35 eq 990
access-list INBOUND extended permit tcp any host x.x.x.35 range 2000 2020
access-list INBOUND extended permit tcp any host x.x.x.35 range 50000 50020
The last two entries are passive port ranges I tried to plug into the software, but they didn't give me any luck.
We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea? Is that a terribly insecure idea?
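To see concretely which passive ports the INBOUND list above would admit, here is an added example (my own code, not the poster's configuration or anything from Cisco) that parses ASA extended ACEs of the shape used in this thread and evaluates them first-match with the implicit deny. The redacted public address x.x.x.35 is replaced by the documentation-range stand-in 203.0.113.35, and the client address 198.51.100.1 and the wider 50000-50050 server range are constructed for the demonstration. One caveat from the rest of the thread: with "inspect ftp" enabled, the ASA opens the data-connection pinhole itself, so these explicit range lines only decide the outcome when inspection is off.

```python
import re

# Constructed copy of the INBOUND list posted in this thread, with the redacted
# public address x.x.x.35 replaced by the documentation-range stand-in 203.0.113.35.
INBOUND = [
    "access-list INBOUND extended permit tcp any host 203.0.113.35 eq 3389",
    "access-list INBOUND extended permit tcp any host 203.0.113.35 eq ftp",
    "access-list INBOUND extended permit tcp any host 203.0.113.35 eq ftp-data",
    "access-list INBOUND extended permit tcp any host 203.0.113.35 eq https",
    "access-list INBOUND extended permit tcp any host 203.0.113.35 eq ssh",
    "access-list INBOUND extended permit tcp any host 203.0.113.35 eq 990",
    "access-list INBOUND extended permit tcp any host 203.0.113.35 range 2000 2020",
    "access-list INBOUND extended permit tcp any host 203.0.113.35 range 50000 50020",
    "access-list INBOUND extended permit icmp any any",
]

# Service names that appear in the list above, mapped to port numbers.
NAMED_PORTS = {"ftp": 21, "ftp-data": 20, "https": 443, "ssh": 22}

# Only the ACE shapes used in this thread are supported: any/host addresses, eq/range ports.
_ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)"
    r"(?:\s+eq\s+(?P<eq>\S+)|\s+range\s+(?P<lo>\S+)\s+(?P<hi>\S+))?\s*$"
)


def port_number(token):
    """Turn '990' or 'https' into an integer port."""
    if token.isdigit():
        return int(token)
    if token in NAMED_PORTS:
        return NAMED_PORTS[token]
    raise ValueError("unknown service name %r" % token)


def parse_ace(line):
    """Parse one extended ACE into a dict with a (lo, hi) destination-port range."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE syntax: %r" % line)
    g = m.groupdict()
    if g["eq"]:
        ports = (port_number(g["eq"]),) * 2
    elif g["lo"]:
        ports = (port_number(g["lo"]), port_number(g["hi"]))
    else:
        ports = (0, 65535)  # no port qualifier: every destination port
    return {"name": g["name"], "action": g["action"], "proto": g["proto"],
            "src": g["src"], "dst": g["dst"], "ports": ports}


def _addr_match(spec, ip):
    return spec == "any" or spec.split()[1] == ip


def acl_decision(aces, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation, ending in the implicit deny every ASA ACL has."""
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (_addr_match(ace["src"], src_ip) and _addr_match(ace["dst"], dst_ip)):
            continue
        lo, hi = ace["ports"]
        if lo <= dst_port <= hi:
            return ace["action"]
    return "deny"


def unpermitted_ports(aces, dst_ip, lo, hi, src_ip="198.51.100.1"):
    """Ports in [lo, hi] that an outside client (constructed source address) could NOT reach."""
    return [p for p in range(lo, hi + 1)
            if acl_decision(aces, "tcp", src_ip, dst_ip, p) != "permit"]


if __name__ == "__main__":
    aces = [parse_ace(line) for line in INBOUND]
    server = "203.0.113.35"
    print("control channel (21):", acl_decision(aces, "tcp", "198.51.100.1", server, 21))
    print("passive range 50000-50020 not permitted:", unpermitted_ports(aces, server, 50000, 50020))
    # A server whose passive range is wider than the ACL covers (constructed 50000-50050):
    print("passive range 50000-50050 not permitted:", unpermitted_ports(aces, server, 50000, 50050))
```

Running it shows the posted list fully covers 50000-50020, while a server range that extends past the ACL leaves ports 50021 and up hitting the implicit deny, which is the kind of mismatch between the server's passive range and the firewall's list that the poster is chasing.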
07-31-2008 06:21 PM
The problem with the ASA is that fixup is enabled by default. Therefore, once you allow FTP, both active/passive will be allowed. In a NAT environment, you can not stop Active only or Passive only FTP. You either have to allow both or deny both.
I don't know if you understand how Active and Passive work. In Active mode, the FTP server initiates a connection back to the client, sourcing from port 20 to the client's random high ports. This is a security risk to the client. In Passive mode, the client initiates a connection from its high ports to the server's random high ports. This puts the server at risk because it has to allow random high ports on the server. That's why in vsftpd or even Microsoft IIS, you minimize the risk by narrowing the port ranges in Passive mode.
The workaround for all this is Secure Copy Protocol (SCP) or SecureFTP. Both of these run on top of SSH, which is very secure. You don't need to worry about FTP craps.
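The active/passive distinction described in the post above, and the later suggestion of an inside ACL that denies source port 20, as an added example that is not part of this thread and not any vendor's code. It decodes the h1,h2,h3,h4,p1,p2 tuple from a PORT command or a 227 reply, works out which side must accept the data connection, and reports the two things a firewall admin checks on a passive reply: whether the server leaked its RFC 1918 inside address (nothing rewrote the reply on the way out) and whether the advertised port falls inside the narrowed passive range. The control-channel lines, the client addresses 198.51.100.7 and 203.0.113.35 as the public stand-in, and the port 2030 reply are constructed; the server inside address and the 50000-50020 range come from the configuration posted in this thread.

```python
import ipaddress
import re

# Constructed sample control-channel lines (not captured from any system in this thread).
# A 227 reply as the server sends it when nothing rewrites it: the inside address leaks out.
PASV_REPLY_PRIVATE = "227 Entering Passive Mode (192,168,61,248,195,80)"
# A 227 reply after the NAT device rewrote the embedded address; 203.0.113.35 stands in for
# the server's public address, and 7,238 encodes port 2030.
PASV_REPLY_PUBLIC = "227 Entering Passive Mode (203,0,113,35,7,238)"
# A PORT command from a client asking for active mode (198.51.100.7 is a constructed client).
PORT_CMD = "PORT 198,51,100,7,19,137"

SERVER_INSIDE_IP = "192.168.61.248"  # from the config posted in this thread
PASV_RANGE = (50000, 50020)          # the narrowed passive range the poster configured

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by both PORT and the 227 reply (RFC 959)."""
    m = _TUPLE.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def data_connection(line, server_ip):
    """Describe the data connection a control-channel line sets up: who connects to whom."""
    host, port = parse_hostport(line)
    if line.upper().startswith("PORT "):
        # Active mode: the server opens the connection from port 20 to the client's high
        # port, so the CLIENT side has to accept an inbound connection.
        return {"mode": "active", "src": (server_ip, 20), "dst": (host, port), "listener": "client"}
    if line.startswith("227 "):
        # Passive mode: the client connects from a high port to the server's advertised high
        # port, so the SERVER side has to accept an inbound connection on that port.
        return {"mode": "passive", "src": None, "dst": (host, port), "listener": "server"}
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def is_rfc1918(host):
    return any(ipaddress.ip_address(host) in net for net in RFC1918)


def passive_findings(conn, pasv_range):
    """Problems to look for in a passive data connection; an empty list means clean."""
    host, port = conn["dst"]
    findings = []
    if is_rfc1918(host):
        # The server advertised its inside address: the 227 reply was not rewritten on the
        # way out, which is what an outside client sees when the NAT device does not
        # inspect FTP. The client will try to connect to an unroutable address.
        findings.append("private-address")
    lo, hi = pasv_range
    if not lo <= port <= hi:
        # The server handed out a port the firewall's explicit list does not cover.
        findings.append("port-outside-range")
    return findings


def hit_by_deny_src20(conn):
    """True if an inside ACL line 'deny tcp any eq 20 any' would drop this data connection."""
    return conn["src"] is not None and conn["src"][1] == 20


if __name__ == "__main__":
    for line in (PASV_REPLY_PRIVATE, PASV_REPLY_PUBLIC, PORT_CMD):
        conn = data_connection(line, SERVER_INSIDE_IP)
        print(line)
        print("  %s: data connection to %s:%d, %s must accept it"
              % (conn["mode"], conn["dst"][0], conn["dst"][1], conn["listener"]))
        if conn["mode"] == "passive":
            print("  findings:", passive_findings(conn, PASV_RANGE) or "none")
        else:
            print("  dropped by 'deny tcp any eq 20 any' on inside:", hit_by_deny_src20(conn))
```

The first reply decodes to 192.168.61.248:50000, which is inside the configured range but unreachable from the Internet, so the finding is the leaked private address rather than the port; the second decodes to a public address on port 2030, which is routable but outside the range; and the PORT command yields a server-initiated connection from port 20, which is exactly the flow the inside ACL deny targets.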
07-31-2008 06:33 PM
cisco24x7,
> The problem with the ASA is that fixup is
> enabled by default.
That's actually a positive thing, in my opinion, but if it bothers anyone, or violates the organization's security policy, it can obviously be disabled.
> Therefore, once you
> allow FTP, both active/passive will be
> allowed.
He already said that he wants to allow both active and passive so this shouldn't be a problem.
> In a NAT environment, you can not
> stop Active only or passive only FTP. You
> either have to allow both or deny both.
Not necessarily - you can do the following:
access-list inside_in deny tcp any any eq 20
access-list inside_in permit ip any any
access-group inside_in in interface inside
and this will prevent active FTP from working but passive FTP will still work.
This is not a problem for him, though, since he said that he wants both active and passive FTP. But anyone concerned about allowing active FTP can apply this simple workaround to kill active FTP.
Cheers,
Eloy Paris.-
07-31-2008 06:37 PM
Sorry, the deny above is obviously wrong. Should be:
access-list inside_in deny tcp any eq 20 any
(The idea is obviously to prevent the FTP server from establishing the outgoing connection from port 20 to the FTP client on the outside.)
07-31-2008 06:36 PM
I'm confused then. Why don't you think I'm having any luck with Passive if I've configured ports on the software and firewall for that purpose? I'll include my whole config below so that you can maybe explain where I need to make changes.
07-31-2008 06:37 PM
interface Vlan1
nameif inside
security-level 100
ip address 192.168.61.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 38.x.x.34 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
domain-name domainname1.com
access-list nonat extended permit ip any 172.16.0.0 255.240.0.0
access-list nonat extended permit ip any 192.168.0.0 255.255.0.0
access-list nonat extended permit ip any 10.0.0.0 255.0.0.0
access-list domainname2 extended permit ip 192.168.61.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list INBOUND extended permit tcp any host 38.x.x.35 eq 3389
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ftp
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ftp-data
access-list INBOUND extended permit tcp any host 38.x.x.35 eq https
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ssh
access-list INBOUND extended permit tcp any host 38.x.x.35 eq 990
access-list INBOUND extended permit tcp any host 38.x.x.35 range 2000 2020
access-list INBOUND extended permit tcp any host 38.x.x.35 range 50000 50020
access-list INBOUND extended permit icmp any any
access-list OUTBOUND extended deny tcp any any eq 6346
access-list OUTBOUND extended deny tcp any any eq 6347
access-list OUTBOUND extended deny udp any any eq 6346
access-list OUTBOUND extended deny udp any any eq 6347
access-list OUTBOUND extended permit ip any any
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.68.0 255.255.254.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 172.30.103.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.180.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 38.x.x.34 192.168.61.200 netmask 255.255.255.255
static (inside,outside) 38.x.x.35 192.168.61.248 netmask 255.255.255.255
access-group OUTBOUND in interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 38.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
service-policy global_policy global
prompt hostname context
07-31-2008 06:55 PM
The configuration looks *almost* good:
static (inside,outside) 38.x.x.34 192.168.61.200 netmask 255.255.255.255
This line doesn't make sense - you are NATing 192.168.61.200 to the same IP address as the outside interface of the ASA. That shouldn't be, but I don't see why it would affect the problem with FTP not working.
Is the FTP server at 192.168.61.248?
You should turn on logging to see what is going on.
Cheers,
Eloy Paris.-
07-31-2008 06:58 PM
Eloy Paris,
>Not necessarily - you can do the following:
>access-list inside_in deny tcp any eq 20 any
>access-list inside_in permit ip any any
>access-group inside_in in interface inside
>and this will prevent active FTP from working but passive FTP will still work.
Is this something you've tested and verified that it works, or is it just an "educated" guess on your part?
When you enable "fixup protocol ftp 21" or FTP inspection, the ACL "access-list inside_in deny tcp any any eq 20" will become useless when there is NAT.
However, what you stated above is true if there is NO NAT involved. Again, the minute you enable "fixup protocol ftp 21" that ACL will be bypassed.
An analogy to this is how the command "sysopt connection permit-ipsec" bypasses the ACL line applied to the outside interface for IPsec traffic.