Configuring an FTP Server behind Cisco

briankrontz
Level 1

I'm trying to configure Serv-U to run in passive mode behind a Cisco ASA 5505. What is the proper way to do this?

44 Replies

elparis
Cisco Employee

A static NAT entry to reach the FTP server, "inspect ftp" in the policy-map, and allow access to the FTP server in the access list is all you should need.

static (inside,outside)
access-list outside_in permit tcp any host eq ftp
access-group outside_in in interface outside
...
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
...
service-policy global_policy global

Can also be done if using PAT instead of NAT. Just change the ACL and the static to use the interface:

access-list outside_in permit tcp any interface outside eq ftp
static (inside,outside) tcp interface ftp

Hope this helps.

Cheers,

Eloy Paris.-

I'm concerned about the passive part of my request. Can you expand on how that will work?

We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea?

Let's understand this:

1- Pix/ASA can NOT allow ONLY passive FTP through the firewall if there is NAT involved. This is NOT possible.

For example, say you have Linux vsftpd running behind the firewall serving both Active/Passive. Let's say that your objective is to allow both Active and Passive FTP for users on the inside network; however, you want the firewall to allow ONLY passive FTP from users on the outside (i.e. the Internet).

Let's say the IP address of the Linux vsFTPd server is 192.168.1.1. Let's say that this server is NAT'ed to 1.1.1.1 by the Pix firewall:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

In this scenario, Pix can NOT do this. In this scenario, you have NO choice but to enable "fixup protocol ftp 21". If you turn OFF FTP inspection, nothing will work.

For situations like this, you need firewalls other than Cisco.

Of course, nobody is saying that fixup protocol ftp 21 (or inspect ftp in newer PIX code) is not necessary. Without the firewall doing deep packet inspection of FTP traffic, dynamic holes can't be opened in the access list for return traffic, so nothing will work.

I actually don't fully understand what you are saying: on the one hand you say that it is not possible, but if you turn on fixup that it will work. On the other hand you are saying that you may need firewalls other than Cisco, which I guess means you think it will not work. So I am puzzled.

Any firewall needs to inspect the FTP control connection to be able to determine what hole to poke in the access list. What is it that you say other firewalls do differently from Cisco's?

Cheers,

Eloy Paris.-
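Added example, not from the thread and not Cisco's code: a small Python model of the control-channel inspection described above, i.e. what "inspect ftp" / "fixup protocol ftp 21" must parse before it can open a dynamic hole. It reads the PORT command (active mode) and the 227 reply to PASV (passive mode), derives the data connection the firewall has to permit, and, when the server sits behind static NAT, rewrites the private address the server embeds in its 227 reply to the translated one. It also refuses a PORT command naming any address other than the client's own. The addresses (server 192.168.1.1 translated to 1.1.1.1, client 203.0.113.5) and all function and class names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    """One dynamic data-channel permit the inspector must add."""
    mode: str            # "active" or "passive"
    initiator_ip: str    # side that opens the data connection
    initiator_port: str  # "20" for active (server side), "any" (ephemeral) for passive
    target_ip: str
    target_port: int


def _decode_hostport(text: str) -> Tuple[str, int]:
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: " + text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in: " + text)
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def _encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_ftp_line(line: str, direction: str, client_ip: str, server_pub_ip: str,
                     server_priv_ip: Optional[str] = None) -> Tuple[Optional[Pinhole], Optional[str]]:
    """
    Examine one control-channel line as the firewall sees it.
    direction: "c2s" (client -> server) or "s2c" (server -> client).
    server_priv_ip: the server's real inside address when static NAT maps it
    to server_pub_ip; None when the server is not translated.
    Returns (pinhole or None, line to forward or None if it must be dropped).
    """
    if direction == "c2s" and line.upper().startswith("PORT "):
        ip, port = _decode_hostport(line)
        if ip != client_ip:
            # A client may only request data connections back to itself.
            return None, None
        # Active mode: the server will connect FROM port 20 TO the client.
        return Pinhole("active", server_pub_ip, "20", client_ip, port), line

    if direction == "s2c" and line.startswith("227 "):
        ip, port = _decode_hostport(line)
        if server_priv_ip and ip == server_priv_ip:
            # The server advertised its private address; rewrite it so the
            # outside client can actually reach the data port through NAT.
            line = line.replace(_encode_hostport(ip, port),
                                _encode_hostport(server_pub_ip, port))
            ip = server_pub_ip
        if ip != server_pub_ip:
            return None, None
        # Passive mode: the client connects from an ephemeral port TO the server.
        return Pinhole("passive", client_ip, "any", server_pub_ip, port), line

    # Everything else on the control channel passes through untouched.
    return None, line


def demo() -> List[Pinhole]:
    """Constructed session: one active and one passive transfer through static NAT."""
    client, pub, priv = "203.0.113.5", "1.1.1.1", "192.168.1.1"
    session = [
        ("c2s", "USER anonymous"),
        ("c2s", "PORT 203,0,113,5,200,10"),                    # active: client port 51210
        ("s2c", "227 Entering Passive Mode (192,168,1,1,7,218)"),  # passive: server port 2010
    ]
    holes = []
    for direction, line in session:
        hole, forwarded = inspect_ftp_line(line, direction, client, pub, priv)
        if hole:
            holes.append(hole)
        print(f"{direction}: {line!r} -> forward {forwarded!r}, pinhole {hole}")
    return holes


if __name__ == "__main__":
    demo()
```

Without the rewrite step in the 227 branch, an outside client would try to open its passive data connection to 192.168.1.1, which is exactly why disabling inspection on a NATed server breaks passive as well as active mode.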

This is what I understand:

Linux_FTP_server---(i)--Pix--(o)---FTP_client

FTP server is serving both Active/Passive FTP. FTP server is 192.168.1.10/24. Pix inside IP is 192.168.1.1/24. Pix outside IP address is 1.1.1.1/24. FTP_client is 1.1.1.2/24. FTP_client connects to the FTP server via IP address 1.1.1.10.

Requirements:

Allow ONLY Passive FTP through the Pix firewall. Active FTP will NOT be allowed through the Pix firewall. In other words, Active FTP connections will be dropped by the Pix firewall.

static (i,o) 1.1.1.10 192.168.1.10 netmask 255.255.255.255
access-list External permit ip any any log
access-group External in interface outside

Pix/ASA can NOT do this.

Other firewall vendors such as Checkpoint have the capability to allow ONLY passive FTP through the firewall with NAT. I think Netscreen can do this too, but I can't confirm because I have not touched Netscreen in eight months.

Make sense?

Thanks for this post!! I've been fighting with FTP for a few days now. I've been using names for Network Objects to add easier reading to Destination Access Rules and NAT Rules Sources. Your post above stating specifically got me thinking. So I removed all the Names (as they are optional) and used only the IP addrs and it worked!!

Running 5510 ASA 8.0(2) ASDM 6.1(1).

Thanks!!

ERIN

briankrontz
Level 1

My objective is to allow both Active and Passive SSH/SSL/HTTPS FTP to make it easier on my non-technical ftp clients. Thoughts on that? Would I need to do the "fixup"? I'm not sure what that is. I'm a Juniper GUI guy, sorry.

Rhinosoft, the maker of Serv-U, says that the reason I can only connect with Active is due to a misconfigured Cisco ASA 5505 sitting in front of it.

I have my IP and ports routed correctly as far as I can tell:

access-list INBOUND extended permit tcp any host x.x.x.35 eq 3389
access-list INBOUND extended permit tcp any host x.x.x.35 eq ftp
access-list INBOUND extended permit tcp any host x.x.x.35 eq ftp-data
access-list INBOUND extended permit tcp any host x.x.x.35 eq https
access-list INBOUND extended permit tcp any host x.x.x.35 eq ssh
access-list INBOUND extended permit tcp any host x.x.x.35 eq 990
access-list INBOUND extended permit tcp any host x.x.x.35 range 2000 2020
access-list INBOUND extended permit tcp any host x.x.x.35 range 50000 50020

The last two entries are passive port ranges I tried to plug into the software, but they didn't give me any luck.

We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea? Is that a terribly insecure idea?

The problem with the ASA is that fixup is enabled by default. Therefore, once you allow FTP, both active/passive will be allowed. In a NAT environment, you can not stop Active only or passive only FTP. You either have to allow both or deny both.

I don't know if you understand how Active and Passive work. In Active mode, the FTP server initiates a connection back to the client, sourcing from port 20 to client random high ports. This is a security risk to the client. In Passive mode, the client initiates a connection from its high ports to server random high ports. This will put the server at risk because he has to allow random high ports on the server. That's why in vsftpd or even Microsoft IIS, you minimize the risk by narrowing the port ranges in Passive mode.

The workaround for all this is Secure Copy Protocol (SCP) or SecureFTP. Both of these run on top of SSH, which is very secure. You don't need to worry about FTP crap.

cisco24x7,

> The problem with the ASA is that fixup is enabled by default.

That's actually a positive thing, in my opinion, but if it bothers anyone, or violates the organization's security policy, it can obviously be disabled.

> Therefore, once you allow FTP, both active/passive will be allowed.

He already said that he wants to allow both active and passive so this shouldn't be a problem.

> In a NAT environment, you can not stop Active only or passive only FTP. You either have to allow both or deny both.

Not necessarily - you can do the following:

access-list inside_in deny tcp any any eq 20
access-list inside_in permit ip any any
access-group inside_in in interface inside

and this will prevent active FTP from working but passive FTP will still work.

This is not a problem for him, though, since he said that he wants both active and passive FTP. But anyone concerned about allowing active FTP can apply this simple workaround to kill active FTP.

Cheers,

Eloy Paris.-

Sorry, the deny above is obviously wrong. Should be:

access-list inside_in deny tcp any eq 20 any

(The idea is obviously to prevent the FTP server from establishing the outgoing connection from port 20 to the FTP client on the outside.)
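Added example, not from the thread: a tiny Python evaluator for the ASA-style access-list lines used above, to check the two versions of the "kill active FTP" entry against the data connections each FTP mode creates. An ACL applied with "in interface inside" only sees connections initiated from the inside, so the active-mode data connection (server port 20 to the client) is evaluated there, while a passive-mode data connection is opened from the outside and never reaches it; that is why the corrected entry stops active FTP and leaves passive FTP alone. The evaluator handles only the "any", "host", "eq" and "range" forms that appear in this thread, the port-name table is a small constructed subset, and the addresses (server 192.168.1.10 reachable as 1.1.1.10, client 1.1.1.2) reuse the earlier example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Subset of the service names the ASA accepts in place of numbers (constructed table).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "https": 443}


@dataclass(frozen=True)
class Flow:
    """The first packet (SYN) of a new connection, as the ACL evaluates it."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Ace:
    """One parsed access-list entry; matchers are predicates on address / port."""
    name: str
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(t: List[str], i: int):
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        want = t[i + 1]
        return (lambda ip: ip == want), i + 2
    raise ValueError("unsupported address form: " + " ".join(t[i:]))


def _take_port(t: List[str], i: int):
    # Optional port qualifier: "eq N" or "range LO HI"; absent means any port.
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (lambda port: port == p), i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda port: lo <= port <= hi), i + 3
    return (lambda port: True), i


def parse_ace(text: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [port] DST [port]'."""
    t = text.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + text)
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _take_addr(t, i)
    sport, i = _take_port(t, i)   # port after the SOURCE is a source-port match
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)   # port after the DESTINATION is a destination-port match
    return Ace(name, action, proto, src, sport, dst, dport)


def evaluate(acl: List[str], flow: Flow) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in (parse_ace(line) for line in acl):
        if ace.proto not in ("ip", flow.proto):
            continue
        if ace.src(flow.src_ip) and ace.sport(flow.src_port) \
                and ace.dst(flow.dst_ip) and ace.dport(flow.dst_port):
            return ace.action
    return "deny"


# The first (mistaken) entry matches DESTINATION port 20; the corrected one matches SOURCE port 20.
WRONG_INSIDE_IN = ["access-list inside_in deny tcp any any eq 20",
                   "access-list inside_in permit ip any any"]
RIGHT_INSIDE_IN = ["access-list inside_in deny tcp any eq 20 any",
                   "access-list inside_in permit ip any any"]
# Outside ACL permitting control channel plus a narrowed passive range (constructed).
INBOUND = ["access-list INBOUND extended permit tcp any host 1.1.1.10 eq ftp",
           "access-list INBOUND extended permit tcp any host 1.1.1.10 range 2000 2020"]

ACTIVE_DATA = Flow("tcp", "192.168.1.10", 20, "1.1.1.2", 51210)   # server -> client, from port 20
SERVER_HTTPS = Flow("tcp", "192.168.1.10", 40000, "198.51.100.7", 443)  # unrelated outbound traffic
PASSIVE_DATA = Flow("tcp", "1.1.1.2", 50123, "1.1.1.10", 2010)     # client -> server high port


def demo() -> Dict[str, str]:
    return {
        "active data, mistaken entry": evaluate(WRONG_INSIDE_IN, ACTIVE_DATA),
        "active data, corrected entry": evaluate(RIGHT_INSIDE_IN, ACTIVE_DATA),
        "other outbound, corrected entry": evaluate(RIGHT_INSIDE_IN, SERVER_HTTPS),
        "passive data in range, INBOUND": evaluate(INBOUND, PASSIVE_DATA),
        "passive data outside range, INBOUND": evaluate(INBOUND, Flow("tcp", "1.1.1.2", 50123, "1.1.1.10", 3000)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The last two cases show the point about narrowing the passive port range: only data ports the server was told to use are reachable, and anything else hits the implicit deny.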

I'm confused then. Why don't you think I'm having any luck with Passive if I've configured ports on the software and firewall for that purpose. I'll include my whole config below so that you can maybe explain where I need to make changes.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.61.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 38.x.x.34 255.255.255.252
interface Ethernet0/0
 switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
 domain-name domainname1.com
access-list nonat extended permit ip any 172.16.0.0 255.240.0.0
access-list nonat extended permit ip any 192.168.0.0 255.255.0.0
access-list nonat extended permit ip any 10.0.0.0 255.0.0.0
access-list domainname2 extended permit ip 192.168.61.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list INBOUND extended permit tcp any host 38.x.x.35 eq 3389
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ftp
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ftp-data
access-list INBOUND extended permit tcp any host 38.x.x.35 eq https
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ssh
access-list INBOUND extended permit tcp any host 38.x.x.35 eq 990
access-list INBOUND extended permit tcp any host 38.x.x.35 range 2000 2020
access-list INBOUND extended permit tcp any host 38.x.x.35 range 50000 50020
access-list INBOUND extended permit icmp any any
access-list OUTBOUND extended deny tcp any any eq 6346
access-list OUTBOUND extended deny tcp any any eq 6347
access-list OUTBOUND extended deny udp any any eq 6346
access-list OUTBOUND extended deny udp any any eq 6347
access-list OUTBOUND extended permit ip any any
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.68.0 255.255.254.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 172.30.103.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.180.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 38.x.x.34 192.168.61.200 netmask 255.255.255.255
static (inside,outside) 38.x.x.35 192.168.61.248 netmask 255.255.255.255
access-group OUTBOUND in interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 38.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
service-policy global_policy global
prompt hostname context

The configuration looks *almost* good:

static (inside,outside) 38.x.x.34 192.168.61.200 netmask 255.255.255.255

This line doesn't make sense - you are NATing 192.168.61.200 to the same IP address as the outside interface of the ASA. That shouldn't be, but I don't see why it would affect the problem with FTP not working.

Is the FTP server at 192.168.61.248?

You should turn on logging to see what is going on.

Cheers,

Eloy Paris.-

Eloy Paris,

> Not necessarily - you can do the following:
> access-list inside_in deny tcp any eq 20 any
> access-list inside_in permit ip any any
> access-group inside_in in interface inside
> and this will prevent active FTP from working but passive FTP will still work.

Is this something you've tested and verified that it works, or is it just an "educated" guess on your part?

When you enable "fixup protocol ftp 21" or FTP inspection, the ACL "access-list inside_in deny tcp any any eq 20" will become useless when there is NAT.

However, what you stated above is true if there is NO NAT involved. Again, the minute you enable "fixup protocol ftp 21" that ACL will be bypassed.

An analogy to this is how the command "sysopt connection permit-ipsec" will bypass the ACL line applied to the outside interface regarding IPSec.
