Active FTP works, not passive

Feb 5th, 2010

Hello CCIEs or not,


A 2821 ISR (IOS Firewall 12.4(24)T2) is connected to a second ISP through Vlan304 and a cable router.
I added "ip nat inside source" route-maps in order to NAT into each ISP's addressing subnet.
The problem is that inside FTP clients successfully connect to outside FTP servers using active mode, but no longer with passive mode, which worked before.


Many debugs were done: the FTP server can't answer the LIST command; the outside ACL rejects the SYN/ACK packet because the client's source port is not open.
I observe that the client's source port changes during the outbound NAT process of the data connection.


I give you:

- the relevant config lines
- IOS debugs and a packet capture

I also tried to add a separate NAT pool with a route-map, but did not succeed.



Relevant Config:


ip inspect name Cbac tcp router-traffic
ip inspect name Cbac ftp



interface GigabitEthernet0/0
ip address L.L.L.5 255.255.255.0
ip access-group Acl_Inside in
ip wccp web-cache redirect in
ip inspect Cbac out
ip nat inside
no ip virtual-reassembly
ip policy route-map Rm_Inside
duplex auto
speed auto
!
interface FastEthernet0/0/3
switchport mode trunk
!
interface Vlan304
ip address 10.10.8.250 255.255.255.0
ip access-group Acl_Outside in
ip inspect Cbac out
ip nat outside
ip virtual-reassembly
!
router eigrp 1
redistribute connected
passive-interface default
no passive-interface GigabitEthernet0/0
network L.L.L.0 0.0.0.255
auto-summary
!
ip forward-protocol nd
ip route M.M.M.M 255.255.255.255 10.10.8.251
ip nat inside source route-map Rm_Nat_NC interface Vlan304 overload



ip access-list extended Acl_Inside
....
permit tcp object-group OGn_FTP object-group OGn_Externe eq ftp



ip access-list extended Acl_Outside
permit icmp any any
deny   ip any any log
!
ip access-list extended Acl_Rm_Ftp
permit tcp host 172.16.3.3 object-group OGn_Externe eq ftp ftp-data
permit tcp host 172.16.3.3 object-group OGn_Externe gt 1024
!
route-map Rm_Inside permit 10
match ip address Acl_Rm_Ftp
set ip next-hop 10.10.8.251
set interface Vlan304
!
route-map Rm_Nat_NC_Ftp permit 10
match ip address Acl_Rm_Ftp
match interface Vlan304



Debug


Feb  5 10:25:32.521: FIREWALL FTP sis 451ADD74 FTP-Client: PASV~~
Feb  5 10:25:32.521: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature
Feb  5 10:25:32.521:     TCP src=2670, dst=21, seq=3562961433, ack=1627344340, win=64167 ACK PSH, Firewall (inspect)(38), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.521: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), g=10.10.8.251, len 46, forward
Feb  5 10:25:32.521:     TCP src=2670, dst=21, seq=3562961433, ack=1627344340, win=64167 ACK PSH
Feb  5 10:25:32.521: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, sending full packet
Feb  5 10:25:32.521:     TCP src=2670, dst=21, seq=3562961433, ack=1627344340, win=64167 ACK PSH
Feb  5 10:25:32.537: NAT: s=S.S.S.S, d=10.10.8.250->172.16.3.3 [50281]
Feb  5 10:25:32.537: FIREWALL FTP sis 451ADD74 FTP-Server: 227 Entering Passive Mode (S,S,S,S,106,18).~~
Feb  5 10:25:32.537: FIREWALL FTP sis 451ADD74 Handle response to PASV request S.S.S.S:27154
Feb  5 10:25:32.537: FIREWALL OBJ_CREATE: create pre-gen sis 471F4070
Feb  5 10:25:32.537: FIREWALL OBJ-CREATE: sid 461E4974 acl Acl_Inside Prot: tcp
Feb  5 10:25:32.537:  Src 172.16.3.3 Port [0:65535]
Feb  5 10:25:32.537:  Dst S.S.S.S Port [27154:27154]
Feb  5 10:25:32.537: FIREWALL Pre-gen sis 471F4070 created: 172.16.3.3[0:65535] S.S.S.S[27154:27154]
Feb  5 10:25:32.541: NAT*: s=172.16.3.3->10.10.8.250, d=S.S.S.S [40649]
Feb  5 10:25:32.541: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S, len 52, input feature
Feb  5 10:25:32.541:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.541: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S, len 52, input feature
Feb  5 10:25:32.541:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.541: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S, len 52, input feature
Feb  5 10:25:32.541:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Access List(26), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.541: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S, len 52, input feature
Feb  5 10:25:32.541:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, input feature
Feb  5 10:25:32.545:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Policy Routing(59), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, input feature
Feb  5 10:25:32.545:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, WCCP(61), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, input feature
Feb  5 10:25:32.545:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, MCI Check(64), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature
Feb  5 10:25:32.545:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, CCE Output Classification(5), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature
Feb  5 10:25:32.545:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, WCCP(12), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE



Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature
Feb  5 10:25:32.545:     TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Post-routing NAT Outside(17), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature
Feb  5 10:25:32.545:     TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Stateful Inspection(20), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature
Feb  5 10:25:32.545:     TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Firewall (NAT)(33), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: FIREWALL sis 471F4070 initiator_addr (172.16.3.3:2672) responder_addr (S.S.S.S:27154)
initiator_alt_addr (10.10.8.250:1123) responder_alt_addr (S.S.S.S:27154)
Feb  5 10:25:32.545: FIREWALL OBJ-CREATE: sid 461E0534 acl Acl_Outside Prot: tcp
Feb  5 10:25:32.545:  Src S.S.S.S Port [27154:27154]
Feb  5 10:25:32.545:  Dst 10.10.8.250 Port [1123:1123]
Feb  5 10:25:32.545: FIREWALL OBJ_CREATE: create host entry 461D94FC addr S.S.S.S bucket 228 (vrf 0:0) insp_cb 0x46973E3C
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature
Feb  5 10:25:32.545:     TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Firewall (inspect)(38), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), g=10.10.8.251, len 52, forward
Feb  5 10:25:32.545:     TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN
Feb  5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, sending full packet
Feb  5 10:25:32.549:     TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN
Feb  5 10:25:32.549: NAT: s=172.16.3.3->10.10.8.250, d=S.S.S.S [40652]
Feb  5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature
Feb  5 10:25:32.549:     TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH, Post-routing NAT Outside(17), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature
Feb  5 10:25:32.549:     TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH, Stateful Inspection(20), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature
Feb  5 10:25:32.549:     TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH, Firewall (NAT)(33), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.549: FIREWALL FTP sis 451ADD74 FTP-Client: LIST~~
Feb  5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature
Feb  5 10:25:32.549:     TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH, Firewall (inspect)(38), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), g=10.10.8.251, len 46, forward
Feb  5 10:25:32.549:     TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH
Feb  5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, sending full packet
Feb  5 10:25:32.549:     TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH
Feb  5 10:25:32.601: NAT: s=S.S.S.S, d=10.10.8.250->172.16.3.3 [50282]
Feb  5 10:25:35.501: NAT*: s=172.16.3.3->10.10.8.250, d=S.S.S.S [40714]
Feb  5 10:25:35.517 CET: %SEC-6-IPACCESSLOGP: list Acl_Outside denied tcp S.S.S.S(27154) -> 10.10.8.250(2672), 1 packet
Feb  5 10:25:35.521: FIREWALL OBJ_CREATE: Pak 45B5B318 sis 45174EAC initiator_addr (10.10.8.250:0) responder_addr (S.S.S.S:106)
initiator_alt_addr (10.10.8.250:0) responder_alt_addr (S.S.S.S:106)
Feb  5 10:25:38.561: FIREWALL OBJ_CREATE: Pak 45B5BE94 sis 46FB16D8 initiator_addr (10.10.8.250:0) responder_addr (S.S.S.S:106)
initiator_alt_addr (10.10.8.250:0) responder_alt_addr (S.S.S.S:106)


Any help would be greatly appreciated
Thanks

sachinraja Fri, 02/05/2010 - 09:45

Hi Falain


Not sure, but why do you want to apply "ip inspect ... out" on both the LAN and WAN interfaces? You are inspecting traffic going out of your LAN, and it is normally OK to just apply this on one interface. The outbound interface will just have ACLs permitting traffic into your network, dynamically punching holes into your network. You might have to have a look at your configs and see which interface you need to apply this on. As an example, here is a URL describing CBAC configuration:


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml


Raj

falain Mon, 02/08/2010 - 00:37

Hello Sachinraja,

Thanks for answer.

As I said, this is only the problem-relevant config.

I didn't give the rest for clarity. There are also other outside WAN VLANs with CBAC out.

But on that ISR I also have a 3rd interface (DMZ) from which connections can be initiated to the LAN interface.

So it needs to have CBAC out on the LAN interface.


I think the problem is due to NAT, which translates the inside FTP client's source port, and the outside FTP server ignores this new one (it only knows the one given to it in the TCP SYN that follows the LIST command).

I tried to move FTP transfers to another NAT pool with a different route-map, but did not succeed so far.


regards

Alain
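The correlation Alain did by hand across the first post's debug (the 227 reply, the CBAC pre-generated session, the NAT "alt" address and the Acl_Outside deny) and the hypothesis in his second post can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses lines of the shapes shown in the 12.4T debug above, decodes the PASV port, finds the CBAC session for that data connection, and reports whether the server's reply that the ACL logged as denied was aimed at the pre-NAT client port rather than the port NAT actually put on the wire. The sample log is constructed from the posted lines (server address kept anonymised as S.S.S.S); the regexes assume those exact line shapes and are not a general IOS log parser.

```python
"""Correlate IOS CBAC/NAT debug output for one FTP PASV data connection.

Added example, not from the thread. Given 'debug ip inspect' style lines of the
shape shown in the post, report whether the server replied to the client port
that NAT overload actually used, or to the pre-NAT port CBAC first saw.
"""
import re

# Constructed sample, modelled on the debug lines in the post
# (server address anonymised as S.S.S.S, exactly as there).
SAMPLE_DEBUG = """\
Feb  5 10:25:32.537: FIREWALL FTP sis 451ADD74 FTP-Server: 227 Entering Passive Mode (S,S,S,S,106,18).~~
Feb  5 10:25:32.537: FIREWALL Pre-gen sis 471F4070 created: 172.16.3.3[0:65535] S.S.S.S[27154:27154]
Feb  5 10:25:32.541:     TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb  5 10:25:32.545: FIREWALL sis 471F4070 initiator_addr (172.16.3.3:2672) responder_addr (S.S.S.S:27154)
initiator_alt_addr (10.10.8.250:1123) responder_alt_addr (S.S.S.S:27154)
Feb  5 10:25:35.517 CET: %SEC-6-IPACCESSLOGP: list Acl_Outside denied tcp S.S.S.S(27154) -> 10.10.8.250(2672), 1 packet
Feb  5 10:25:35.521: FIREWALL OBJ_CREATE: Pak 45B5B318 sis 45174EAC initiator_addr (10.10.8.250:0) responder_addr (S.S.S.S:106)
initiator_alt_addr (10.10.8.250:0) responder_alt_addr (S.S.S.S:106)
"""

PASV_RE = re.compile(r"227 Entering Passive Mode \(([^)]+)\)")
PREGEN_RE = re.compile(r"Pre-gen sis \w+ created: (\S+)\[(\d+):(\d+)\] (\S+)\[(\d+):(\d+)\]")
# The alt (post-NAT) tuple is printed on the following line, hence the \s*.
SESSION_RE = re.compile(
    r"initiator_addr \((\S+):(\d+)\) responder_addr \((\S+):(\d+)\)\s*"
    r"initiator_alt_addr \((\S+):(\d+)\) responder_alt_addr \((\S+):(\d+)\)")
DENY_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied tcp (\S+)\((\d+)\) -> (\S+)\((\d+)\)")


def pasv_endpoint(text):
    """Decode the server's 227 reply: (h1,h2,h3,h4,p1,p2) -> (host, p1*256 + p2)."""
    m = PASV_RE.search(text)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) != 6:
        return None
    return ".".join(fields[:4]), int(fields[4]) * 256 + int(fields[5])


def sessions(text):
    """CBAC session entries as pre-NAT (client/server) and post-NAT (*_nat) tuples."""
    return [{"client": (m.group(1), int(m.group(2))),
             "server": (m.group(3), int(m.group(4))),
             "client_nat": (m.group(5), int(m.group(6))),
             "server_nat": (m.group(7), int(m.group(8)))}
            for m in SESSION_RE.finditer(text)]


def acl_denies(text):
    """%SEC-6-IPACCESSLOGP entries as (acl, src, dst) with (ip, port) tuples."""
    return [{"acl": m.group(1), "src": (m.group(2), int(m.group(3))),
             "dst": (m.group(4), int(m.group(5)))}
            for m in DENY_RE.finditer(text)]


def diagnose(text):
    """Correlate the PASV port, the CBAC session and ACL denies into a report dict."""
    report = {"data_port": None, "pregen_ok": False, "client_port": None,
              "client_port_on_wire": None, "reply_to_untranslated_port": False,
              "findings": []}
    ep = pasv_endpoint(text)
    if ep is None:
        report["findings"].append("no 227 reply found; not a PASV transfer")
        return report
    host, port = ep
    report["data_port"] = port
    # CBAC should pre-generate a session with any client port and the PASV port.
    m = PREGEN_RE.search(text)
    if m and m.group(4) == host and int(m.group(5)) <= port <= int(m.group(6)):
        report["pregen_ok"] = True
    else:
        report["findings"].append(f"CBAC did not pre-generate a session for {host}:{port}")
    # Only the session whose responder is the PASV endpoint is the data connection.
    for s in sessions(text):
        if s["server"] == (host, port):
            report["client_port"] = s["client"][1]
            report["client_port_on_wire"] = s["client_nat"][1]
            if s["client"][1] != s["client_nat"][1]:
                report["findings"].append(
                    f"NAT overload rewrote client port {s['client'][1]} -> "
                    f"{s['client_nat'][1]} on the data connection")
    # A denied reply from the PASV port to the pre-NAT client port is the symptom.
    for d in acl_denies(text):
        if d["src"] == (host, port) and d["dst"][1] == report["client_port"]:
            report["reply_to_untranslated_port"] = True
            report["findings"].append(
                f"{d['acl']} denied server reply to pre-NAT port {d['dst'][1]}; "
                f"CBAC hole was for port {report['client_port_on_wire']}")
    return report


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG)["findings"]:
        print(finding)
```

Run against the sample it prints two findings: the data connection's client port was rewritten 2672 -> 1123 by NAT overload, and Acl_Outside dropped the server's reply addressed to 2672 while the CBAC hole was opened for 1123. To use it on a real capture, paste the output of "debug ip inspect ftp", "debug ip nat" and the ACL log into a file and call diagnose() on its contents; a report with pregen_ok true but reply_to_untranslated_port true is the signature described in the thread, and a report with no session for the PASV port points at inspection rather than NAT.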
