FTP directory listing not working

Answered Question
Mar 11th, 2010

Hi,


I have configured a normal ACE 4710 in bridge mode and I have statically natted the ACE VIP in the firewall. But when I am doing FTP to the ACE natted IP from the outside network I can connect to any of the virtual servers, but when I run "ls", the directory listing is not working.


Below is my ACE configuration.



access-list bpdu-fixup ethertype permit bpdu

access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any

rserver host srv1
  ip address 172.16.20.1
  inservice
rserver host srv2
  ip address 172.16.20.2
  inservice

serverfarm host srv
  rserver srv1
    inservice
  rserver srv2
    inservice

sticky ip-netmask 255.255.255.255 address both SG1
  timeout 120
  serverfarm srv

class-map type management match-any remote-mgmt
  201 match protocol snmp any
  202 match protocol ssh any
  203 match protocol icmp any
  204 match protocol http any
  205 match protocol https any
  206 match protocol xml-https any
class-map match-all slb-vip
  2 match virtual-address 172.16.20.10 any

policy-map type management first-match remote-mgmt
  class remote-mgmt
    permit

policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply

interface vlan 20
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  no shutdown
interface vlan 23
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  service-policy input remote-mgmt
  service-policy input client-vips
  no shutdown

interface bvi 1
  ip address 172.16.20.9 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.20.254 


What could be the reason of this issue?


Thanks,

Pawan

Michael Berger Thu, 03/11/2010 - 06:27

Hi Pawan,


At the moment you type "ls", the data connection will be opened. Usually FTP clients default to active FTP, which means the server will open the connection.


I am not seeing NATing on the ACE: is the real able to reach the client?


Does it also fail with passive ftp?


Can you use a CLI ftp client and copy/paste what you get on console when trying to FTP to VIP?




Michael

Sean Merrow Thu, 03/11/2010 - 06:30

Hello,


I think this should work fine if you are using Passive FTP, so you might be using Active FTP.  If this is the case, you would need to use inspect ftp so the ACE can perform the needed fix-ups:


You Currently Have:


class-map match-all slb-vip
  2 match virtual-address 172.16.20.10 any


policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1


policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply



Add the Blue Highlighted Parts Below, and Test


class-map match-all ftp-vip
  2 match virtual-address 172.16.20.10 tcp eq ftp


class-map match-all slb-vip
  2 match virtual-address 172.16.20.10 any


policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1


policy-map multi-match client-vips
  class ftp-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
    inspect ftp  <-- note that ftp inspection is only applied to FTP traffic

  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply


Hope this helps,

Sean
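As an added illustration of the two replies above (not part of the thread and not Cisco's code), the following Python decodes the FTP control-channel messages that "inspect ftp" has to parse: the client's PORT command in active mode and the server's 227 reply in passive mode, plus the passive-mode rewrite of a real server's address to the VIP. The VIP and rserver addresses come from Pawan's config; the client address and the sample messages are constructed.

```python
import re

VIP = "172.16.20.10"                       # virtual address from the thread's config
RSERVERS = {"172.16.20.1", "172.16.20.2"}  # real servers behind the VIP

# FTP carries IP and port as six decimal fields: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(fields):
    """Six FTP host-port fields -> (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip, port):
    """(ip, port) -> the comma-separated form used by PORT and 227."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def data_endpoint(line):
    """Return (mode, ip, port) announced on the control channel, or None
    for control lines that do not set up a data connection."""
    m = PORT_RE.match(line)
    if m:                       # active: client announces where the SERVER must connect to
        return ("active",) + decode_hostport(m.groups())
    m = PASV_RE.match(line)
    if m:                       # passive: server announces where the CLIENT must connect to
        return ("passive",) + decode_hostport(m.groups())
    return None

def expected_data_connection(line, client_ip, rserver_ip):
    """Who opens the data connection, so a device in the path can permit it.
    Active mode is the case in Michael's reply: the rserver (source port 20)
    connects out to the client's announced port, so it must reach the client."""
    ep = data_endpoint(line)
    if ep is None:
        return None
    mode, ip, port = ep
    if mode == "active":
        return {"from": rserver_ip, "sport": 20, "to": ip, "dport": port}
    return {"from": client_ip, "sport": None, "to": ip, "dport": port}

def fixup_pasv_reply(line, vip=VIP, rservers=RSERVERS):
    """The passive-mode fix-up 'inspect ftp' performs: the real server puts its
    own address in the 227 reply, which the client cannot use through the VIP,
    so the announced address is rewritten to the VIP (port left untouched)."""
    m = PASV_RE.match(line)
    if not m:
        return line
    ip, port = decode_hostport(m.groups())
    if ip not in rservers:      # only rewrite addresses we actually front
        return line
    return line.replace(encode_hostport(ip, port), encode_hostport(vip, port))
```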

winpwnkmr Thu, 03/11/2010 - 07:05

Thanks Sean it's working. But with my previous configuration I tried both the modes active and passive, nothing was working.


If I use whatever you suggested, in that case can I use two different classes, i.e. one for FTP and another for the web server (class ftp-vip & class slb-vip)? If yes, then I have to put "2 match virtual-address 172.16.20.10 any"; I am not sure whether that will work for FTP too.


Pls. suggest.


Thanks,

Pawan

Correct Answer
Sean Merrow Thu, 03/11/2010 - 07:15

Hi Pawan,


Ideally, you want to accomplish your desired operation without using the any keyword.  The any keyword allows clients to connect to your rservers through the VIP via any protocol, which could be considered a security risk.  You should always try to lock your VIPs down to only the protocols that you intend to be load balanced.  So if you want to load balance only HTTP and FTP traffic on this VIP, then your config would look something like this:


class-map match-all ftp-vip
  2 match virtual-address 172.16.20.10 tcp eq ftp


class-map match-all www-vip
  2 match virtual-address 172.16.20.10 tcp eq www


policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1


policy-map multi-match client-vips
  class ftp-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
    inspect ftp  <-- note that ftp inspection is only applied to FTP traffic
  class www-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply


You could always add the any class-maps back in and put it at the bottom of your multi-match policy to catch "other" protocols, but you should only do this if necessary.


Does this make sense?


Sean
