I cannot Do FTP through IPsec Tunnel

Answered Question
May 24th, 2010

The users at the branch office (Perth) cannot do FTP to a server on the Internet. We just want a change on NAT/rules to make it happen.

We do have a head office in Sydney; its router has IPsec VPNs to the other branches, including Melbourne, Perth, ...

We just want to fix FTP access for Perth users, not for any other branches.

Everything is router-to-router IPsec. From the Perth and Sydney routers I can ping the FTP address (203.171.5.4), but from a client at Perth I cannot ping or telnet to that IP.

I uploaded the router configs from the Sydney and Perth routers.

Please ask me if you need a fuller picture of the environment.

Thanks In Advance,

Reza

spremkumar Tue, 05/25/2010 - 06:04

hi

Is your FTP server hosted at your Sydney site or on the Internet? If it's on the Internet, are you accessing the Internet via your Sydney office using the IPsec tunnel?

Also, I couldn't understand this line ... "can ping FTP address that is (203.171.5.4) but from a client at perth, i cannot ping or telnet to that IP"

Regards

reza.rafatifard Tue, 05/25/2010 - 16:08

Hi There,

The FTP server is somewhere on the Internet.

We don't have Internet access from the Perth site; we just have access to resources at the Sydney office.

The access-list 191 on the Perth router is set up as:

access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

When I use ping or telnet from a PC at Perth to 203.171.5.4 (the Internet FTP address), there is no way out, but I can do it from the Perth router.

So I need a NAT or access-list command to let the Perth subnet (192.168.20.0) get access to that IP.

Please let me know for any question

Regards,

Reza

Federico Coto F... Tue, 05/25/2010 - 22:34

Reza,

To be able to reach that server from the 192.168.10.0/24 network, here's what you need:

##########################################

access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 150 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 150 interface Dialer0 overload

interface Ethernet0

ip nat inside

interface Dialer0

ip nat outside

#########################################

With the above configuration you're providing Internet access to the 192.168.10.0/24 network without interfering with the IPsec traffic.

You're providing Internet access; if you want to restrict traffic to just outgoing FTP, you will have to implement ACLs.

Federico.

reza.rafatifard Wed, 05/26/2010 - 02:27

Hi Mate,

How can I have this without providing Internet access, just giving access to that specific FTP address?

The 150 access-list leaves everything open.

Your advice is much appreciated,

Reza

Federico Coto F... Wed, 05/26/2010 - 06:57

Hi,

To allow only access to the external FTP server you can do the following:

#########################################################################

access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 host 203.171.5.4

ip nat inside source list 150 interface Dialer0 overload

interface Ethernet0
ip nat inside

ip access-group 160 in

interface Dialer0
ip nat outside

access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 160 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4 eq 21

#########################################################################

The above configuration will only allow FTP outbound access on destination port 21 (besides permitting the VPN traffic).

However there's an important thing here:

You need to determine whether you are using passive or active FTP.

This is because in passive FTP both connections are initiated by the client side.

But when using active FTP, the data connection is initiated from the server side.

So, based on the FTP operational mode, you will need either to "inspect" the traffic to allow the replies, or permit it with ACLs.

Federico.

reza.rafatifard Sun, 05/30/2010 - 18:06

Hi Federico.

I applied the changes but no good.

As soon as I add "ip access-group 160 in" on interface Ethernet0, I cannot ping the router IP address (192.168.10.1) any more, and also FTP to that public IP does not work.

Can you have a look at this? By the way, it does not matter whether the traffic passes through the tunnel or goes directly to the Internet; I am happy with both options.

Your advice on this is much appreciated.

Regards,

Reza

reza.rafatifard Mon, 05/31/2010 - 17:30

Building configuration...

Current configuration : 3665 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname HTAUPER
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 $1$DbLV$k3z/WP5i9MLEvUlNFdl790
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authentication ppp vpnauth group radius local
aaa authorization network default group radius local
!
aaa session-id common
!
resource policy
!
clock timezone AWST 8
clock summer-time AWDST recurring last Sun Oct 2:00 last Sun Mar 2:00
ip subnet-zero
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool WA-IP-POOL
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.2.20 192.168.2.21
   netbios-name-server 192.168.2.20 192.168.2.21
!
!
ip cef
no ip domain lookup
ip host HTAUMEL 202.173.157.106
ip host HTAUPER 165.228.162.129
ip host HTAUSYD 139.130.82.30
no ip ips deny-action ips-interface
!
async-bootp dns-server 192.168.2.20 192.168.2.21
async-bootp nbns-server 192.168.2.20 192.168.2.21
no ftp-server write-enable
!
!
username hitachikk privilege 15 password 7 0959400A150046
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key htauper0607 address 139.130.82.30
no crypto isakmp ccm
!
!
crypto ipsec transform-set Perth-Transform esp-des esp-md5-hmac
!
crypto map Triforce 10 ipsec-isakmp
set peer 139.130.82.30
set transform-set Perth-Transform
match address 191
reverse-route
!
!
!
interface Loopback0
ip address 192.168.253.251 255.255.255.255
!
interface Ethernet0
description LAN
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.2.20
ip helper-address 192.168.2.21
ip nat inside
ip access-group 160 in
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1430
no ip mroute-cache
no keepalive
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
description WestNet DSL Service
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
description PPPOE to Telstra
ip address negotiated
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
ip nat outside
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 13564F4A585456
crypto map Triforce
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
!
!
!
ip access-list standard telnet-clients
permit 202.165.88.13
permit 139.130.82.30
permit 165.228.154.146
permit 165.228.76.109
permit 165.228.245.51
permit 165.228.121.168
permit 58.6.32.219
permit 192.168.10.0 0.0.0.255
permit 192.168.3.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
permit 203.42.131.48 0.0.0.15
permit 203.48.145.120 0.0.0.7
permit 203.53.111.208 0.0.0.15
access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 host 203.171.5.4
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 160 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4 eq 21
dialer-list 1 protocol ip permit
snmp-server community htau RO
snmp-server enable traps tty
!
ip nat inside source list 150 interface Dialer0 overload
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
access-class telnet-clients in
exec-timeout 0 0
!
scheduler max-task-time 5000
sntp server 129.127.40.3
end

Thanks

Federico Coto F... Mon, 05/31/2010 - 19:27

ACL 160 is only allowing outbound FTP and VPN traffic; that's why you cannot PING the router anymore.

Let's do this for now.

interface e0
no ip access-group 160 in
exit
ip access-list extended 150
30 permit ip 192.168.10.0 0.0.0.255 any

Test the following:

1. Can you PING 4.2.2.2 from the router?
2. Do you have Internet access from behind the router?
3. Can you FTP to the public server? (By the way, what is the IP address of that server?)

Once we have resolved the above, we can restrict with ACLs.

Federico. 

reza.rafatifard Mon, 05/31/2010 - 21:44

HI Federico,

Thanks for that. I can ping 4.2.2.2, the FTP address and other Internet addresses like Google or Yahoo.

Can you give me a heads-up on how I can restrict Internet access, or just give access to that FTP address (203.171.5.4)?

Thanks in advance,

Reza

Federico Coto F... Tue, 06/01/2010 - 07:29

Reza,

To restrict outbound traffic, the best way is to create an ACL and apply it inbound on the Ethernet0 interface.

For example, if you want to permit IP traffic to IP 203.171.5.4:

access-list 160 permit ip 192.168.10.0 0.0.0.255 host 203.171.5.4
interface e0
ip access-group 160 in

For example, if you want to permit only FTP traffic to IP 203.171.5.4:

access-list 160 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4 eq 21
interface e0
ip access-group 160 in

Remember that when you create an ACL, everything not specified in it will be blocked.

Note:
There's a tricky part in permitting only FTP because it depends on whether you are using FTP in active or passive mode.
You might need to allow more ports in the ACL or inspect the FTP connection.

Federico.

reza.rafatifard Tue, 06/01/2010 - 17:24

Hi Federico,

All good now, but FTP is not working, because the FTP server is in active mode. As far as everything is open from 192.168.10.0 to any, I don't know why FTP is not working.

I can telnet to 203.171.5.4 on port 21 but not on port 20.

Do you have an idea how I can fix this?

Regards,

Reza

Federico Coto F... Tue, 06/01/2010 - 17:28

Reza,

If you try passive FTP it should work.

If you want active FTP, then the FTP server will actually create the data channel to the client.

In passive FTP, both control and data channel are established from the client to the server.

In active FTP, the client establishes the control channel but the server then negotiates the data channel back to the client.

If you remove the ACLs from the configuration, does it work?

Federico.

reza.rafatifard Tue, 06/01/2010 - 18:19

Hi Mate,

If I remove the ACL you told me about, then we get back to the first phase. The ACL you told me to configure:

interface e0
no ip access-group 160 in
exit
ip access-list extended 150
30 permit ip 192.168.10.0 0.0.0.255 any

If I remove this, then I cannot telnet or ping my FTP server.

If I add "access-list 150 permit tcp 192.168.10.0 0.0.255.255 host 203.171.5.4 range ftp-data", do you think it will resolve the problem?

Regards,

Reza

Correct Answer
Federico Coto F... Tue, 06/01/2010 - 19:41

Reza,

It's because we're dealing with two different concepts of ACLs here.
ACL 160 is applied to an interface (inbound on Ethernet0), so this ACL is to permit/deny traffic.
ACL 150 is applied to a NAT rule (you cannot remove it because you'll lose Internet).

I was asking to remove the filtering ACL which is the 160 only.

The test that I was asking was to either remove the ACL 160 or add a line like this:
access-list 160 permit ip any any
And check if everything works.

Federico.

reza.rafatifard Tue, 06/01/2010 - 21:09

Hi Federico,

I removed ACL 160 and that resolved the issue.

I appreciate your effort on this case

Regards,

Reza
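Editor's note with an added example (not code from the thread or from either participant). The thread ends with the interface ACL 160 removed and the NAT ACL 150 extended with "30 permit ip 192.168.10.0 0.0.0.255 any", which gives the Perth LAN unrestricted outbound Internet, the opposite of what was asked for. Federico's point that the two ACLs do different jobs is the key: ACL 150 only decides what gets translated, ACL 160 (applied inbound on Ethernet0) decides what leaves the LAN at all, including traffic to the router itself. The posted two-line ACL 160 permitted only the FTP control channel to port 21, so it dropped the client's side of an active-mode data channel (replies to the server's connection from port 20), a passive-mode data connection (client to the server's ephemeral port), pings to 192.168.10.1 and DHCP requests from new clients. The script below parses the subset of IOS access-list syntax used in the thread, evaluates constructed packets for each of those flows against the posted ACL 160 and against a corrected one, and shows which the corrected ACL permits. Assumptions, flagged in the code as well: the FTP server sources active-mode data connections from port 20 (RFC 959) and uses ports above 1023 for passive mode, the client address 192.168.10.50 and the port numbers are made up, and IOS's built-in NAT FTP translation of the PORT command is what let the data channel work once ACL 160 was gone.

```python
"""Added example (not from the thread): evaluate Cisco IOS extended ACL lines
against sample packets to show why the posted ACL 160 breaks the FTP data
channel and ICMP to the gateway, and to check a corrected ACL.  Only the
syntax subset used below is parsed: ip/tcp/udp/icmp, any/host/wildcard,
eq/gt, established; remarks and trailing keywords like 'log'/'echo' are ignored."""
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "bootps": 67, "bootpc": 68}


def _parse_addr(tok, i):
    """Return (network, next_index) for 'any', 'host A' or 'A WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))  # 0.0.0.255 -> 8 host bits -> /24
    return ipaddress.ip_network(f"{tok[i]}/{32 - wildcard.bit_length()}", strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq N' / 'gt N' at tok[i]; returns (predicate on a port, next_index)."""
    if i >= len(tok) or tok[i] not in ("eq", "gt"):
        return (lambda p: True), i
    n = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return ((lambda p, n=n: p == n) if tok[i] == "eq" else (lambda p, n=n: p > n)), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq/gt] DST [eq/gt] [established]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append({"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "established": "established" in tok[i:]})
    return rules


def evaluate(rules, pkt):
    """First matching rule wins; an unmatched packet hits the implicit deny, as on IOS."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in r["src"] or ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
            continue
        if r["proto"] in ("tcp", "udp") and not (r["sport"](pkt.get("sport", 0)) and r["dport"](pkt.get("dport", 0))):
            continue
        if r["established"] and not pkt.get("ack", False):  # 'established' needs ACK or RST set
            continue
        return r["action"]
    return "deny"


CLIENT, GATEWAY, SERVER = "192.168.10.50", "192.168.10.1", "203.171.5.4"  # client address assumed

# Constructed packets, all in the direction ACL 160 sees them: entering Ethernet0 from the LAN.
PACKETS = {
    "control: SYN to server:21": dict(proto="tcp", src=CLIENT, sport=49152, dst=SERVER, dport=21),
    "active data: SYN-ACK to server:20": dict(proto="tcp", src=CLIENT, sport=49153, dst=SERVER, dport=20, ack=True),
    "passive data: SYN to server:51000": dict(proto="tcp", src=CLIENT, sport=49154, dst=SERVER, dport=51000),
    "ping gateway 192.168.10.1": dict(proto="icmp", src=CLIENT, dst=GATEWAY),
    "DHCP discover from a new client": dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67),
    "web to an unrelated host": dict(proto="tcp", src=CLIENT, sport=49155, dst="203.0.113.10", dport=80),
}

# ACL 160 exactly as posted in the thread (applied 'ip access-group 160 in' on Ethernet0).
ACL_160_POSTED = """
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 160 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4 eq 21
"""

# Suggested replacement.  Assumptions: the server sources active-mode data connections
# from port 20 (RFC 959) and uses ports above 1023 for passive mode; LAN hosts still
# need DHCP from, and ping to, the router.  The trailing deny logs anything else.
ACL_160_FIXED = """
access-list 160 remark Traffic for the Sydney site, same hosts as crypto ACL 191
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 160 remark FTP to the one external server: control, active data, passive data
access-list 160 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4 eq ftp
access-list 160 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4 eq ftp-data established
access-list 160 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4 gt 1023
access-list 160 remark Router services the LAN still needs
access-list 160 permit udp any eq bootpc any eq bootps
access-list 160 permit icmp 192.168.10.0 0.0.0.255 host 192.168.10.1 echo
access-list 160 deny ip any any log
"""


def verdicts(acl_text):
    """Map each sample packet name to 'permit' or 'deny' under the given ACL text."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("posted", ACL_160_POSTED), ("fixed", ACL_160_FIXED)):
        print(f"--- ACL 160 ({label}) ---")
        for name, verdict in verdicts(acl).items():
            print(f"{verdict:6} {name}")
```

The ACL_160_FIXED lines can be pasted as-is into the Perth router after "no access-list 160", with "ip access-group 160 in" re-applied on Ethernet0; ACL 150 should then be put back to the single "host 203.171.5.4" line so the NAT rule stays a second line of defence rather than translating anything the LAN sends. If the router's IOS image includes the Firewall feature set, "ip inspect name <name> ftp" can track the FTP data channel dynamically in place of the static port-20 and gt-1023 lines (the "inspect" option Federico mentions); that is not shown here because the posted image is not known to have it. Separately, the pasted configuration has no inbound ACL on Dialer0 while "ip http server" and an SNMP read-only community are enabled, and it exposes the ISAKMP pre-shared key and type 7 passwords; those are worth addressing on their own.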
