passive FTP doesn't work with CBAC

Answered Question
Aug 5th, 2010
User Badges:

I have setup an inbound ACL on the outside interface  of my router that allows TCP ports 20 and 21 in and I have a CBAC inspect map with FTP specified on the same interface in an outbound direction.  My understanding is that the inspect will check all outbound traffic and dynamically fix the inbound ACL for the client/serve negotiated ports.  I have active FTP clients like the command line Windows ftp work, but passive clients like a browser do not.


If I uncheck passive mode on my browser it works further confirming that active FTP works.  Ironically, the browser active/passive option says that passive mode is for firewall compatibility!


Any ideas on this?  I would really like both to work because I frequently use the command line ftp and most others prefer the browser.


Thanks,

Diego

Correct Answer by Kureli Sankar about 6 years 7 months ago

Is this issue resolved?


interface FastEthernet0/0
description public IP
ip address 72.17.151.190 255.255.255.224
ip access-group 101 in
ip nat outside
ip inspect firewall out

ip inspect firewall in ------------------------> Pls. add this line as well.


for ftp traffic the user id and password goes over the control channel using tcp 21.You need to allow this via ACL. Inspection will take care of opening the data channel.

For active ftp the server sends the data using the source port tcp 20. Client sends the port command.

In case of passive ftp the server sends the port command and the client connects back to the high port >1024 to receive data.

http://slacksite.com/other/ftp.html#actexample



-KS

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.6 (6 ratings)
Loading.
Jitendriya Athavale Thu, 08/05/2010 - 06:29
User Badges:
  • Cisco Employee,

hi diego


where is the client and where is the server, i mean with respect to firewall which is on inside and which is on internet

DIEGO ALONSO Thu, 08/05/2010 - 07:34
User Badges:

The ftp server is behind the firewall on the private and protected network.  Clients are hitting the ftp server from the public Internet.


Thanks,

Diego

Jitendriya Athavale Thu, 08/05/2010 - 07:48
User Badges:
  • Cisco Employee,

if your active connection are working and passive are not working i can think of only one thing and that is inspect ftp


please make sure that inspect ftp is before inspect tcp other inspect ftp will never work


so this is how it should be



ip inspect name FW ftp

ip inspect name FW tcp


but not the other way

DIEGO ALONSO Thu, 08/05/2010 - 08:23
User Badges:

Unfortunately, I do have the ftp inspect first.  Here is what I have:


ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall tftp
ip inspect name firewall https
ip inspect name firewall icmp
ip inspect name firewall imap
ip inspect name firewall pop3
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall skinny
ip inspect name firewall sip

I took some packet debugs and I can see where the packet is denied when the client begins sending to the negotiated high port.  In the debug when the client sends to the servers TCP port 16787 the packet is denied.  So it seems like CBAC is not dynamically openning the negotiated ports as it should.  I have attached the packet debug if you care to look at it.  Maybe I will open a case with the TAC.


Thanks,

Diego

Jitendriya Athavale Thu, 08/05/2010 - 08:40
User Badges:
  • Cisco Employee,

please put this command and see the logs and paste them here


ip inspect log drop-packet



also just to confirm taht it is the firewall remove the access-group from the outside interafce so taht you permit everything inside

DIEGO ALONSO Thu, 08/05/2010 - 09:57
User Badges:

The ip inspect log drop-pkt does not show any packets being dropped. However when I removed the ACL it worked like a champ.  So we know it is the ACL but I don't think it is a good idea to open up all the high ports.  It just seems that CBAC is not opening up the ports as it should.  I would think maybe a bug but I am running a fairly up to date IOS of 12.4(20)T4.


Any ideas?


Thanks,

Diego

e.pedersen Thu, 08/05/2010 - 10:40
User Badges:

Can you share with us your interfaces (inside/outside) config, also ACL and cbac config, if you agreed with this, please use examples IP address on your post.

Jitendriya Athavale Thu, 08/05/2010 - 11:34
User Badges:
  • Cisco Employee,

i know you have already done this and some of my below steps might sound very stupid... but try them they have worked for me


try one more small thing


open only port 20 with your access-list


this should allow passive ftp


if this works then it is the inspection thats not working


trying removing inspection ftp and reapplying

DIEGO ALONSO Thu, 08/05/2010 - 11:39
User Badges:

Not sure I follow you here.  I have currently have both 20 and 21 open.  Active is working and passive is not.  So you want me to remove 21 and recheck passive?


I will also try removing and reapplyting the inspect command.


Diego

Diego Armando C... Thu, 08/05/2010 - 14:26
User Badges:
  • Bronze, 100 points or more

Just for testing pursoses. Have you tried to open all IP traffic for that server. Just do it, try it and then close all IP. If it works then we know the problem is with the FTP Inspection.

DIEGO ALONSO Thu, 08/05/2010 - 14:39
User Badges:

Hi Diego,


We have tried that and it works OK.  At this point I am well satisfied that it is the inspection.  Now I need to find out if I am doing something wrong, or maybe missing something or maybe just a bug.


Thanks for your input.


Diego

Diego Armando C... Thu, 08/05/2010 - 14:56
User Badges:
  • Bronze, 100 points or more

Diego,


All CBAC is a Bug. Change to ZOne-Based that is easier to manage and do a better work

DIEGO ALONSO Thu, 08/05/2010 - 20:31
User Badges:

Never heard of zone-based.  Is that available on IOS routers?


diego

Jitendriya Athavale Thu, 08/05/2010 - 22:18
User Badges:
  • Cisco Employee,

it is supported on IOS


well it is recommended u go thr only if you see that cbac is unable to achieve what you want


it provides more flexibility


in any case, for your query we seem to have isolated the issue that inspect ftp is broken, i have seen a lot of bugs related to broken inspect for L7


you can go to zone-based-firewall but let me advise you that it is also unpredictable at times as far as features are concerned. when it works it works like magic but when something is boken it get really tough to isolate


to resolve your issue, i think its worth a try to go to 15.0 code which is latest, i would suggest even if you go to zone-based firewall use this code

DIEGO ALONSO Fri, 08/06/2010 - 04:30
User Badges:

One more question before I try the zone bases approach.  What type of ftp server did you test with?  I did a test with a 2nd router runing a slightly older IOS and got the same results.  In both my cases the ftp server being protected was a Windows server.  Maybe CBAC and Windows ftp don't get along?


Diego

Correct Answer
Kureli Sankar Fri, 08/06/2010 - 19:34
User Badges:
  • Cisco Employee,

Is this issue resolved?


interface FastEthernet0/0
description public IP
ip address 72.17.151.190 255.255.255.224
ip access-group 101 in
ip nat outside
ip inspect firewall out

ip inspect firewall in ------------------------> Pls. add this line as well.


for ftp traffic the user id and password goes over the control channel using tcp 21.You need to allow this via ACL. Inspection will take care of opening the data channel.

For active ftp the server sends the data using the source port tcp 20. Client sends the port command.

In case of passive ftp the server sends the port command and the client connects back to the high port >1024 to receive data.

http://slacksite.com/other/ftp.html#actexample



-KS

DIEGO ALONSO Sat, 08/07/2010 - 06:56
User Badges:

KS, you da man!  Adding that line worked!


Not a big deal if you don't know or don't have time but, why?  All the docs that I have read on CBAC show applying the inspect in one direction only. So why do I need to add it in the "in" direction?  Do I need the "out"?


Thanks,

Diego

Kureli Sankar Sat, 08/07/2010 - 12:37
User Badges:
  • Cisco Employee,

Thanks.

Diego,

When you apply the firewall "OUT" on the interface that is for connections going outbound - from inside hosts to the internet.  This is for connection initiated from the inside.


When your ftp server is on the inside, these connections are coming from the internet inbound to your server. So, you need the firewall "IN" on this outside interface so, the firewall once sees connection inbound it will allow the response to go back out. This is for connections initiated from the internet. I hope it is clear.


Also, you can move the FW that you applied OUT on this interface to the inside interface as IN.  Makes sense?


Both the inside and outside interfaces will have the firewall applied IN on the interface.


-KS

DIEGO ALONSO Sat, 08/07/2010 - 13:59
User Badges:

Thank you for the explantion sir.  It is much appreciated.


Diego

Actions

This Discussion