08-05-2010 05:35 AM - edited 03-11-2019 11:21 AM
I have set up an inbound ACL on the outside interface of my router that allows TCP ports 20 and 21 in, and I have a CBAC inspect map with FTP specified on the same interface in an outbound direction. My understanding is that the inspect will check all outbound traffic and dynamically fix the inbound ACL for the client/server negotiated ports. I have active FTP clients like the command line Windows ftp working, but passive clients like a browser do not.
If I uncheck passive mode on my browser it works, further confirming that active FTP works. Ironically, the browser active/passive option says that passive mode is for firewall compatibility!
Any ideas on this? I would really like both to work because I frequently use the command line ftp and most others prefer the browser.
Thanks,
Diego
08-06-2010 07:34 PM
Is this issue resolved?
interface FastEthernet0/0
description public IP
ip address 72.17.151.190 255.255.255.224
ip access-group 101 in
ip nat outside
ip inspect firewall out
ip inspect firewall in ------------------------> Pls. add this line as well.
For ftp traffic the user id and password go over the control channel using tcp 21. You need to allow this via ACL. Inspection will take care of opening the data channel.
For active ftp the server sends the data using the source port tcp 20. The client sends the port command.
In case of passive ftp the server sends the port command and the client connects back to the high port >1024 to receive data.
http://slacksite.com/other/ftp.html#actexample
-KS
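Modelling what the inspection described above has to do on the control channel, as an added illustration that is not from this thread: the addresses and the FTP exchange are constructed, and the only value taken from the thread is the server high port 16787 that the poster saw denied.

```python
import re
from dataclasses import dataclass

# Constructed control-channel exchange (illustrative addresses, not the poster's).
CLIENT = "198.51.100.10"   # external FTP client
SERVER = "192.0.2.20"      # protected FTP server behind the router
CONTROL_EXCHANGE = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest@example.com"),
    ("server", "230 Login successful."),
    ("client", "PORT 198,51,100,10,4,1"),      # active: client listens on 4*256+1 = 1025
    ("server", "200 PORT command successful."),
    ("client", "LIST"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,0,2,20,65,147)."),  # 65*256+147 = 16787
    ("client", "RETR file.bin"),
]
STATIC_INBOUND_PORTS = {20, 21}   # what the poster's inbound ACL permits statically

@dataclass(frozen=True)
class Pinhole:
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str   # "inbound" = from the Internet towards the protected server

_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(h1, h2, h3, h4, p1, p2):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)

def inspect_ftp(exchange, client_ip, server_ip):
    """Walk the control channel and derive the data-channel pinholes it implies."""
    pinholes = []
    for who, line in exchange:
        if who == "client" and (m := _PORT_RE.match(line)):
            ip, port = _decode(*m.groups())      # active: server connects out to the client
            pinholes.append(Pinhole(server_ip, ip, port, "outbound"))
        elif who == "server" and (m := _PASV_RE.match(line)):
            ip, port = _decode(*m.groups())      # passive: client connects in to a high port
            pinholes.append(Pinhole(client_ip, ip, port, "inbound"))
    return pinholes

def inbound_permitted(src_ip, dst_ip, dst_port, pinholes):
    """Static ACL plus dynamic pinholes: True if the inbound SYN would be accepted."""
    if dst_port in STATIC_INBOUND_PORTS:
        return True
    return any(p.direction == "inbound" and (p.src_ip, p.dst_ip, p.dst_port)
               == (src_ip, dst_ip, dst_port) for p in pinholes)
```

Without the passive pinhole, the client's connection to the server's port 16787 is exactly the packet the poster's debug shows being denied; with it, the same packet passes while the rest of the high ports stay closed.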
08-05-2010 06:29 AM
Hi Diego,
Where is the client and where is the server? I mean, with respect to the firewall, which is on the inside and which is on the Internet?
08-05-2010 07:34 AM
The ftp server is behind the firewall on the private and protected network. Clients are hitting the ftp server from the public Internet.
Thanks,
Diego
08-05-2010 07:48 AM
If your active connections are working and passive are not working, I can think of only one thing and that is inspect ftp.
Please make sure that inspect ftp is before inspect tcp, otherwise inspect ftp will never work.
So this is how it should be:
ip inspect name FW ftp
ip inspect name FW tcp
but not the other way
08-05-2010 08:23 AM
Unfortunately, I do have the ftp inspect first. Here is what I have:
ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall tftp
ip inspect name firewall https
ip inspect name firewall icmp
ip inspect name firewall imap
ip inspect name firewall pop3
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall skinny
ip inspect name firewall sip
I took some packet debugs and I can see where the packet is denied when the client begins sending to the negotiated high port. In the debug, when the client sends to the server's TCP port 16787 the packet is denied. So it seems like CBAC is not dynamically opening the negotiated ports as it should. I have attached the packet debug if you care to look at it. Maybe I will open a case with the TAC.
Thanks,
Diego
08-05-2010 08:40 AM
Please put in this command, see the logs and paste them here:
ip inspect log drop-packet
Also, just to confirm that it is the firewall, remove the access-group from the outside interface so that you permit everything inside.
08-05-2010 09:57 AM
The ip inspect log drop-pkt does not show any packets being dropped. However, when I removed the ACL it worked like a champ. So we know it is the ACL, but I don't think it is a good idea to open up all the high ports. It just seems that CBAC is not opening up the ports as it should. I would think maybe a bug, but I am running a fairly up to date IOS of 12.4(20)T4.
Any ideas?
Thanks,
Diego
08-05-2010 10:40 AM
Can you share with us your interface (inside/outside) config, also the ACL and CBAC config? If you agree with this, please use example IP addresses in your post.
08-05-2010 11:34 AM
I know you have already done this and some of my steps below might sound very stupid... but try them, they have worked for me.
Try one more small thing:
open only port 20 with your access-list.
This should allow passive ftp.
If this works then it is the inspection that's not working.
Try removing inspection ftp and reapplying.
08-05-2010 11:39 AM
Not sure I follow you here. I currently have both 20 and 21 open. Active is working and passive is not. So you want me to remove 21 and recheck passive?
I will also try removing and reapplying the inspect command.
Diego
08-05-2010 02:26 PM
Just for testing purposes, have you tried to open all IP traffic for that server? Just do it, try it and then close all IP. If it works then we know the problem is with the FTP inspection.
08-05-2010 02:39 PM
Hi Diego,
We have tried that and it works OK. At this point I am well satisfied that it is the inspection. Now I need to find out if I am doing something wrong, or maybe missing something or maybe just a bug.
Thanks for your input.
Diego
08-05-2010 02:56 PM
Diego,
All CBAC is a bug. Change to Zone-Based, which is easier to manage and does a better job.
08-05-2010 08:31 PM
Never heard of zone-based. Is that available on IOS routers?
diego