FTP Traffic Inspection

Unanswered Question
Sep 19th, 2010

Hello Security Expert Team,

I am using the Cisco ASA 5510/ver 8.2(1) and I am doing some the basic deep inspection for FTP traffic config:

begin:

!

regex REG_C26XX "^c26.*"
regex REG_C28XX "^c28.*"

!

class-map FTP
match port tcp eq ftp

!

class-map type regex match-any deny_files
match regex RE_C26XX
match regex RE_C28XX

!

class-map type inspect ftp match-all deny_commands
match request-command site dele rmd

!

policy-map type inspect ftp ftp_inspect
parameters
  mask-banner

  mask-syst-reply
match filename regex class deny_files
  reset
class deny_commands
  reset

!

policy-map outside

class FTP
  inspect ftp strict ftp_inspect
!

service-policy outside interface outside

!

test regex c2600.bin ^c26.*

!
end

And I did some test in this case:

1. I have Connected to FTP Server

2. I have got successfully the c2600.bin file

3. show service-policy interface outside inspect  ftp ( I didn't see drop/reset packets here)

I have double-checked running configuration and I did not know why ? Could you please help me to find out this issue in thic case?

Thank you very much,

Tran

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Nagaraja Thanthry Sun, 09/19/2010 - 00:51

Hello,

Seems like you matched wrong REGEX list.

regex REG_C26XX "^c26.*"
regex REG_C28XX "^c28.*"

!

class-map type regex match-any deny_files
match regex RE_C26XX
match regex RE_C28XX

You are missing the character "G" in the match statements. Can you fix that and see if that helps?

Regards,

NT

Hanh Nguyen Sun, 09/19/2010 - 00:58

The wrong Cut & Paste in this discussion but the running-configuration in the ASA is correct and that the reson why I must ask expert team Thanks

Nagaraja Thanthry Sun, 09/19/2010 - 01:07

Hello,

Can you try the following:

class-map type regex match-any deny_files
match filename regex REG_C26XX
match filename regex REG_C28XX

Hope this helps.

Regards,

NT

Hanh Nguyen Sun, 09/19/2010 - 01:28

Hello,

I did it in this case before by created access-list with range port 21 22 but I am still got the same issue. You can try

regards,

Hanh Nguyen Sun, 09/19/2010 - 01:29

Hello,

I did it in this case before by created access-list with range port 20 21 but I am still got the same issue. You can try

regards,

praprama Sun, 09/19/2010 - 01:35

Hi,

What kind of FTP connection are you testing using? Active or Passive? If it's Active then access-list on pirt 20 makes sense. But if you are trying using passive FTP, the data connection will be on a random negotiated port. That is why i had suggested an access-list with all TCP traffic to the FTP server without an ports as below:

access-list FTP match tcp any host a.b.c.d

class-map FTP

no  match port tcp eq ftp

match access-list FTP

Please try this out and see if it works. Also, please paste the output of show service-policy.

Regards,

Prapanch

Hanh Nguyen Sun, 09/19/2010 - 02:47

Hello Prapanch,

Client-------------(out)(ASA)(dmz)-------------FTP_Server

FTP_Srv (support both Act/Pass Mode):

For Active Mode:

Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
                          
                          <---------DATA OK Port:2030-------->

DATA Port: 2030  <-----------Data Channel--------------- DATA PORT:20


For Passive Mode:

Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
                          
                          <---------Passive OK Port:2020--------

  DATA Port:2030  -----------Data Channel---------------> DATA PORT:2020

As my understanding, The ASA is stateful inspection/Multi-packets technology and I think that the ASA is enough smart to inspect sub-connection   and As your mentioned I must create access-list to classify once again for Data Channel in the both Active/Passive mode in this case. It seem the best answer , and I will do it tomorrow and give the result to you. Thank you very much

Regards,

Tran

Hanh Nguyen Sun, 09/19/2010 - 19:16

Hello Prapanch,

Client-------------(out)(ASA)(dmz)-------------FTP_Server

FTP_Srv (support both Act/Pass Mode):

For Active Mode:

Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
                          
                          <---------DATA OK Port:2030-------->

DATA Port: 2030  <-----------Data Channel--------------- DATA PORT:20


For Passive Mode:

Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
                          
                          <---------Passive OK Port:2020--------

  DATA Port:2030  -----------Data Channel---------------> DATA PORT:2020

As  my understanding, The ASA is stateful inspection/Multi-packets  technology and I think that the ASA is enough smart to inspect  sub-connection

and As your mentioned I must create access-list to classify once again  for Data Channel in the both Active/Passive mode in this case.

access-list FTP match tcp any host a.b.c.d

class-map FTP

no  match port tcp eq ftp

match access-list FTP

As your mentioned, I did it:

access-list FTP permit tcp any any (for test deep inspection in this case)

class-map FTP

no match port tcp eq ftp

match access-list FTP

!

It didn't work correctly

ASA# sh service-policy interface outside ins ftp

Interface outside:
  Service-policy: outside
    Class-map: http_from_outside
    Class-map: FTP
      Inspect: ftp strict ftp_inspect, packet 316, drop 76, reset-drop 0
               Retx cmd in cmd mode drop        64
               Cmd in reply mode drop           12
        mask-banner enabled
        mask-syst-reply enabled
        match filename regex class deny_files  --------------> didn't see packets
          reset log, packet 0
        class deny_commands
          reset, packet 0
    Class-map: smtp_server
ASA#

regards,

Tran

praprama Mon, 09/20/2010 - 05:48

Hey Tran,

Just wanted to confirm. Have you tested the filename c2600.bin agains the regex you have configured? Also, please try testing the filename c2600 against the regex configured. Just wanna ocnfirm we have the regex configured right.

Also, can you please get the captures of the entire FTP session in a .pcap format from the ASA? Would like to see the exact parameters being sent by the client. For configuring captures, pelase refer the below document:

https://supportforums.cisco.com/docs/DOC-1222

Thanks and Regards,

Prapanch

praprama Sun, 09/19/2010 - 01:12

Hey,

The reason could be because of the below config:

class-map FTP
match port tcp eq ftp

policy-map outside

class FTP

  inspect ftp strict  ftp_inspect

So in the above case, we are matching traffic on port TCP/21 (due to the command match port tcp eq ftp). All the filenames and commands will i guess be exchanged in the "data connection" and not in the "control connection" which is TCP/21. The port for data connection depends on what type of FTP we are using, that is, active or passive. So the best option is to apply an access-list to the FTP server.

Try changing the config to something like below:

Assuming the FTP server's IP address is a.b.c.d

access-list FTP match tcp any host a.b.c.d

class-map FTP

no match port tcp eq ftp

match access-list FTP

Try this out and let me know how it goes!!

Regards,

Prapanch

Hanh Nguyen Sun, 09/19/2010 - 01:24

Hello,

The keyword "filename" didn't see in the syntax: class-map type regex match-any deny_files

Regards,

Tran

hiraldoshi Mon, 11/08/2010 - 08:51

Can you guys tell me what is C26, C28. I am not able to find anything on the web with that reference. Is it something to do with file names??

Thanks!

Actions

This Discussion