Zone Based Firewall - Fixup command equivalent

Unanswered Question
Apr 6th, 2011

Hi Friends,

I am configuring ZBFW.I am trying to configure FTP Server access from Internet. That is Internet users will access the FTP Server which is placed behind the ZBFW router (Cisco 2911).

I configured as below

class-map type inspect TEST
match protocol ftp
match access-group name TEST-ACL

ip access-list extended TEST-ACL
permit ip any host z.y.a.b

But i am able to login  to FTP server using cmd prompt (c:> ftp x.y.a.b). But not able to list the File directories. Then i found that it is the control channel issues (FTP Port 20)

Generally it is solved by FIXUP commands in ASA/PIX. How it is handled in IOS Firewall

Thanks  in advance

sairam

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (3 ratings)
Cadet Alain Wed, 04/06/2011 - 06:31

Hi,

This is done with the inspect clause in your policy-map for the class-map TEST and applying this policy with source zone where the client is and destination zone where the server is.

Regards.

Alain.

Giuseppe Larosa Wed, 04/06/2011 - 14:17

Hello Sairam,

I would say it is related to active or passive FTP

on ftp prompt on shell try to use pasv if it is permitted by FTP server to change to passive mode in this way both control connection and data connection should start from the same side.

Hope to help

Giuseppe

snarayanaraju Thu, 04/07/2011 - 00:13

Hi Giuseppe / Alain,

Thanks for your time.

Before writing this post Infact I tried to capture the traffic in both Client and FTP server and understood that this is a issue with PASV & ACTIVE logic in FTP Server.My FTP Server which is kept behind the ZBFW.


In ASA/PIX or any other firewall, this intelligent is by default enabled and I dont face such issues like this.

I applied the class-map policy as below

policy-map type inspect TEST
class-map type inspect TEST
inspect

Then applied the service policy as you also told.

Should i do any thing else other than this to bring application intelligence for FTP application (Control & Data channel)

Thanks

sairam

Cadet Alain Thu, 04/07/2011 - 01:25

Hi,

Should i do any thing else other than this to bring application intelligence for FTP application (Control & Data channel)

It's still not working?  Can you put this command in global config: ip inspect log drop-pkt and enable console logging then try and post output of log message.

Regards.

Alain.

snarayanaraju Sat, 04/09/2011 - 00:09

Hi Alain,

I like to mention here an interesting fact. In original setup which i was discussing, was experimented in IOS Version 15.0(1)M3

I tested this same scenario using IOS version 12.4(15)T5 & found that it is working. The same configuration is below

class-map type inspect match-any CLIENT-SRV

  match protocol icmp

  match protocol ftp

class-map type inspect match-all CLIENT-SRV-TRAFFIC

  match access-group name CLIENT-SRV

  match class-map CLIENT-SRV

!

!

policy-map type inspect CLIENT-SRV-TRAFFIC

   class type inspect CLIENT-SRV-TRAFFIC

   inspect class class-default

   drop log

!

zone security CLIENT-SRV zone security SRV-CLIENT

zone-pair security CLIENT-SRV source CLIENT-SRV destination SRV-CLIENT

service-policy type inspect CLIENT-SRV-TRAFFIC

It is working with IOS 12.4 and not working in IOS 15.0(1)

ANY CLUES SIR???

regards,

sairam

snarayanaraju Sat, 04/09/2011 - 00:29

Hi

In previous post I missed some lines. Please use this config pasted below

class-map type inspect match-any CLIENT-SRV
  match protocol icmp
  match protocol ftp
class-map type inspect match-all CLIENT-SRV-TRAFFIC
  match access-group name CLIENT-SRV
  match class-map CLIENT-SRV
!
policy-map type inspect CLIENT-SRV-TRAFFIC
   class type inspect CLIENT-SRV-TRAFFIC
   inspect class class-default
   drop log
!
zone security CLIENT-SRV
zone security SRV-CLIENT
zone-pair security CLIENT-SRV source CLIENT-SRV destination SRV-CLIENT
service-policy type inspect CLIENT-SRV-TRAFFIC
zone-pair security SRV-CLIENT source SRV-CLIENT destination CLIENT-SRV
service-policy type inspect SRV-CLIENT

interface FastEthernet0/1
description ####  FTP-CLIENT #####
ip address 192.168.1.5 255.255.255.0
zone-member security CLIENT-SRV
!
interface FastEthernet0/0
description #### FTP SERVER ###
ip address 172.16.1.1 255.255.255.0
zone-member security SRV-CLIENT

sairam

Cadet Alain Sun, 04/10/2011 - 01:59

Hi,

zone-pair security SRV-CLIENT source SRV-CLIENT destination CLIENT-SRV
service-policy type inspect SRV-CLIENT

Can you try without this and otherwise can you post sh policy-map type inspect

Regards.

Alain.

snarayanaraju Sun, 04/10/2011 - 04:20

Hi Alain,

I cannot remove the Zone-pair statement in the Router as many other policy-map is binded to that and this Router is my Gateway router.

In test environment i can do that, but i have only 12.4 IOS routers in test environment and not IOS 15.0 for testing.In fact, i removed this line from the configuration when i was working with 12.4 IOS. No problem, the setup is woking fine

Working configuration (working only in 12.4)

class-map type inspect match-any CLIENT-SRV
match protocol icmp
match protocol ftp
class-map type inspect match-all CLIENT-SRV-TRAFFIC
match access-group name CLIENT-SRV
match class-map CLIENT-SRV
!
!
policy-map type inspect CLIENT-SRV-TRAFFIC
class type inspect CLIENT-SRV-TRAFFIC
  inspect
class class-default
  drop log
!
zone security CLIENT-SRV
zone security SRV-CLIENT
zone-pair security CLIENT-SRV source CLIENT-SRV destination SRV-CLIENT
service-policy type inspect CLIENT-SRV-TRAFFIC

Any problem / bug with IOS 15.0 (I am not seeing any known bug description in CISCO BUG TOOLKIT)

regards,

sairam

olly.lawrence Wed, 05/18/2011 - 07:08

Hi There,

I too am having quite a lot of trouble with FTP and also running 15.0(1r)M1.

I have narrowed this down to clinets using ESVP (Extended Passive Mode) and IOS doens't seem to track this properly, However not having full control over all clients its kinda useless information.

So if any one else has fixed / shed any light on this that would be great.

Regards

-Olly

andysuggars Thu, 02/23/2012 - 21:43

I know it's an old thread but it's marked as Not Resolved, and I too am having this problem and can't seem to figure it out. I'm also using 15.0(1)M7, and everything looks right to me. Perhaps some fresh eyes can spot something I glaze over.

I get this in the log on the 877 when I try to connect with Firefox externally. It points to the passive ports being the problem, but I've got everything in the config that i think looks correct. Perhaps it's a bug in this IOS release, but i couldn't find anything, and when I'm on the local network i can connect to the FTP server with out problem

Feb 24 14:53:06.744: %FW-3-FTP_NON_MATCHING_IP_ADDR: (target:class)-(ZP_UNTRUST_TRUST:INBOUND_SERVICES_to_TRUST-classmap):Non-matching address 60.213.14.217 used in PASV response  -- FTP client 203.31.22.138  FTP server 192.168.0.200

I think it’s something to do with the passive ports, but from my understanding if you are using default FTP ports and you inspect ftp traffic then the zone based firewall monitors the state and applies the relevant Application Layer Gateway changes required to the payload.

ip port-map user-FTP_WEB-1122 port tcp 1122 description FTP SSL_WEB IN

ip cef   

!

----This is the class map  to match ftp traffic to the FTP Server

class-map type inspect match-any FTP_SERVICES-classmap

match protocol ftp

match protocol user-FTP_WEB-1122

------This is the class map to match the services and only allow the access list 110 destination which is the ip address of the internal FTP server

class-map type inspect match-all INBOUND_SERVICES_FTP-classmap

match class-map FTP_SERVICES-classmap

match access-group 110

------ Just another inbound service to another server

class-map type inspect match-all INBOUND_E4300-classmap

match protocol user-E4300

match access-group 111

----- This is the class map that is bound to the Policy-Map UNTRUST_TRUST- policymap to allow the inbound FTP connections

class-map type inspect match-any INBOUND_SERVICES_to_TRUST-classmap

match class-map INBOUND_E4300-classmap

match class-map INBOUND_SERVICES_FTP-classmap

class-map type inspect match-all INVALID_SRC-classmap  -----IP Spoofing protection

match access-group 109

!

----- This policy map is bound to the Zone Pair of Untrust to Trust

policy-map type inspect UNTRUST_TRUST-policymap

class type inspect INVALID_SRC-classmap ---- IP spoofing protection

  drop   

class type inspect INBOUND_SERVICES_to_TRUST-classmap   ---- classmap that includes the FTP match statement

  inspect

class class-default

  drop

!

!

zone security TRUST

zone security UNTRUST

----- Zone Pair to allow internal clients access to the internet

zone-pair security ZP_TRUST-UNTRUST source TRUST destination UNTRUST

service-policy type inspect TRUST_UNTRUST-policymap

----- Zone Pair to allow clients on the internet access to the FTP server

zone-pair security ZP_UNTRUST_TRUST source UNTRUST destination TRUST

service-policy type inspect UNTRUST_TRUST-policymap

!

!

!

!

interface Vlan11

description INSIDE

ip address 192.168.0.254 255.255.255.0

ip nat inside

ip nat enable

ip virtual-reassembly

zone-member security TRUST ---- interface Vlan11 is in the Trust zone

!

interface Dialer0

description OUTSIDE

ip address negotiated

ip mtu 1492

ip nat outside

ip nat enable

ip virtual-reassembly

zone-member security UNTRUST ----- Dialer0 interface is in the Untrust zone

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

!

ip forward-protocol nd

!

ip nat inside source list 1 interface Dialer0 overload ---- NAT statement to allow internal clients access to the internet

ip nat inside source static tcp 192.168.0.200 1122 interface Dialer0 1122

-----Below is the NAT statement to allow traffic inbound on port 21 to the public  IP of the dialer0 interface to be forwarded to port 21 of the internal FTP server, 192.168.0.200

ip nat inside source static tcp 192.168.0.200 21 interface Dialer0 21

ip route 0.0.0.0 0.0.0.0 Dialer0

!

!

access-list 1 permit 192.168.0.0 0.0.0.255  ----- NAT ACL to allow internal clients access to the internet

access-list 109 permit ip host 255.255.255.255 any

access-list 109 permit ip 127.0.0.0 0.255.255.255 any

access-list 109 permit ip 10.0.0.0 0.255.255.255 any

access-list 109 permit ip 172.16.0.0 0.15.255.255 any

access-list 109 permit ip 192.168.0.0 0.0.255.255 any

---- Below is the ACL 110 that the classmap “INBOUND_SERVICES_FTP-classmap” uses to only allow inbound FTP inspection to the FTP server ip 192.168.0.200

access-list 110 permit ip any host 192.168.0.200

access-list 111 permit ip any host 192.168.0.1

dialer-list 1 protocol ip permit

Any help would be much appreciated

Actions

Login or Register to take actions

This Discussion

Posted April 6, 2011 at 5:45 AM
Stats:
Replies:10 Avg. Rating:5
Views:1034 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard