04-06-2011 05:45 AM - edited 03-04-2019 11:59 AM
Hi Friends,
I am configuring ZBFW. I am trying to configure FTP server access from the Internet; that is, Internet users will access the FTP server which is placed behind the ZBFW router (Cisco 2911).
I configured it as below:
class-map type inspect TEST
 match protocol ftp
 match access-group name TEST-ACL
ip access-list extended TEST-ACL
 permit ip any host z.y.a.b
I am able to log in to the FTP server using the command prompt (c:> ftp x.y.a.b), but I am not able to list the file directories. Then I found that it is a control channel issue (FTP port 20).
Generally it is solved by FIXUP commands on ASA/PIX. How is it handled in IOS Firewall?
Thanks in advance
sairam
04-06-2011 06:31 AM
Hi,
This is done with the inspect clause in your policy-map for the class-map TEST, and by applying this policy with the source zone where the client is and the destination zone where the server is.
Regards.
Alain.
04-06-2011 02:17 PM
Hello Sairam,
I would say it is related to active or passive FTP.
At the ftp prompt in the shell, try to use pasv (if it is permitted by the FTP server) to change to passive mode; in this way both the control connection and the data connection should start from the same side.
Hope to help
Giuseppe
04-07-2011 12:13 AM
Hi Giuseppe / Alain,
Thanks for your time.
In fact, before writing this post I tried to capture the traffic on both the client and the FTP server, and understood that this is an issue with the PASV & ACTIVE logic in the FTP server, which is kept behind the ZBFW.
In ASA/PIX or any other firewall, this intelligence is enabled by default and I don't face issues like this.
I applied the class-map policy as below:
policy-map type inspect TEST
 class type inspect TEST
  inspect
Then I applied the service policy as you also said.
Should I do anything else other than this to bring application intelligence for the FTP application (control & data channel)?
Thanks
sairam
04-07-2011 01:25 AM
Hi,
Should I do anything else other than this to bring application intelligence for the FTP application (control & data channel)?
Is it still not working? Can you put this command in global config: ip inspect log drop-pkt, enable console logging, then try again and post the output of the log message.
Regards.
Alain.
04-09-2011 12:09 AM
Hi Alain,
I would like to mention an interesting fact here. The original setup which I was discussing was tested on IOS version 15.0(1)M3.
I tested this same scenario using IOS version 12.4(15)T5 and found that it is working. The configuration is below:
class-map type inspect match-any CLIENT-SRV
 match protocol icmp
 match protocol ftp
class-map type inspect match-all CLIENT-SRV-TRAFFIC
 match access-group name CLIENT-SRV
 match class-map CLIENT-SRV
!
!
policy-map type inspect CLIENT-SRV-TRAFFIC
 class type inspect CLIENT-SRV-TRAFFIC
  inspect
 class class-default
  drop log
!
zone security CLIENT-SRV
zone security SRV-CLIENT
zone-pair security CLIENT-SRV source CLIENT-SRV destination SRV-CLIENT
 service-policy type inspect CLIENT-SRV-TRAFFIC
It is working with IOS 12.4 and not working in IOS 15.0(1).
Any clues, sir?
regards,
sairam
04-09-2011 12:29 AM
Hi
In the previous post I missed some lines. Please use the config pasted below:
class-map type inspect match-any CLIENT-SRV
 match protocol icmp
 match protocol ftp
class-map type inspect match-all CLIENT-SRV-TRAFFIC
 match access-group name CLIENT-SRV
 match class-map CLIENT-SRV
!
policy-map type inspect CLIENT-SRV-TRAFFIC
 class type inspect CLIENT-SRV-TRAFFIC
  inspect
 class class-default
  drop log
!
zone security CLIENT-SRV
zone security SRV-CLIENT
zone-pair security CLIENT-SRV source CLIENT-SRV destination SRV-CLIENT
 service-policy type inspect CLIENT-SRV-TRAFFIC
zone-pair security SRV-CLIENT source SRV-CLIENT destination CLIENT-SRV
 service-policy type inspect SRV-CLIENT
!
interface FastEthernet0/1
 description #### FTP-CLIENT #####
 ip address 192.168.1.5 255.255.255.0
 zone-member security CLIENT-SRV
!
interface FastEthernet0/0
 description #### FTP SERVER ###
 ip address 172.16.1.1 255.255.255.0
 zone-member security SRV-CLIENT
sairam
04-10-2011 01:59 AM
Hi,
zone-pair security SRV-CLIENT source SRV-CLIENT destination CLIENT-SRV
service-policy type inspect SRV-CLIENT
Can you try without this, and otherwise can you post the output of sh policy-map type inspect?
Regards.
Alain.
04-10-2011 04:20 AM
Hi Alain,
I cannot remove the zone-pair statement on the router, as many other policy-maps are bound to it and this router is my gateway router.
In the test environment I can do that, but I have only 12.4 IOS routers in the test environment and not IOS 15.0 for testing. In fact, I removed this line from the configuration when I was working with 12.4 IOS. No problem, the setup is working fine.
Working configuration (working only in 12.4):
class-map type inspect match-any CLIENT-SRV
 match protocol icmp
 match protocol ftp
class-map type inspect match-all CLIENT-SRV-TRAFFIC
 match access-group name CLIENT-SRV
 match class-map CLIENT-SRV
!
!
policy-map type inspect CLIENT-SRV-TRAFFIC
 class type inspect CLIENT-SRV-TRAFFIC
  inspect
 class class-default
  drop log
!
zone security CLIENT-SRV
zone security SRV-CLIENT
zone-pair security CLIENT-SRV source CLIENT-SRV destination SRV-CLIENT
 service-policy type inspect CLIENT-SRV-TRAFFIC
Is there any problem / bug with IOS 15.0? (I am not seeing any known bug description in the Cisco Bug Toolkit.)
regards,
sairam
05-18-2011 07:08 AM
Hi There,
I too am having quite a lot of trouble with FTP, and am also running 15.0(1r)M1.
I have narrowed this down to clients using EPSV (Extended Passive Mode), which IOS doesn't seem to track properly. However, not having full control over all clients, it's kind of useless information.
So if anyone else has fixed this or can shed any light on it, that would be great.
Regards
-Olly
02-23-2012 09:43 PM
I know it's an old thread, but it's marked as Not Resolved, and I too am having this problem and can't seem to figure it out. I'm also using 15.0(1)M7, and everything looks right to me. Perhaps some fresh eyes can spot something I glazed over.
I get this in the log on the 877 when I try to connect with Firefox externally. It points to the passive ports being the problem, but I've got everything in the config that I think looks correct. Perhaps it's a bug in this IOS release, but I couldn't find anything, and when I'm on the local network I can connect to the FTP server without problem.
Feb 24 14:53:06.744: %FW-3-FTP_NON_MATCHING_IP_ADDR: (target:class)-(ZP_UNTRUST_TRUST:INBOUND_SERVICES_to_TRUST-classmap):Non-matching address 60.213.14.217 used in PASV response -- FTP client 203.31.22.138 FTP server 192.168.0.200
I think it's something to do with the passive ports, but from my understanding, if you are using the default FTP ports and you inspect FTP traffic, then the zone-based firewall monitors the state and applies the relevant Application Layer Gateway changes required to the payload.
ip port-map user-FTP_WEB-1122 port tcp 1122 description FTP SSL_WEB IN
ip cef
!
! This is the class map to match FTP traffic to the FTP server
class-map type inspect match-any FTP_SERVICES-classmap
 match protocol ftp
 match protocol user-FTP_WEB-1122
! This is the class map to match the services and only allow the access-list 110 destination, which is the IP address of the internal FTP server
class-map type inspect match-all INBOUND_SERVICES_FTP-classmap
 match class-map FTP_SERVICES-classmap
 match access-group 110
! Just another inbound service to another server
class-map type inspect match-all INBOUND_E4300-classmap
 match protocol user-E4300
 match access-group 111
! This is the class map that is bound to the policy-map UNTRUST_TRUST-policymap to allow the inbound FTP connections
class-map type inspect match-any INBOUND_SERVICES_to_TRUST-classmap
 match class-map INBOUND_E4300-classmap
 match class-map INBOUND_SERVICES_FTP-classmap
! IP spoofing protection
class-map type inspect match-all INVALID_SRC-classmap
 match access-group 109
!
! This policy map is bound to the zone pair of Untrust to Trust
policy-map type inspect UNTRUST_TRUST-policymap
 ! IP spoofing protection
 class type inspect INVALID_SRC-classmap
  drop
 ! Class map that includes the FTP match statement
 class type inspect INBOUND_SERVICES_to_TRUST-classmap
  inspect
 class class-default
  drop
!
!
zone security TRUST
zone security UNTRUST
! Zone pair to allow internal clients access to the Internet
zone-pair security ZP_TRUST-UNTRUST source TRUST destination UNTRUST
 service-policy type inspect TRUST_UNTRUST-policymap
! Zone pair to allow clients on the Internet access to the FTP server
zone-pair security ZP_UNTRUST_TRUST source UNTRUST destination TRUST
 service-policy type inspect UNTRUST_TRUST-policymap
!
! Interface Vlan11 is in the Trust zone
interface Vlan11
 description INSIDE
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 zone-member security TRUST
!
! Dialer0 interface is in the Untrust zone
interface Dialer0
 description OUTSIDE
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 zone-member security UNTRUST
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
!
ip forward-protocol nd
!
! NAT statement to allow internal clients access to the Internet
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.200 1122 interface Dialer0 1122
! Below is the NAT statement to allow traffic inbound on port 21 to the public IP of the Dialer0 interface to be forwarded to port 21 of the internal FTP server, 192.168.0.200
ip nat inside source static tcp 192.168.0.200 21 interface Dialer0 21
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
! NAT ACL to allow internal clients access to the Internet
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 109 permit ip host 255.255.255.255 any
access-list 109 permit ip 127.0.0.0 0.255.255.255 any
access-list 109 permit ip 10.0.0.0 0.255.255.255 any
access-list 109 permit ip 172.16.0.0 0.15.255.255 any
access-list 109 permit ip 192.168.0.0 0.0.255.255 any
! Below is ACL 110, which the class map "INBOUND_SERVICES_FTP-classmap" uses to only allow inbound FTP inspection to the FTP server IP 192.168.0.200
access-list 110 permit ip any host 192.168.0.200
access-list 111 permit ip any host 192.168.0.1
dialer-list 1 protocol ip permit
Any help would be much appreciated
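The whole thread turns on one mechanism: the firewall reads the data-channel endpoint out of the control channel (PORT/EPRT from the client in active mode, the 227 PASV or 229 EPSV reply from the server in passive mode) and only opens a pinhole if that endpoint makes sense. The Python below is an added example, not code from this thread, from Cisco or from IOS; it parses those four negotiations and applies the comparison that the %FW-3-FTP_NON_MATCHING_IP_ADDR message in the last post reports on: the address announced must be the peer the firewall already tracks on the control connection. The sample control-channel lines and the "no service port as data port" rule are constructed for the example; only the three addresses (client 203.31.22.138, server 192.168.0.200, announced 60.213.14.217) are taken from the log line above.

```python
"""FTP data-channel negotiation check, modelled on what a stateful
firewall's FTP ALG does before it opens a pinhole for the data connection.
Constructed example; not code from this thread or from Cisco IOS."""
import re

# Server replies in passive mode: 227 PASV carries h1,h2,h3,h4,p1,p2;
# 229 EPSV carries only a port (the address is the control-channel peer).
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")
# Client commands in active mode: the client listens and tells the server
# where to connect to from its port 20.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|([0-9.]+)\|(\d+)\|\s*$", re.I)


def _decode_h_p(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (dotted address, port)."""
    ip = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return ip, port


def parse_data_endpoint(line, client_ip, server_ip):
    """Return (mode, announced_ip, port, expected_ip) for a data-channel
    negotiation line, or None if the line is some other FTP traffic."""
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode_h_p(m.groups())
        return "passive", ip, port, server_ip
    m = EPSV_RE.match(line)
    if m:
        # EPSV announces no address at all: the data connection goes to
        # the same address the control connection already uses.
        return "passive", server_ip, int(m.group(1)), server_ip
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode_h_p(m.groups())
        return "active", ip, port, client_ip
    m = EPRT_RE.match(line)
    if m:
        return "active", m.group(1), int(m.group(2)), client_ip
    return None


def check_data_channel(line, client_ip, server_ip):
    """Decide whether to open a pinhole for the announced data channel.

    Returns (ok, reason, pinhole); pinhole is (initiator, listener, port)
    or None. client_ip/server_ip are the addresses the firewall already
    tracks on the control connection (port 21)."""
    parsed = parse_data_endpoint(line, client_ip, server_ip)
    if parsed is None:
        return True, "not a data-channel negotiation", None
    mode, ip, port, expected = parsed
    if ip != expected:
        # The comparison behind %FW-3-FTP_NON_MATCHING_IP_ADDR: the announced
        # address must be the peer the control channel was built with.
        return False, f"non-matching address {ip} in {mode} negotiation (expected {expected})", None
    if not 1024 <= port <= 65535:
        # Assumed sanity rule for this example: data ports must be ephemeral.
        return False, f"unacceptable data port {port}", None
    if mode == "passive":
        return True, "passive: client connects to server", (client_ip, server_ip, port)
    return True, "active: server connects to client from port 20", (server_ip, client_ip, port)


# Constructed control-channel lines; the three addresses are the ones named in
# the %FW-3-FTP_NON_MATCHING_IP_ADDR log line (client, server, PASV address).
CLIENT, SERVER = "203.31.22.138", "192.168.0.200"
SAMPLE_LINES = [
    "227 Entering Passive Mode (60,213,14,217,4,1)",   # public NAT address in PASV
    "227 Entering Passive Mode (192,168,0,200,4,1)",   # matches tracked server
    "229 Entering Extended Passive Mode (|||50000|)",  # EPSV: port only
    "PORT 203,31,22,138,195,80",                        # active, matches client
    "PORT 10,0,0,1,195,80",                             # active, bogus address
    "227 Entering Passive Mode (192,168,0,200,0,21)",  # service port as data port
]


def evaluate_session(lines=SAMPLE_LINES, client_ip=CLIENT, server_ip=SERVER):
    """Run the check over a list of control-channel lines."""
    return [check_data_channel(line, client_ip, server_ip) for line in lines]


if __name__ == "__main__":
    for line, (ok, reason, pinhole) in zip(SAMPLE_LINES, evaluate_session()):
        print(f"{'ALLOW' if ok else 'DROP':5} {line:48} {reason} {pinhole or ''}")
```

The first sample line is the situation the log in the last post describes: the firewall tracks the server as 192.168.0.200 on the control channel, so a PASV reply that announces the public address 60.213.14.217 fails the address comparison and no pinhole is opened, which is exactly when a login succeeds but a directory listing hangs. EPSV is the opposite case: it announces no address, so the code falls back to the control-channel peer, and a firewall that does not handle 229 replies will never learn the data port at all, which matches what Olly observed with EPSV clients.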