Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Active FTP works, not passive

Hello CCIEs or not,

On my 2821 ISR IOS Firewall 12.4(24T2), since I added a new ISP and then nat inside source route-maps, inside FTP clients successfully connect to outside servers using active FTP but no more with previous passive mode.

Many debugs were done: FTP server can't answer to LIST command outside acl rejects Syn/Ack packet because client's source port is not opened

I give you :

relevant config lines

Ios Debugs and packet capture

I also tried to add separate Nat pool with route-map but did not succeed

Relevant Config:

ip inspect name Cbac tcp router-traffic
ip inspect name Cbac ftp

interface GigabitEthernet0/0
ip address L.L.L.5 255.255.255.0
ip access-group Acl_Inside in
ip wccp web-cache redirect in
ip inspect Cbac out
ip nat inside
no ip virtual-reassembly
ip policy route-map Rm_Inside
duplex auto
speed auto
!
interface FastEthernet0/0/3
switchport mode trunk
!
interface Vlan304
ip address 10.10.8.250 255.255.255.0
ip access-group Acl_Outside in
ip inspect Cbac out
ip nat outside
ip virtual-reassembly
!
router eigrp 1
redistribute connected
passive-interface default
no passive-interface GigabitEthernet0/0
network L.L.L.0 0.0.0.255
auto-summary
!
ip forward-protocol nd
ip route M.M.M.M 255.255.255.255 10.10.8.251
ip nat inside source route-map Rm_Nat_NC interface Vlan304 overload

ip access-list extended Acl_Inside
....
permit tcp object-group OGn_FTP object-group OGn_Externe eq ftp

ip access-list extended Acl_Outside
permit icmp any any
deny   ip any any log
!
ip access-list extended Acl_Rm_Ftp
permit tcp host 172.16.3.3 object-group OGn_Externe eq ftp ftp-data
permit tcp host 172.16.3.3 object-group OGn_Externe gt 1024
!
route-map Rm_Inside permit 10
match ip address Acl_Rm_Ftp
set ip next-hop 10.10.8.251
set interface Vlan304
!
route-map Rm_Nat_NC_Ftp permit 10
match ip address Acl_Rm_Ftp
match interface Vlan304

Any help would be greatly appreciated

Thanks

2 REPLIES
Community Member

Re: Active FTP works, not passive

The captures show out of order packet for the data connection. Do you have simultaneous captures on the outside and inside interface of the firewall?

show ip inspect session detail

ip inspect audit-trail

Can you gather the output of the above show command while you try to recreate the issue and also the syslogs after enbling audit trail?

Tanveer Dewan

tdeewan@cisco.com

Community Member

Re: Active FTP works, not passive

hello Tanveer,

I changed my config to the following and now both Active and Passive FTP work, but I can't explain nor test furthermore (users wil complain).

Main changes were to have only one route-map using 2 acls for inside G0/0, Dmz G0/1 Pbrs and for Nat Inside - outside, so it's simplier.

also noticed that :

- if I add or modify ACE lines, and clear Nat translations, I have to reload router because it doesnt works properly.

- other protocols do not support load-balancing: pop3, pptp/gre so I include them in acl route-map

interface GigabitEthernet0/0
ip address I.I.I.255.255.255.0
ip access-group Acl_Inside in
ip wccp web-cache redirect in
ip inspect Cbac out
ip nat inside
no ip virtual-reassembly
ip policy route-map Rm_NC

interface GigabitEthernet0/1
ip address L.L.L.254 255.255.255.0
ip nat inside
ip policy route-map Rm_NC

interface Vlan303
ip address 10.10.7.1 255.255.255.0
ip access-group Acl_Outside in
ip inspect Cbac out
ip virtual-reassembly

interface Vlan304
ip address 10.10.8.250 255.255.255.0
ip access-group Acl_Outside in
ip inspect Cbac out
ip nat outside
ip virtual-reassembly

ip route M.M.M.M 255.255.255.255 10.10.8.251

ip nat inside source route-map Rm_Nat_NC interface Vlan304 overload

ip access-list extended Acl_Rm_Dmz
permit ip host D.D.D..2 object-group OGn_Externe

ip access-list extended Acl_Rm_Inside
permit tcp object-group OGn_FTP object-group OGn_Externe eq ftp ftp-data
permit tcp object-group OGn_FTP object-group OGn_Externe gt 1024

permit tcp object-group OGn_MailOut object-group OGn_Externe eq pop3 smtp 995 465
permit gre host L.L.L.20 host
permit tcp host L.L.L.20 host eq 1723
.....

route-map Rm_Nat_NC permit 10
match ip address Acl_Rm_Inside Acl_Rm_Dmz
match interface Vlan304
!
route-map Rm_NC permit 10
match ip address Acl_Rm_Inside Acl_Rm_Dmz
set ip next-hop verify-availability 10.10.8.251 1 track 7
set ip next-hop verify-availability 10.10.7.254 2 track 3

regards

Alain

2816
Views
0
Helpful
2
Replies
CreatePlease to create content