06-26-2008 01:55 PM - edited 03-11-2019 06:06 AM
Moving from Checkpoint to ASA. Migrated about 20% of my policies earlier this week and had to back out one. FTPS from 10.60.10.205 (inside) destined for 65.217.149.5 (prod-outside). Users got the error message "500 Illegal PORT range" when entering PASV mode...
220 pw-sftp-cl1.nmhcrx.com FTP server (Version 6.00LS+TLS) ready.
AUTH SSL
234 AUTH SSL command successful.
SSL Session Started.
Host type (1): Automatic detect
USER myuser
331 Password required for myuser.
PASS (hidden)
230 User myuser logged in, access restrictions apply.
SYST
215 UNIX Type: L8
Host type (2): UNIX (standard)
PBSZ 0
200 PBSZ command successful (PBSZ=0).
PROT C
504 PROT command not available in FTP-SSL compatibility mode.
PWD
257 "/" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (65,217,149,5,165,146)
connecting data channel to 65.217.149.5:165,146(42386)
PORT 10,60,10,205,11,71
500 Illegal PORT range rejected.
Port failed 500 Illegal PORT range rejected.
QUIT
221 Goodbye.
Connection closed.
Ftp inspection is enabled. Do I need to exclude this from inspection because it is encrypted? If so, how do I handle the data channel and associated dynamic ports?
Tried "fixup protocol ftp 21" based upon feedback in another NetPro discussion.
Also modified policy and NAT rules to permit both tcp/ftp and tcp/ftp-data.
I'm new to the ASA and not having much luck with TAC. Most recent feedback from TAC: "Let me do some research about it since I am not sure if FTPS is supported on ASA firewalls. I will keep you posted." Any suggestions?
Relevant configuration items.
NAT...
access-list inside_nat_outbound_1 extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_12
nat (inside) 10 access-list inside_nat_outbound_1
ACL...
access-list from-inside extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_13 log warnings
access-group from-inside in interface inside
(DM_INLINE_TCP_12 and DM_INLINE_TCP_13 object-groups include tcp/ftp and tcp/ftp-data)
Inspection Policy...
access-list mss-exceeded-acl extended permit ip any any inactive
class-map mss-exceeded-map
match access-list mss-exceeded-acl
tcp-map mss-exceeded-map
exceed-mss allow
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
id-randomization
id-mismatch action log
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
inspect ils
inspect dns preset_dns_map
inspect ipsec-pass-thru
class mss-exceeded-map
set connection advanced-options mss-exceeded-map
!
service-policy global_policy global
06-26-2008 02:55 PM
Try this:
no access-list from-inside extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_13 log warnings
access-list from-inside extended permit ip net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com
access-group from-inside in interface inside
06-26-2008 03:05 PM
Unfortunately my user and their login credentials have left for the day. I'll try tomorrow AM EST. Unsure this will make any difference. I'm not seeing any drops in the logs.
06-27-2008 11:50 AM
It appears the outbound request for the data channel is being blocked. The server side randomly assigns a high port in PASV mode. My client then attempts to connect on this high port and is being blocked. FTP inspection would normally pick this up and allow the high port. It doesn't work here because all of the payload is encrypted. Interim fix is to allow all IP outbound to this particular destination. Not really a good long-term solution. Any better suggestions out there?
06-27-2008 02:09 PM
"Moving from Checkpoint to ASA." That's a mistake if you ask me. You will lose a lot of functions in Checkpoint that you have taken for granted. Then again, it may be a corporate decision that you do not have a choice in.
1- You do not need to allow all IP outbound to this particular destination. You just need to allow TCP high ports to this destination, not IP.
2- Ask the folks on the other end if they can restrict the number of TCP high ports that FTPS can assign. This can be done very easily on both Microsoft IIS Server and the vsFTPd server for Linux. In vsFTPd, check the vsftpd.conf file and you will see it there. Normally, you want to restrict the ftp-data ports in PASV mode to between 2000 and 2100.
Easy, right?
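To make the two points above concrete, here is an added example (not from the thread or from Cisco): it parses the 227 PASV reply quoted in the first post, derives the data port the way the ASA ftp inspector would if the channel were cleartext, checks it against the agreed 2000-2100 window, and builds the narrow ASA ACE that would replace the "permit ip" interim fix. The ACL name, network object name and server hostname are taken from the poster's config; the passive-range values are the assumption from point 2.

```python
import re

# Constructed sample input: the 227 reply captured in the original post.
PASV_REPLY = "227 Entering Passive Mode (65,217,149,5,165,146)"

# Assumed passive-port window agreed with the FTPS server admin (point 2 above).
PASV_RANGE = (2000, 2100)

# 227 replies carry h1,h2,h3,h4,p1,p2; the data port is p1*256 + p2 (RFC 959).
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (server_ip, data_port) from a 227 PASV reply, or raise ValueError."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port octets out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_channel_allowed(reply, pasv_range=PASV_RANGE):
    """True only if the server's chosen data port lies inside the agreed window.

    Over FTPS the firewall never sees this reply, so the window itself is the
    only thing the ACL can key on; a server port outside it will be dropped.
    """
    _, port = parse_pasv(reply)
    lo, hi = pasv_range
    return lo <= port <= hi


def asa_data_channel_ace(client_net, client_mask, server_host, pasv_range=PASV_RANGE):
    """Build the ASA ACE for the passive data channel (names are the poster's own)."""
    lo, hi = pasv_range
    return ("access-list from-inside extended permit tcp %s %s host %s range %d %d"
            % (client_net, client_mask, server_host, lo, hi))
```

The control channel still needs its own "eq ftp" entry; this ACE covers only the passive data connections, which is why the server-side range restriction matters.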