Cisco Support Community
New Member

Configuring an FTP Server behind Cisco

I'm trying to configure Serv-U to run in passive mode behind a Cisco ASA 5505. What is the proper way to do this?

44 REPLIES
Cisco Employee

Re: Configuring an FTP Server behind Cisco

A static NAT entry to reach the FTP server, "inspect ftp" in the policy-map, and an access-list entry allowing access to the FTP server are all you should need.

static (inside,outside)
access-list outside_in permit tcp any host eq ftp
access-group outside_in in interface outside
...
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
...
service-policy global_policy global

Can also be done if using PAT instead of NAT. Just change the ACL and the static to use the interface:

access-list outside_in permit tcp any interface outside eq ftp
static (inside,outside) tcp interface ftp

Hope this helps.

Cheers,

Eloy Paris.-

New Member

Re: Configuring an FTP Server behind Cisco

I'm concerned about the passive part of my request. Can you expand on how that will work?

We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea?

Silver

Re: Configuring an FTP Server behind Cisco

Let's understand this:

1- Pix/ASA can NOT allow ONLY passive FTP through the firewall if there is NAT involved. This is NOT possible.

For example, if you have Linux vsftpd running behind the firewall serving both Active/Passive. Let's say that your objective is to allow both Active and Passive FTP for users on the inside network; however, you want the firewall to allow ONLY passive ftp from users from the outside (i.e. Internet).

Let's say the IP address of the Linux vsFTPd server is 192.168.1.1. Let's say that this server is NAT'ed to 1.1.1.1 by the pix firewall:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

In this scenario, Pix can NOT do this. In this scenario, you have NO choice but to enable "fixup protocol ftp 21". If you turn OFF ftp inspection, nothing will work.

For situations like this, you need firewalls other than Cisco.

Cisco Employee

Re: Configuring an FTP Server behind Cisco

Of course; nobody is saying that fixup protocol ftp 21 (or inspect ftp in newer PIX code) is not necessary. Without the firewall doing deep packet inspection of FTP traffic, dynamic holes can't be opened in the access list for return traffic, so nothing will work.

I actually don't fully understand what you are saying: on the one hand you say that it is not possible, but if you turn on fixup it will work. On the other hand you are saying that you may need firewalls other than Cisco, which I guess means you think it will not work. So I am puzzled.

Any firewall needs to inspect the FTP control connection to be able to determine what hole to poke in the access list. What is it that you say other firewalls do differently than Cisco's?

Cheers,

Eloy Paris.-

Silver

Re: Configuring an FTP Server behind Cisco

This is what I understand:

Linux_FTP_server---(i)--Pix--(o)---FTP_client

FTP server is serving both Active/Passive FTP. FTP server is 192.168.1.10/24. Pix inside IP is 192.168.1.1/24. Pix outside ip address is 1.1.1.1/24. FTP_client is 1.1.1.2/24. FTP_client connects to FTP server via ip address of 1.1.1.10.

Requirements:

Allow ONLY Passive FTP through the Pix firewall. Active FTP will NOT be allowed through the Pix firewall. In other words, Active FTP connections will be dropped by the Pix firewall.

static (i,o) 1.1.1.10 192.168.1.10 netmask 255.255.255.255
access-list External permit ip any any log
access-group External in interface outside

Pix/ASA can NOT do this.

Other firewall vendors such as Checkpoint have the capability to allow ONLY passive FTP through the firewall with NAT. I think Netscreen can do this too but I can't confirm because I have not touched Netscreen in eight months.

Make sense?

New Member

Re: Configuring an FTP Server behind Cisco

Thanks for this post!! I've been fighting with FTP for a few days now. I've been using names for Network Objects to add easier reading to Destination Access Rules and NAT Rules Sources. Your post above stating specifically got me thinking. So I removed all the Names (as they are optional) and used only the IP addrs and it worked!!

Running 5510 ASA 8.0(2) ASDM 6.1(1).

Thanks!!

ERIN

New Member

Re: Configuring an FTP Server behind Cisco

My objective is to allow both Active and Passive SSH/SSL/HTTPS FTP to make it easier on my non-technical ftp clients. Thoughts on that? Would I need to do the "fixup"? I'm not sure what that is. I'm a Juniper GUI guy, sorry.

Rhinosoft, the maker of Serv-U, says that the reason I can only connect with Active is due to a misconfigured Cisco ASA 5505 sitting in front of it.

I have my IP and ports routed correctly as far as I can tell:

access-list INBOUND extended permit tcp any host x.x.x.35 eq 3389
access-list INBOUND extended permit tcp any host x.x.x.35 eq ftp
access-list INBOUND extended permit tcp any host x.x.x.35 eq ftp-data
access-list INBOUND extended permit tcp any host x.x.x.35 eq https
access-list INBOUND extended permit tcp any host x.x.x.35 eq ssh
access-list INBOUND extended permit tcp any host x.x.x.35 eq 990
access-list INBOUND extended permit tcp any host x.x.x.35 range 2000 2020
access-list INBOUND extended permit tcp any host x.x.x.35 range 50000 50020

The last two entries are passive port ranges I tried to plug into the software, but they didn't give me any luck.

We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea? Is that a terribly insecure idea?

Silver

Re: Configuring an FTP Server behind Cisco

The problem with the ASA is that fixup is enabled by default. Therefore, once you allow FTP, both active/passive will be allowed. In a NAT environment, you cannot stop Active only or passive only FTP. You either have to allow both or deny both.

I don't know if you understand how Active and Passive work. In Active mode, the ftp server initiates a connection back to the client, sourcing from port 20 to client random high-ports. This is a security risk to the client. In Passive mode, the client initiates a connection from its high ports to a server random high-port. This will put the server at risk because it has to allow random high-ports on the server. That's why in vsftpd or even Microsoft IIS, you minimize the risk by narrowing the port-ranges in Passive mode.

The workaround for all this is Secure Copy Protocol (SCP) or SecureFTP. Both of these run on top of SSH, which is very secure. You don't need to worry about FTP crap.

Cisco Employee

Re: Configuring an FTP Server behind Cisco

cisco24x7,

> The problem with the ASA is that fixup is enabled by default.

That's actually a positive thing, in my opinion, but if it bothers anyone, or violates the organization's security policy, it can obviously be disabled.

> Therefore, once you allow FTP, both active/passive will be allowed.

He already said that he wants to allow both active and passive so this shouldn't be a problem.

> In a NAT environment, you can not stop Active only or passive only FTP. You either have to allow both or deny both.

Not necessarily - you can do the following:

access-list inside_in deny tcp any any eq 20
access-list inside_in permit ip any any
access-group inside_in in interface inside

and this will prevent active FTP from working but passive FTP will still work.

This is not a problem for him, though, since he said that he wants both active and passive FTP. But anyone concerned about allowing active FTP can apply this simple workaround to kill active FTP.

Cheers,

Eloy Paris.-

Cisco Employee

Re: Configuring an FTP Server behind Cisco

Sorry, the deny above is obviously wrong. Should be:

access-list inside_in deny tcp any eq 20 any

(The idea is obviously to prevent the FTP server from establishing the outgoing connection from port 20 to the FTP client on the outside.)

New Member

Re: Configuring an FTP Server behind Cisco

I'm confused then. Why don't you think I'm having any luck with Passive if I've configured ports on the software and firewall for that purpose. I'll include my whole config below so that you can maybe explain where I need to make changes.

New Member

Re: Configuring an FTP Server behind Cisco

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.61.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 38.x.x.34 255.255.255.252
interface Ethernet0/0
 switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
 domain-name domainname1.com
access-list nonat extended permit ip any 172.16.0.0 255.240.0.0
access-list nonat extended permit ip any 192.168.0.0 255.255.0.0
access-list nonat extended permit ip any 10.0.0.0 255.0.0.0
access-list domainname2 extended permit ip 192.168.61.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list INBOUND extended permit tcp any host 38.x.x.35 eq 3389
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ftp
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ftp-data
access-list INBOUND extended permit tcp any host 38.x.x.35 eq https
access-list INBOUND extended permit tcp any host 38.x.x.35 eq ssh
access-list INBOUND extended permit tcp any host 38.x.x.35 eq 990
access-list INBOUND extended permit tcp any host 38.x.x.35 range 2000 2020
access-list INBOUND extended permit tcp any host 38.x.x.35 range 50000 50020
access-list INBOUND extended permit icmp any any
access-list OUTBOUND extended deny tcp any any eq 6346
access-list OUTBOUND extended deny tcp any any eq 6347
access-list OUTBOUND extended deny udp any any eq 6346
access-list OUTBOUND extended deny udp any any eq 6347
access-list OUTBOUND extended permit ip any any
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.68.0 255.255.254.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.212.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 172.30.103.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list domainname1 extended permit ip 192.168.61.0 255.255.255.0 192.168.180.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 38.x.x.34 192.168.61.200 netmask 255.255.255.255
static (inside,outside) 38.x.x.35 192.168.61.248 netmask 255.255.255.255
access-group OUTBOUND in interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 38.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
service-policy global_policy global
prompt hostname context

Cisco Employee

Re: Configuring an FTP Server behind Cisco

The configuration looks *almost* good:

static (inside,outside) 38.x.x.34 192.168.61.200 netmask 255.255.255.255

This line doesn't make sense - you are NATing 192.168.61.200 to the same IP address as the outside interface of the ASA. That shouldn't be, but I don't see why it would affect the problem with FTP not working.

Is the FTP server at 192.168.61.248?

You should turn on logging to see what is going on.

Cheers,

Eloy Paris.-

Silver

Re: Configuring an FTP Server behind Cisco

Eloy Paris,

> Not necessarily - you can do the following:
>
> access-list inside_in deny tcp any eq 20 any
> access-list inside_in permit ip any any
> access-group inside_in in interface inside
>
> and this will prevent active FTP from working but passive FTP will still work.

Is this something you've tested and verified that it works, or is it just an "educated" guess on your part?

When you enable "fixup protocol ftp 21" or ftp inspection, the ACL "access-list inside_in deny tcp any any eq 20" will become useless when there is NAT.

However, what you stated above is true if there is NO NAT involved. Again, the minute you enable "fixup protocol ftp 21" that ACL will be bypassed.

An analogy to this is the command "sysopt connection permit-ipsec", which will bypass the ACL line applying to the outside interface regarding IPSec.

Cisco Employee

Re: Configuring an FTP Server behind Cisco

cisco24x7,

> Is this something you've tested and verified that it works or is it just an "educated" guess on your part?

It was an "educated" guess on my part, but what you said got me thinking and I'm embarrassed to say that the guess wasn't so "educated" and you were right and I was wrong...

> When you enable "fixup protocol ftp 21" or ftp inspection, the ACL "access-list inside_in deny tcp any any eq 20" will become useless when there is NAT.

You are absolutely correct in that as soon as you enable fixup protocol ftp, the ACL becomes useless, because as soon as the PIX sees in the FTP control session that a session for data is being created it will create a connection for that session. The session will contain all the endpoint information (port 20 of the server to port > 1024 of the client.) Because ACLs are not checked when a connection is already built in the PIX, then, as you so eloquently pointed out, the "deny tcp eq 20 any" will not block the data connection.

My apologies for muddying the waters here; you were right.

The only part that I still don't follow is why you keep mentioning NAT. One thing is access control (handled by ACLs and protocol fixups) and another is NAT. Why do you throw NAT into the mix? Even if we were using nat 0 (no NAT) or identity NAT, things should still work as we've discussed. Are you saying that things will work differently when using nat 0 or identity NAT?

Cheers,

Eloy Paris.-
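
The mechanism described in the post above (the fixup watches the control session, sees a data session being set up, and builds a connection for it) is easy to make concrete in code. The Python below is an added example written for this thread, not code from the thread, from Cisco or from any firewall vendor. It decodes the PORT/EPRT commands and 227/229 replies that announce a data channel, rewrites the inside address that a server behind static NAT embeds in its PASV reply (the thread's "static (i,o) 1.1.1.10 192.168.1.10" mapping is used as a constructed example), and lists the data connections a firewall would have to allow for a short constructed transcript modelled on the vsFTPd session shown later in the thread. The strict check that an active-mode address must be the client's own is an assumption about what an inspection engine does, not a description of the ASA's implementation.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed static NAT mapping, mirroring the thread's
# "static (i,o) 1.1.1.10 192.168.1.10" (inside address -> outside address).
STATIC_NAT = {"192.168.1.10": "1.1.1.10"}

# PORT h1,h2,h3,h4,p1,p2        client -> server, active mode
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# EPRT |proto|host|port|        client -> server, active mode (RFC 2428)
EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|\s*$", re.IGNORECASE)
# 227 ... (h1,h2,h3,h4,p1,p2)   server -> client, passive mode (parentheses optional)
PASV_RE = re.compile(r"^227\s.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# 229 ... (|||port|)            server -> client, extended passive mode (RFC 2428)
EPSV_RE = re.compile(r"^229\s.*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "active": server connects out from port 20; "passive": client connects in
    host: str   # address the data connection will be made to
    port: int   # port the data connection will be made to


def _hostport(octets: Sequence[str]) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 form, rejecting what an inspection engine would
    treat as malformed (an octet above 255 or port 0)."""
    nums = [int(x) for x in octets]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    return None if port == 0 else (".".join(map(str, nums[:4])), port)


def parse_control_line(line: str, server_ip: str,
                       client_ip: Optional[str] = None) -> Optional[DataChannel]:
    """Return the data channel announced by one control-channel line, or None when the
    line announces nothing or is malformed. If client_ip is given, an active-mode
    address other than the client's own is rejected (assumed strict-inspection check)."""
    line = line.strip()
    if m := PORT_RE.match(line):
        decoded = _hostport(m.groups())
        if decoded is None or (client_ip and decoded[0] != client_ip):
            return None
        return DataChannel("active", *decoded)
    if m := EPRT_RE.match(line):
        host, port = m.group(1), int(m.group(2))
        if not 0 < port < 65536 or (client_ip and host != client_ip):
            return None
        return DataChannel("active", host, port)
    if m := PASV_RE.match(line):
        decoded = _hostport(m.groups())
        return None if decoded is None else DataChannel("passive", *decoded)
    if m := EPSV_RE.match(line):
        port = int(m.group(1))      # EPSV carries no address: reuse the control peer's
        return DataChannel("passive", server_ip, port) if 0 < port < 65536 else None
    return None


def rewrite_pasv_reply(line: str, nat: dict) -> str:
    """Rewrite the inside address a server behind static NAT embeds in its 227 reply
    to the outside address (one of the jobs of 'inspect ftp'); unmapped lines pass through."""
    m = PASV_RE.match(line.strip())
    if not m:
        return line
    h1, h2, h3, h4, p1, p2 = m.groups()
    outside = nat.get(f"{h1}.{h2}.{h3}.{h4}")
    if outside is None:
        return line
    return line.replace(f"{h1},{h2},{h3},{h4},{p1},{p2}",
                        outside.replace(".", ",") + f",{p1},{p2}", 1)


def walk_session(lines: Sequence[str], server_inside: str, client_ip: str, nat: dict) -> list:
    """Feed a control-channel transcript through NAT rewriting and parsing and return
    the data connections the firewall must permit, as (src, sport, dst, dport) seen on
    the outside; sport None means any client port."""
    server_outside = nat.get(server_inside, server_inside)
    permits = []
    for raw in lines:
        chan = parse_control_line(rewrite_pasv_reply(raw, nat), server_outside, client_ip)
        if chan is None:
            continue
        if chan.mode == "active":
            permits.append((server_outside, 20, chan.host, chan.port))
        else:
            permits.append((client_ip, None, chan.host, chan.port))
    return permits


# Constructed transcript (not captured from a real session), modelled on the
# vsFTPd session shown later in the thread: one active listing, then one passive one.
SESSION = [
    "220 (vsFTPd 1.2.0)",
    "USER admin", "331 Please specify the password.",
    "PASS ********", "230 Login successful.",
    "PORT 1,1,1,2,7,209", "200 PORT command successful. Consider using PASV.",
    "LIST", "150 Here comes the directory listing.",
    "PASV", "227 Entering Passive Mode (192,168,1,10,195,80).",
    "LIST", "150 Here comes the directory listing.",
]

if __name__ == "__main__":
    for permit in walk_session(SESSION, "192.168.1.10", "1.1.1.2", STATIC_NAT):
        print(permit)
```

Running it lists two connections: the server opening from port 20 to the client's port 2001 (the PORT command), and the client opening to the server's public address on port 50000 (the rewritten 227 reply). Without the rewrite step, the client would be handed 192.168.1.10 in the PASV reply, which is the kind of embedded-address problem the inspection engine exists to fix.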

Silver

Re: Configuring an FTP Server behind Cisco

FTP_Server---(i)--Pix---(o)----FTP_client

FTP_Server= 192.168.1.10/24
Pix inside= 192.168.1.1/24
Pix outside= 1.1.1.1/24
FTP_client= 1.1.1.2/4

FTP_client has default gateway pointing to 1.1.1.1, which is the Pix outside interface.

Let's say that you're NOT doing any NAT on the Pix, just simply route through the Pix:

no nat-control

Requirements:

Allow only Passive FTP through the firewall.

In this situation, it definitely works with this configuration:

no fixup protocol ftp 21
access-list External permit tcp any host 192.168.1.10 eq 21 log
access-list External permit tcp any host 192.168.1.10 gt 1024 log
access-list Internal deny tcp host 192.168.1.10 eq 20 any log
access-list Internal permit ip any any log
access-group External in interface outside
access-group Internal in interface inside

When you disable NAT on the Pix and just route through the Pix, you can control the Active/Passive FTP through the firewall. However, as soon as you enable "fixup protocol ftp 21", you will not be able to control Active/Passive FTP. As a matter of fact, when you have NAT enabled, if you disable fixup, FTP will fail to work altogether.

Is that clear?

Cisco Employee

Re: Configuring an FTP Server behind Cisco

> In this situation, it definitely works with this configuration:
>
> no fixup protocol ftp 21

[...]

Of course, you are disabling the fixup but are manually poking holes in the access lists. This is for sure a valid workaround but is not secure because now the FTP server is not protected on ports > 1024.

> When you disable NAT on the Pix and just route through the Pix, you can control the Active/Passive FTP through the firewall.

I assert that you can do this with NAT enabled. The key is disabling the FTP fixup and manually poking holes in the firewall.

> However, as soon as you enable "fixup protocol ftp 21", you will not be able to control Active/Passive FTP.

Correct, because then the fixup will automatically create the necessary connection, therefore bypassing any access list entries one may have created to control active/passive FTP.

> As a matter of fact, when you have NAT enabled, if you disable fixup, FTP will fail to work altogether.

This is the part where I still don't follow - when you have NAT enabled or when you have NAT disabled, FTP will fail to work when you disable the fixup. You need the fixup for FTP to work, with NAT or no NAT, if you don't want to manually poke holes in the access lists. Why do you say that NAT has an influence on whether the fixup works?

Using the same question you posed to me earlier - did you test that disabling/enabling NAT has any effect on whether you can control Active/Passive FTP through the firewall, or is it just an educated guess? ;-)

Cheers,

Eloy Paris.-
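
The point the thread has converged on, that an established connection is forwarded without an ACL lookup, so a data connection pre-built by the fixup sidesteps "deny tcp any eq 20 any", can be shown with a small packet-path model. The Python below is an added example, not code from the thread, from Cisco or from any firewall vendor. It deliberately leaves NAT out (the question still open in the thread) and models only the order of operations: connection table first, ingress ACL only for new connections, with the fixup pre-building the data connection it learned from the control channel. The scenario uses the thread's addresses (server 1.1.1.10, client 1.1.1.2), the inside_in ACL pair from the earlier post, and, as a third case, the "gt 1024" hole from the no-fixup configuration. The ACL model (first match wins, implicit deny) and the connection-table lookup are simplifications, not a description of PIX/ASA internals.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

PortSpec = Union[None, int, Tuple[int, int]]   # None = any port, int = exact, (lo, hi) = range


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


def _host_ok(spec: str, ip: str) -> bool:
    return spec == "any" or spec == ip


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. Ace("deny", "any", 20, "any", None)
    stands for 'deny tcp any eq 20 any'."""
    action: str
    src: str
    sport: PortSpec
    dst: str
    dport: PortSpec

    def matches(self, f: Flow) -> bool:
        return (_host_ok(self.src, f.src) and _port_ok(self.sport, f.sport)
                and _host_ok(self.dst, f.dst) and _port_ok(self.dport, f.dport))


class StatefulFirewall:
    """Packet path as modelled here: connection table first, so an established
    connection is forwarded with no ACL lookup; only a new connection is checked
    against the ingress interface's ACL (first match wins, implicit deny)."""

    def __init__(self, acls: Dict[str, List[Ace]], inspect_ftp: bool):
        self.acls = acls
        self.inspect_ftp = inspect_ftp
        self.conns: Set[Flow] = set()

    def add_connection(self, f: Flow) -> None:
        self.conns.add(f)
        self.conns.add(f.reverse())   # return traffic rides the same entry

    def announce_data_channel(self, f: Flow) -> None:
        """Called when a PORT command or PASV reply is seen on the control channel.
        With inspection on, the expected data connection is pre-built (the 'hole');
        with inspection off nothing happens and the data SYN must pass an ACL."""
        if self.inspect_ftp:
            self.add_connection(f)

    def packet(self, iface: str, f: Flow) -> str:
        if f in self.conns:
            return "established"
        for ace in self.acls.get(iface, []):
            if ace.matches(f):
                if ace.action == "permit":
                    self.add_connection(f)
                return ace.action
        return "deny"


def scenario(inspect_ftp: bool, manual_holes: bool = False) -> Dict[str, str]:
    """Thread topology without NAT: server 1.1.1.10, client 1.1.1.2. inside_in is the
    'deny tcp any eq 20 any / permit ip any any' pair; manual_holes adds the
    'permit tcp any host <server> gt 1024' entry from the no-fixup configuration."""
    server, client = "1.1.1.10", "1.1.1.2"
    inside_in = [Ace("deny", "any", 20, "any", None), Ace("permit", "any", None, "any", None)]
    outside_in = [Ace("permit", "any", None, server, 21)]
    if manual_holes:
        outside_in.append(Ace("permit", "any", None, server, (1025, 65535)))
    fw = StatefulFirewall({"inside": inside_in, "outside": outside_in}, inspect_ftp)

    results = {"control": fw.packet("outside", Flow(client, 40000, server, 21))}

    # Active: client sent PORT 1,1,1,2,7,209 (port 2001); server opens from port 20.
    active = Flow(server, 20, client, 2001)
    fw.announce_data_channel(active)
    results["active_data"] = fw.packet("inside", active)

    # Passive: server answered 227 ... (1,1,1,10,195,80) (port 50000); client opens it.
    passive = Flow(client, 40001, server, 50000)
    fw.announce_data_channel(passive)
    results["passive_data"] = fw.packet("outside", passive)
    return results


if __name__ == "__main__":
    for args in ((True, False), (False, False), (False, True)):
        print("inspect_ftp=%s manual_holes=%s -> %s" % (*args, scenario(*args)))
```

Running it prints three rows: with inspection on, both data connections come back as established and the inside ACL is never consulted; with inspection off and no extra entries, both are denied; with inspection off plus the "gt 1024" entry, only the passive data connection is permitted, which is the behaviour of the no-fixup configuration posted in the thread, at the cost of leaving every port above 1024 on the server reachable.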

Silver

Re: Configuring an FTP Server behind Cisco

> I assert that you can do this with NAT enabled. The key is disabling the FTP fixup and manually poking holes in the firewall.

This is NOT true. You do not have to take my word for it. Just ask your colleagues at Cisco Systems and they can explain it to you better than I can.

> This is the part where I still don't follow - when you have NAT enabled or when you have NAT disabled, FTP will fail to work when you disable the fixup. You need the fixup for FTP to work, with NAT or no NAT, if you don't want to manually poke holes in the access lists. Why do you say that NAT has an influence on whether the fixup works?
>
> Using the same question you posed to me earlier - did you test that disabling/enabling NAT has any effect on whether you can control Active/Passive FTP through the firewall, or it is just an educated guess? ;-)

I don't tell people things that I've not tried and tested myself. In other words, I tested this myself and that's what I observed. If you ask Cisco TAC, they will tell you the same thing I am telling you.

Cisco Employee

Re: Configuring an FTP Server behind Cisco

> If you ask Cisco TAC, they will tell you the same thing I am telling you.

Just tell me what configuration is the one you are positive doesn't work when NAT is enabled and I'll test or ask. Is it the one you posted in a previous message, the one where you had "no nat-control"? If that is the case then what you are positive would not work is adding "nat-control" and the corresponding static for the FTP server but keeping the fixup disabled and the access lists as you had them, is that correct?

I'll actually post the config here to make sure we're on the same page:

nat-control
static (inside,outside) 1.1.1.3 192.168.1.10
no fixup protocol ftp 21
access-list External permit tcp any host 192.168.1.10 eq 21 log
access-list External permit tcp any host 192.168.1.10 gt 1024 log
access-list Internal deny tcp host 192.168.1.10 eq 20 any log
access-list Internal permit ip any any log
access-group External in interface outside
access-group Internal in interface inside

Is this the configuration you tested and found that doesn't work?

Thanks.

Silver

Re: Configuring an FTP Server behind Cisco

That's my configuration, and that ACL is much more wide open than yours, and it still does not work:

access-list External extended permit icmp any any log
access-list External extended permit tcp any any eq ftp log
access-list External extended permit ip any any log

[Expert@P1-NGx]# ftp 1.1.1.1
Connected to 1.1.1.1 (1.1.1.1).
220 (vsFTPd 1.2.0)
Name (1.1.1.1:root): admin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Switching to Binary mode.
ftp> prompt
Interactive mode off.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> passive
Passive mode on.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.

In other words, both Active/Passive FTP do not work.

This is a KNOWN issue with Cisco Pix/ASA firewalls. I am surprised you don't know this, and I work for Checkpoint -:). Funny!!!!

Cisco Employee

Re: Configuring an FTP Server behind Cisco

Thanks cisco24x7, I'll give this a try.

Did that FTP session to 1.1.1.1 in the above post work, i.e. did the directory listing actually come? If so, did you get it to work because you put "no nat-control" in place?

> This is a KNOWN issue with Cisco Pix/ASA firewalls.

"Known" as in there is a Cisco bug ID for this, or just as in "everybody but eloy paris knows and lives with it"?

> I am surprised you don't know this, and I work for Checkpoint -:). Funny!!!!

Well, what can I say, one can't know everything ;-)

Seriously, though, I used to be in the RTP TAC in the security team. It's been almost three years since I left to do something else at Cisco. Never heard of this problem, and what you describe goes against what I know about the product, which is why I am so curious and eager to get to the bottom of this. Not saying I don't believe you, just that I am surprised the product behaves like that.

Cheers!

Silver

Re: Configuring an FTP Server behind Cisco

"no nat-control" just turns the Pix into a router, that's all. No more, no less. Back in the 6.3.x version, in order to go from high to low, you have to explicitly define "static (i,o) 192.168.1.0 192.168.1.0 netmask 255.255.255.0". In version 7.x, that is not needed.

If you disable NAT and have "no fixup", you can control Active/Passive FTP through the firewall. However, the minute you enable "fixup ftp", you will lose that control.

If you have NAT and you have "no fixup ftp", both Active and Passive FTP will not work across the firewall. By NAT, I mean this:

static (i,o) 1.1.1.10 192.168.1.10 net /32

I don't know how to make it any clearer.

You're not the first CCIE from Cisco who was confused by this. I got the same response from 3 different CCIE SEs from Cisco. When I asked them about this, they had no idea what I was talking about. When I showed them what I've observed, their response was "interesting".

Cisco Employee

Re: Configuring an FTP Server behind Cisco

David,

Could you get in touch with me via my Cisco email address: elparis@cisco.com?

I've set this up in a lab and would like to share the results with you. We could do it here but I feel it's better to sort things out in private email and then summarize the findings for the benefit of other forum members since the discussion here in the forum is getting long, and personally I'd like to avoid hijacking Brian's thread any longer.

Thanks,

Eloy Paris.-

Silver

Re: Configuring an FTP Server behind Cisco

"Did that FTP session to 1.1.1.1 in the above post work, i.e. did the directory listing actually come? If so, did you get it to work because you put "no nat-control" in place? "

Did it work with Cisco Pix? NO.

Did it work with Checkpoint firewall? Yes

New Member

Re: Configuring an FTP Server behind Cisco

Hi... thanks for all of the replies, but I feel like my question has been taken over. Could anyone please dumb this conversation down for my issue and explain to me in plain English whether or not I'm going to be able to get active and passive working at the same time. It's still broken... please take a moment to help me.

Cisco Employee

Re: Configuring an FTP Server behind Cisco

You are absolutely right; we hijacked your thread. My apologies for that.

Please send the current config and tell us the private and public IP addresses of the FTP server and we'll take a look.

Cheers,

Eloy Paris.-

New Member

Re: Configuring an FTP Server behind Cisco

I'm confused then. Why don't you think I'm having any luck with Passive if I've configured ports on the software and firewall for that purpose.

We may end up placing the FTP server in a DMZ and open up incoming 1024+. What do you think of that idea? Is that a terribly insecure idea?

Cisco Employee

Re: Configuring an FTP Server behind Cisco

Did you remove the static command I mentioned yesterday, the one that didn't look right because it was using the outside interface's own IP as the global IP?

What is the private (inside) and public (outside) IP of the FTP server?

I didn't see anything wrong other than the static but can you post your configuration again?

New Member

Re: Configuring an FTP Server behind Cisco

I think the issue with that was due to my changing all of the different external IPs to the same number... I'll post my config again when I have it. Thanks!
