
FTP gets Blocked by Zone-Based Firewall

Hello everyone,

I have a problem with an IOS firewall. The thing is that I'm using an FTP client to collect data from the WAN (it's in passive mode). The session gets established through port 21 (which is on my access-list). I cannot get the transfer completed because FTP opens a random port for this part, from 1024 to 65535.

I could add a new line on my access-list permitting tcp any any range 1024 65535, but my client won't accept this. It's a quite fair decision, since I'd be opening almost all the ports.

Is there a solution for this problem? So my firewall can detect the new session.

I have already tried to inspect ftp as a global policy, but it didn't work.

Thanks in advance for the help.
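Why a static ACL cannot solve the problem described above, shown as an added example that is not part of the thread: in passive mode the server announces the data-channel port inside the port-21 control conversation, so the port is not known until the session is already running. The Python below parses the `227` (PASV) and `229` (EPSV) replies the way an application-aware inspector such as `match protocol ftp` must in order to open a single pinhole per transfer. The control-channel lines and the address 203.0.113.10 are constructed sample data, not captured from the poster's network.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what a passive-mode client sees on the port-21 control
# session. The server address 203.0.113.10 is a documentation range, not a real host.
SAMPLE_CONTROL_CHANNEL = [
    "220 Service ready",
    "230 User logged in",
    "227 Entering Passive Mode (203,0,113,10,195,80).",
    "150 Opening BINARY mode data connection.",
    "229 Entering Extended Passive Mode (|||50021|)",
    "226 Transfer complete.",
]

# RFC 959 PASV reply: six decimal octets, h1..h4 = address, p1,p2 = port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: only the port is announced; the client reuses the control peer address
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataChannel:
    host: Optional[str]  # None for EPSV, where no address is announced
    port: int


def parse_passive_reply(line: str) -> Optional[DataChannel]:
    """Return the data channel announced by a PASV/EPSV reply, or None for any other line.

    Values outside the protocol's ranges are rejected rather than guessed, which is what
    a stateful inspector must do so that a hostile server cannot coax it into opening
    an arbitrary pinhole.
    """
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        if max(a, b, c, d, p1, p2) > 255:
            return None
        port = p1 * 256 + p2
        if port == 0:
            return None
        return DataChannel(f"{a}.{b}.{c}.{d}", port)
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            return None
        return DataChannel(None, port)
    return None


def pinholes_for_session(control_lines: List[str], server_ip: str) -> List[Tuple[str, int]]:
    """(host, port) pairs an inspecting firewall would open for this control session.

    A PASV reply may carry an address that differs from the control-channel peer
    (typical for a server behind NAT). Like most clients and inspectors, fall back to
    the control-channel peer in that case instead of trusting the announced address.
    """
    pinholes = []
    for line in control_lines:
        ch = parse_passive_reply(line)
        if ch is None:
            continue
        host = ch.host if ch.host == server_ip else server_ip
        pinholes.append((host, ch.port))
    return pinholes


if __name__ == "__main__":
    for host, port in pinholes_for_session(SAMPLE_CONTROL_CHANNEL, "203.0.113.10"):
        print(f"open tcp/{port} to {host} for the duration of one transfer")
```

The sample session yields two pinholes, tcp/50000 and tcp/50021, each tied to one transfer on one control session; the alternative proposed in the question, `permit tcp any any range 1024 65535`, opens 64,512 ports permanently. That is the gap `match protocol ftp` closes: the inspector reads the control channel just as this code does and opens only the announced port, only while the session lives.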

1 ACCEPTED SOLUTION

FTP gets Blocked by Zone-Based Firewall

Instead of using an ACL, use the match protocol command. This will allow the dynamic ports that need to be opened for the FTP session.

Regards,

Juan Lombana

Please rate helpful posts.

5 REPLIES

Re: FTP gets Blocked by Zone-Based Firewall

It should work if you have an ip inspect rule on the LAN interface in the inbound direction. So, in addition to anything else required, something like:

ip inspect name INFIRE ftp
interface Ethernet0/0
  ip inspect INFIRE in    ! firewall inspection for inbound traffic.

Source.

You can also use the wizard in CCP to help with IOS ZBFW setup. It can be daunting from the CLI if you don't use it often.

Re: FTP gets Blocked by Zone-Based Firewall

Hello Bruno,

As Juan Lombana said, you need to use a match protocol on the class-map config instead of a match access-group.

Okay, the server is in passive mode, right? Behind which zone is the server?

Share the configuration

Regards,

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: FTP gets Blocked by Zone-Based Firewall

Hello guys, it's been too long since I asked this and I'm sorry for not replying to your kind answers.

The problem was solved 2 weeks ago. The thing is that I had to match ftp in an exclusive class-map and put it at the top of the policy-map. When I did this, it worked just fine.

What I had been doing (such a shame) is matching ftp along with icmp, tcp and udp, all in one class-map.

Thanks for the answers.

Bruno
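The fix Bruno describes, written out as an added ZBFW example. This is not the poster's configuration: the zone names, interface names and class/policy names below are assumptions, and the "did not work" class is a reconstruction of the single combined class-map he says he started with. The point it illustrates is that in a match-any class, a generic `match protocol tcp` can classify the port-21 connection as plain TCP, so the FTP application inspection that opens the data-channel pinhole never runs; giving ftp its own class and listing it first in the policy-map makes the application match win.

```cisco
! Added example, not the poster's configuration. INSIDE, OUTSIDE,
! GigabitEthernet0/0, GigabitEthernet0/1 and all class/policy names are assumptions.

! --- What did not work: ftp lumped in with generic tcp/udp/icmp in one class ---
class-map type inspect match-any LAN-TO-WAN-ALL
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! --- What worked: a dedicated FTP class, referenced first in the policy-map ---
class-map type inspect match-any LAN-TO-WAN-FTP
 match protocol ftp
!
class-map type inspect match-any LAN-TO-WAN-GENERIC
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect LAN-TO-WAN-POLICY
 class type inspect LAN-TO-WAN-FTP
  inspect
 class type inspect LAN-TO-WAN-GENERIC
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect LAN-TO-WAN-POLICY
!
interface GigabitEthernet0/0
 description LAN (FTP client side)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (FTP server side)
 zone-member security OUTSIDE
```

To confirm the data channel is being tracked rather than dropped, start a passive transfer and look at `show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions`: the control session should appear under the FTP class, with the ephemeral data connection listed as a related session, and the `class-default` drop counter should stay flat. If the server listens on a non-standard control port, `match protocol ftp` will not recognise it until that port is mapped with `ip port-map ftp port tcp <port>`.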

Re: FTP gets Blocked by Zone-Based Firewall

Hello,

Glad to know you have it up and running. Please mark the question as answered so future users can learn from this.

For Networking Posts check my website at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura
