FTP gets Blocked by Zone-Based Firewall

Hello everyone,

I have a problem with an IOS firewall. The thing is that I'm using an FTP client to collect data from the WAN (it's in passive mode). The session gets established through port 21 (which is on my access-list). I cannot get the transfer completed because FTP opens a random port for this part, from 1024 to 65535.

I could add a new line on my access-list permitting tcp any any range 1024 65535, but my client won't accept this. It's a quite fair decision, since I'd be opening almost all the ports.

Is there a solution for this problem? So my firewall can detect the new session.

I have already tried to inspect ftp as a global policy, but it didn't work.

Thanks in advance for the help.

Accepted Solution

julomban
Level 3

Instead of using an ACL, use the match protocol command. This will allow the dynamic ports that need to be opened for the FTP session.

Regards,

Juan Lombana

Please rate helpful posts.


5 Replies

Marvin Rhoads
Hall of Fame

It should work if you have an ip inspect rule on the LAN interface inbound direction. So, in addition to anything else required, something like:

ip inspect name INFIRE ftp
interface Ethernet0/0
  ip inspect INFIRE in    ! firewall inspection for inbound traffic.

Source.

You can also use the wizard in CCP to help with IOS ZBFW setup. It can be daunting from the CLI if you don't use it often.

Julio Carvajal
VIP Alumni

Hello Bruno,

As Juan Lombana said, you need to use a match protocol on the class-map config instead of a match access-group.

Okay, the server is in passive mode, right? Behind which zone is the server?

Share the configuration.

Regards,

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello guys, it's been too long since I asked this and I'm sorry for not replying to your kind answers.

The problem was solved 2 weeks ago. The thing is that I had to match ftp in an exclusive class-map and put it on top of the policy-map. When I did this, it worked just fine.

What I had been doing (such a shame) is matching ftp along with icmp, tcp and udp, all in one class-map.

Thanks for the answers.

Bruno
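Bruno's fix, written out as a minimal IOS zone-based firewall configuration so the "before" and "after" can be compared side by side. This is an added example, not configuration from any post in this thread; the zone, interface, class-map and policy-map names are assumed placeholders.

```cisco
! --- What did not work: ftp lumped into one match-any class with tcp/udp/icmp.
! When the generic tcp match handles the control channel, the ftp
! application inspection that tracks PASV/PORT and opens the data-channel
! pinhole is not applied, so the transfer on the random high port fails.
class-map type inspect match-any CM-BROKEN-ALL
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-BROKEN
 class type inspect CM-BROKEN-ALL
  inspect
!
! --- Fix: a dedicated ftp class, placed first in the policy-map,
! with the generic tcp/udp/icmp class after it.
class-map type inspect match-any CM-FTP
 match protocol ftp
class-map type inspect match-any CM-GENERIC
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-FTP
  inspect
 class type inspect CM-GENERIC
  inspect
 class class-default
  drop
!
! Zones and the zone-pair for the client-side (INSIDE) to WAN (OUTSIDE) direction.
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Verification after a transfer: the ftp session and its data channel
! should appear under the CM-FTP class rather than CM-GENERIC.
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
```

No permit for the 1024-65535 range is needed anywhere; the ftp inspection opens only the single data port negotiated on the control channel, for the lifetime of that session.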

Hello,

Glad to know you have it up and running, please mark the question as answered so future users can learn from this.

For Networking Posts check my website at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC