09-19-2010 12:42 AM - edited 03-11-2019 11:42 AM
Hello Security Expert Team,
I am using the Cisco ASA 5510 / ver 8.2(1) and I am doing some basic deep inspection config for FTP traffic:
begin:
!
regex REG_C26XX "^c26.*"
regex REG_C28XX "^c28.*"
!
class-map FTP
match port tcp eq ftp
!
class-map type regex match-any deny_files
match regex RE_C26XX
match regex RE_C28XX
!
class-map type inspect ftp match-all deny_commands
match request-command site dele rmd
!
policy-map type inspect ftp ftp_inspect
parameters
mask-banner
mask-syst-reply
match filename regex class deny_files
reset
class deny_commands
reset
!
policy-map outside
class FTP
inspect ftp strict ftp_inspect
!
service-policy outside interface outside
!
test regex c2600.bin ^c26.*
!
end
And I did some test in this case:
1. I have Connected to FTP Server
2. I have got successfully the c2600.bin file
3. show service-policy interface outside inspect ftp (I didn't see drop/reset packets here)
I have double-checked the running configuration and I do not know why. Could you please help me find out this issue in this case?
Thank you very much,
Tran
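Added example, not part of the thread: a small Python model of the inspection policy in the post above, run over constructed client control-channel commands (RETR, STOR, DELE and similar carry the filename on the control connection, port 21, per RFC 959). It also fails loudly on a regex-name mismatch such as RE_C26XX versus REG_C26XX. Python's re module stands in for the ASA regex engine, an assumption that holds for these simple anchored patterns.

```python
import re

# Constructed regex table and classes, mirroring the thread's configuration.
REGEX_TABLE = {"REG_C26XX": r"^c26.*", "REG_C28XX": r"^c28.*"}
DENY_FILES = ["REG_C26XX", "REG_C28XX"]   # class-map type regex match-any deny_files
DENY_COMMANDS = {"SITE", "DELE", "RMD"}   # match request-command site dele rmd
# FTP commands whose argument is a filename (sent on the control channel, RFC 959).
FILENAME_COMMANDS = {"RETR", "STOR", "APPE", "DELE", "RNFR", "RNTO", "SIZE", "MDTM"}


def compile_regex_class(names, table=REGEX_TABLE):
    """Resolve a 'class-map type regex' to compiled patterns.
    A name missing from the regex table (e.g. RE_C26XX instead of REG_C26XX)
    is a configuration error, so fail instead of silently matching nothing."""
    missing = [n for n in names if n not in table]
    if missing:
        raise KeyError(f"unknown regex name(s): {missing}")
    return [re.compile(table[n]) for n in names]


def inspect_control_line(line, file_patterns, deny_cmds=DENY_COMMANDS):
    """Return 'reset' if the policy would reset the session on this control-channel
    command, else 'allow'. Assumption: Python re semantics match the ASA for these patterns."""
    parts = line.strip().split(None, 1)
    if not parts:
        return "allow"
    cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
    if cmd in deny_cmds:
        return "reset"          # class deny_commands -> reset
    if cmd in FILENAME_COMMANDS and any(p.search(arg) for p in file_patterns):
        return "reset"          # match filename regex class deny_files -> reset
    return "allow"


def run_session(lines, names=DENY_FILES):
    """Apply the policy to every command of a session; returns (line, verdict) pairs."""
    patterns = compile_regex_class(names)
    return [(line, inspect_control_line(line, patterns)) for line in lines]


SAMPLE_SESSION = [  # constructed client control-channel commands
    "USER anonymous", "PASV", "RETR c2600.bin", "RETR readme.txt",
    "STOR c2800nm-adventerprisek9-mz.bin", "DELE old.bin", "SITE CHMOD 644 x",
]

if __name__ == "__main__":
    for line, verdict in run_session(SAMPLE_SESSION):
        print(f"{verdict:5s} {line}")
```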
09-19-2010 12:51 AM
Hello,
Seems like you matched wrong REGEX list.
regex REG_C26XX "^c26.*"
regex REG_C28XX "^c28.*"
!
class-map type regex match-any deny_files
match regex RE_C26XX
match regex RE_C28XX
You are missing the character "G" in the match statements. Can you fix that and see if that helps?
Regards,
NT
09-19-2010 12:58 AM
That was a wrong cut & paste in this discussion, but the running configuration in the ASA is correct, and that is the reason why I must ask the expert team. Thanks
09-19-2010 01:07 AM
Hello,
Can you try the following:
class-map type regex match-any deny_files
match filename regex REG_C26XX
match filename regex REG_C28XX
Hope this helps.
Regards,
NT
09-19-2010 01:28 AM
Hello,
I did this before by creating an access-list with port range 21 22, but I still got the same issue. You can try
regards,
09-19-2010 01:29 AM
Hello,
I did this before by creating an access-list with port range 20 21, but I still got the same issue. You can try
regards,
09-19-2010 01:35 AM
Hi,
What kind of FTP connection are you testing with? Active or Passive? If it's Active then an access-list on port 20 makes sense. But if you are trying passive FTP, the data connection will be on a random negotiated port. That is why I had suggested an access-list with all TCP traffic to the FTP server without any ports, as below:
access-list FTP permit tcp any host a.b.c.d
class-map FTP
no match port tcp eq ftp
match access-list FTP
Please try this out and see if it works. Also, please paste the output of show service-policy.
Regards,
Prapanch
09-19-2010 02:47 AM
Hello Prapanch,
Client-------------(out)(ASA)(dmz)-------------FTP_Server
FTP_Srv (support both Act/Pass Mode):
For Active Mode:
Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
<---------DATA OK Port:2030-------->
DATA Port: 2030 <-----------Data Channel--------------- DATA PORT:20
For Passive Mode:
Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
<---------Passive OK Port:2020--------
DATA Port:2030 -----------Data Channel---------------> DATA PORT:2020
As I understand it, the ASA uses stateful inspection / multi-packet technology and I think the ASA is smart enough to inspect the sub-connection, and as you mentioned I must create an access-list to classify again for the Data Channel in both Active/Passive mode in this case. It seems the best answer, and I will do it tomorrow and give the result to you. Thank you very much
Regards,
Tran
09-19-2010 07:16 PM
Hello Prapanch,
Client-------------(out)(ASA)(dmz)-------------FTP_Server
FTP_Srv (support both Act/Pass Mode):
For Active Mode:
Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
<---------DATA OK Port:2030-------->
DATA Port: 2030 <-----------Data Channel--------------- DATA PORT:20
For Passive Mode:
Client (>1024 Port)-----------Control Channel----------->FTP_Srv (Port:21)
<---------Passive OK Port:2020--------
DATA Port:2030 -----------Data Channel---------------> DATA PORT:2020
As I understand it, the ASA uses stateful inspection / multi-packet technology and I think the ASA is smart enough to inspect the sub-connection,
and as you mentioned I must create an access-list to classify again for the Data Channel in both Active/Passive mode in this case.
access-list FTP permit tcp any host a.b.c.d
class-map FTP
no match port tcp eq ftp
match access-list FTP
As you mentioned, I did it:
access-list FTP permit tcp any any (for test deep inspection in this case)
class-map FTP
no match port tcp eq ftp
match access-list FTP
!
It didn't work correctly
ASA# sh service-policy interface outside ins ftp
Interface outside:
Service-policy: outside
Class-map: http_from_outside
Class-map: FTP
Inspect: ftp strict ftp_inspect, packet 316, drop 76, reset-drop 0
Retx cmd in cmd mode drop 64
Cmd in reply mode drop 12
mask-banner enabled
mask-syst-reply enabled
match filename regex class deny_files --------------> didn't see packets
reset log, packet 0
class deny_commands
reset, packet 0
Class-map: smtp_server
ASA#
regards,
Tran
09-20-2010 05:48 AM
Hey Tran,
Just wanted to confirm. Have you tested the filename c2600.bin against the regex you have configured? Also, please try testing the filename c2600 against the regex configured. Just want to confirm we have the regex configured right.
Also, can you please get captures of the entire FTP session in .pcap format from the ASA? I would like to see the exact parameters being sent by the client. For configuring captures, please refer to the document below:
https://supportforums.cisco.com/docs/DOC-1222
Thanks and Regards,
Prapanch
09-19-2010 01:12 AM
Hey,
The reason could be because of the below config:
class-map FTP
match port tcp eq ftp
policy-map outside
class FTP
inspect ftp strict ftp_inspect
So in the above case, we are matching traffic on port TCP/21 (due to the command match port tcp eq ftp). All the filenames and commands will, I guess, be exchanged in the "data connection" and not in the "control connection", which is TCP/21. The port for the data connection depends on what type of FTP we are using, that is, active or passive. So the best option is to apply an access-list to the FTP server.
Try changing the config to something like below:
Assuming the FTP server's IP address is a.b.c.d
access-list FTP permit tcp any host a.b.c.d
class-map FTP
no match port tcp eq ftp
match access-list FTP
Try this out and let me know how it goes!!
Regards,
Prapanch
09-19-2010 01:24 AM
Hello,
I did not see the keyword "filename" in the syntax: class-map type regex match-any deny_files
Regards,
Tran
09-19-2010 12:56 AM
Here is the configuration guide to match FTP specific filename for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1328745
Hope that helps.
11-08-2010 08:51 AM
Can you guys tell me what C26 and C28 are? I am not able to find anything on the web with that reference. Is it something to do with file names?
Thanks!