New Member

6509 FWSM and FTP outbound Passive

I am trying to configure, or find out why, ftp passive outbound is not working; what can I check to verify my configuration? I am trying to provide a subnet ftp access and passive ftp on a fwsm.

thanks,

16 REPLIES
Silver

Re: 6509 FWSM and FTP outbound Passive

If you are running newer code, do you have a command "inspect ftp" or if it is older do you have "fixup ftp" enabled? I assume you are allowing inside host to outside host eq 21? Those should be the 2 key steps.

-Eric

Please remember to rate all helpful posts.

New Member

Re: 6509 FWSM and FTP outbound Passive

I am running 2.3(4) code on my FWSM, and fixup ftp is enabled. I want to be able to allow any and all hosts outbound to the internet for active and passive ftp.

I permitted a subnet of systems to be able to ftp out, but when the passive session occurs it fails. Any ideas? Here is the ACL and the object group below.

object-group service INET-ACCESS-UDP udp
port-object eq ntp
port-object eq www
port-object eq 4043
port-object eq 5700
port-object eq 7896
port-object range 1024 65535
port-object eq 21
port-object range 1023 65535

access-list INSIDE extended permit udp 10.241.136.0 255.255.255.0 any object-group INET-ACCESS-UDP

Silver

Re: 6509 FWSM and FTP outbound Passive

Ok, there's the issue. FTP is actually TCP, so if you add a rule allowing tcp any any eq ftp you should be ok.

-Eric

Please remember to rate all helpful posts.

New Member

Re: 6509 FWSM and FTP outbound Passive

So I can add the following

access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 eq ftp any?

Silver

Re: 6509 FWSM and FTP outbound Passive

Exactly. Give it a shot and let us know.

-Eric

New Member

Re: 6509 FWSM and FTP outbound Passive

Eric,

No luck. I tried to ftp to a site and that works, but when I try to perform any command like get, dir or ls I receive a message that says the command is not allowed and the session dies.

Gerry

New Member

Re: 6509 FWSM and FTP outbound Passive

hi guys,

I think there is a mistake in the access-list

access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 eq ftp any?

it should be:

access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 any eq ftp?

very easy to overlook, must admit :)

It will then work, I am sure; if ftp inspection is configured it will create a dynamic opening in this inbound access list for the data channel from the client to the server (in PFTP).

Let us know if it works
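Eric's point above (FTP is TCP, so a port-object eq 21 inside a udp object-group never matches it) and Rafal's point about the data channel needing a dynamic opening can be checked with a small first-match ACL evaluator. This is an added example, not code from the thread or from Cisco; it parses the object-group and access-list lines posted here (a constructed excerpt, with the tcp/ftp line from later in the thread), and the client and server addresses are assumed sample values (Python 3.8+).

```python
import ipaddress
import re

NAMES = {"ftp": 21, "www": 80, "ntp": 123}   # names used in the thread (constructed partial table)
def port(tok):
    return int(tok) if tok.isdigit() else NAMES[tok]
def net(tok):
    addr, mask = ("0.0.0.0", "0.0.0.0") if tok == "any" else tok.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    """Parse 'object-group service' blocks and 'access-list ... extended permit' lines."""
    groups, rules, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"object-group service (\S+) (tcp|udp)$", line):
            cur = groups.setdefault(m[1], {"proto": m[2], "ports": []})
        elif m := re.match(r"port-object eq (\S+)$", line):
            cur["ports"].append((port(m[1]), port(m[1])))
        elif m := re.match(r"port-object range (\d+) (\d+)$", line):
            cur["ports"].append((int(m[1]), int(m[2])))
        elif m := re.match(r"access-list (\S+) extended permit (tcp|udp) (any|\S+ \S+) (any|\S+ \S+)(?: (.*))?$", line):
            rules.append((m[1], m[2], net(m[3]), net(m[4]), m[5] or ""))
    return groups, rules

def permitted(acl, groups, rules, proto, src, dst, dport):
    """First-match evaluation of one flow against the named ACL; no match means the implicit deny."""
    for name, rproto, rsrc, rdst, svc in rules:
        if name != acl or rproto != proto or ipaddress.ip_address(src) not in rsrc or ipaddress.ip_address(dst) not in rdst:
            continue
        if svc == "":                       # no port qualifier: any destination port
            return True
        if svc.startswith("eq "):           # 'eq ftp' behaves like a one-port group of the rule's protocol
            g = {"proto": proto, "ports": [(port(svc.split()[1]),) * 2]}
        else:                               # a service object-group carries its OWN protocol
            g = groups[svc.split()[1]]
        # tcp traffic never matches a udp group: 'port-object eq 21' under a udp group is dead for FTP
        if g["proto"] == proto and any(lo <= dport <= hi for lo, hi in g["ports"]):
            return True
    return False

# Constructed excerpt of the config posted in the thread, plus the tcp/ftp line added later.
CONFIG = """
object-group service INET-ACCESS-UDP udp
 port-object eq 21
 port-object range 1023 65535
access-list INSIDE extended permit udp 10.241.136.0 255.255.255.0 any object-group INET-ACCESS-UDP
"""
FIX = "access-list INSIDE extended permit tcp 10.241.136.0 255.255.255.0 any eq ftp\n"

def outbound_allowed(config, proto, dport, client="10.241.136.10", server="198.51.100.7"):
    groups, rules = parse(config)
    return permitted("INSIDE", groups, rules, proto, client, server, dport)
```

With FIX applied the control channel (tcp/21) passes, but a passive data connection to a high server port still matches nothing statically; that is the opening fixup/inspect ftp must add from the 227 reply it sees on the control channel.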

Silver

Re: 6509 FWSM and FTP outbound Passive

Rafal is exactly correct. Sorry I overlooked that mixup yesterday.

- Eric

New Member

Re: 6509 FWSM and FTP outbound Passive

Sorry, but that was how I entered the acl in the forum; I actually have it correct in the fwsm and it still does not work:

access-list INSIDE extended permit tcp 10.241.136.0 255.255.255.0 any eq ftp

any ideas?

Gerry

New Member

Re: 6509 FWSM and FTP outbound Passive

Here is the INSIDE ACL

access-list INSIDE extended permit icmp any any object-group ICMP
access-list INSIDE extended permit ip object-group BACKEND-ACCESS-TO-PUB object-group PUB-SEGMENT
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group SMTP-BRIDGEHEADS eq smtp
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group PUB-DNS-FORWARD eq domain
access-list INSIDE extended permit udp 10.0.0.0 255.0.0.0 object-group PUB-DNS-FORWARD eq domain
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 10.0.32.0 255.255.252.0 object-group WEB-SERVICES
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq tftp
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 139.61.142.0 255.255.255.0 eq tftp
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq snmptrap
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq syslog
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.13.0 255.255.255.0 eq telnet
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.13.0 255.255.255.0 eq ssh
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.36.0 255.255.252.0 eq 3389
access-list INSIDE extended permit tcp 10.0.40.0 255.255.255.0 10.0.36.0 255.255.252.0 object-group SAN-IN
access-list INSIDE extended permit tcp 10.0.20.0 255.255.252.0 any eq 4043
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 10.0.38.0 255.255.255.0 eq smtp
access-list INSIDE extended permit udp 10.0.22.0 255.255.255.0 139.61.142.0 255.255.255.0 eq snmptrap
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group AUTH-SERVERS eq tacacs
access-list INSIDE extended permit udp 10.0.0.0 255.0.0.0 any object-group INET-ACCESS-UDP
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 any object-group INET-ACCESS
access-list INSIDE extended permit ip 10.1.0.0 255.255.0.0 any
access-list INSIDE extended permit tcp any 10.0.50.0 255.255.255.0 object-group ACCESS-TO-SECDMZ
access-list INSIDE extended permit tcp host 10.0.21.26 any
access-list INSIDE extended permit tcp any 10.0.40.0 255.255.255.0 object-group INET-ACCESS
access-list INSIDE extended permit udp 10.245.0.0 255.255.0.0 139.61.142.0 255.255.255.0 eq tftp
access-list INSIDE extended permit tcp 10.241.136.0 255.255.255.0 any eq ftp

New Member

Re: 6509 FWSM and FTP outbound Passive

To me everything is OK. What symptoms are you getting exactly? In one of the posts you said that you can connect but the commands are denied. That looks more like a server problem. If there was a problem with the firewall, you would be able to connect and execute the commands but you would not see the results if the data connection could not be established. For PFTP you would not even need fixup, were it not for the INSIDE access list, as both control and data connections are initiated by the client from the inside. (You could even take it off for a while to test it.)

Is ftp fixup definitely configured on the default port 21?

New Member

Re: 6509 FWSM and FTP outbound Passive

This is the message I receive when trying to ftp to ftp.cisco.com

550 Permission denied: PORT not allowed here

150 Opening ASCII mode data connection for file list

Gerry

New Member

Re: 6509 FWSM and FTP outbound Passive

Something is very strange here.

1. The server tells you that you are not allowed to use the PORT command, which you would not use in passive mode anyway.

2. Why wouldn't you be able to use the LIST command in the public folder of cisco.ftp? No idea.

3. As you can see, the data connection is established. You can definitely say that your firewall works fine and is NOT a problem.

It seems that for some reason you actually switch to active mode which uses PORT command to tell the server where to establish data connection to. I tried switching to active mode while connected and get the same error.

Make sure you are using PFTP and not trying to execute PORT command which cisco.ftp does not like :)

Rafal

New Member

Re: 6509 FWSM and FTP outbound Passive

When I try to ftp I just try executing ls, get or dir and I receive the message I sent you.

New Member

Re: 6509 FWSM and FTP outbound Passive

hi!

Have you managed to solve your problem? What was it?

Bronze

Re: 6509 FWSM and FTP outbound Passive

In order to use cisco ftp site, you have to use PASSIVE mode - everyone gets a 'PORT command not allowed here' when using ACTIVE mode ftp.

However, when going to another site (ftp.sun.com) everything is working fine using ACTIVE mode ftp.

The default Microsoft windows ftp client doesn't support passive ftp - try putting ftp://ftp.cisco.com in your browser (mozilla or microsoft) and if you start seeing files, it's because these both support passive mode ftp.

--Jason

Rate if this helps.
