PASV FTP - Pix or 1605R?

carlogrossman
Level 1

I need to support a client connection to our FTP server that uses a PASV connection. We currently have a 1605 router with basic IP feature set, and it cannot support any dynamic ACLs.

It looks like my option is either to replace it with a PIX 501, and implement "fixup protocol ftp", or upgrade our 1605 router to support CBAC, in which I think I need IP/FW. The router has 4MB flash and 16MB DRAM, but I think I have a 8MB flash laying around.

There is no other traffic going across this connection except for this FTP transfer. Which is the better option? Upgrade our 1605 or buy a PIX?

Thanks in advance.

Accepted Solution

Two things -

1. You don't need "permit tcp host (outside IP address) host (local ftp server ip) eq ftp-data". The reason is because CBAC is inspecting ftp traffic and it will open the appropriate ftp-data port.

2. Passive ftp doesn't use port 20. Active ftp does.

Check out this link for a better explanation.

Active FTP vs. Passive FTP, a Definitive Explanation

http://slacksite.com/other/ftp.html

Hope that helps! If so, please rate.

Thanks


8 Replies

hemendoz
Cisco Employee

Hello carlogrossman,

Both options would work. You are correct about needing an IP/FW image to support CBAC. Looks like for 12.3 code you'll need 8 MB Flash and 24 MB DRAM.

Both options seem relatively cheap. I guess it depends on which you prefer to implement.

Hope this helps! If so, please rate.

Thanks

So, do they do EXACTLY the same thing? Or is one a little better than the other?

Do they both watch for an FTP session coming in on port 21, and look at the PASV command for the specific port number to open up? According to this article, http://www.securiteam.com/securitynews/5SQ0E000AC.html, the PIX firewall still has a slight vulnerability, and it says that IOS FW is not affected by it.

Thoughts on these statements?

Hello carlogrossman,

That article you referenced is from 2000 and points up to and including 4.2(5), 4.4(4), and 5.0(3). These are really old versions of code.

You asked "Do they both watch for an FTP session coming in on port 21, and look at the PASV command for the specific port number to open up?" Yes

How does Context-Based Access Control (CBAC) interact with Passive FTP?

http://www.cisco.com/en/US/products/ps6586/products_qanda_item09186a008009464d.shtml#qa5

fixup protocol - scroll down to ftp section

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379

Looks like there is a strict option for pix fixup. I don't recall seeing something like that for CBAC.

Hope this helps! If so, please rate.

Thanks
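The "Yes" above is the mechanism both PIX fixup and CBAC rely on: they read the control channel on port 21 and derive the data port from what passes there. The following is an added example, not from this thread or from Cisco, that models it in Python: it parses the server's 227 passive reply and the client's PORT command, decodes the port, and prints the temporary ACL entry an inspector would add (which is why the static ftp-data line is unnecessary and why port 20 only matters for active mode). The addresses and the transcript are constructed, and the address-mismatch check is my own sanity check, not a description of the PIX strict option.

```python
import re
from dataclasses import dataclass
# Constructed sample addresses (documentation ranges), not values from the thread.
SERVER_IP = "192.0.2.10"    # assumed internal FTP server
CLIENT_IP = "198.51.100.7"  # assumed outside FTP client

# Server reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." / client command "PORT h1,h2,h3,h4,p1,p2"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

@dataclass(frozen=True)
class Pinhole:  # one temporary ACL entry an inspector adds so a data channel can pass
    src_ip: str
    dst_ip: str
    dst_port: int
    mode: str  # "passive" or "active"

    def as_ace(self) -> str:
        # Static equivalent of the entry CBAC / fixup would add to the inbound ACL.
        return f"permit tcp host {self.src_ip} host {self.dst_ip} eq {self.dst_port}"

def _decode(h1, h2, h3, h4, p1, p2):
    ip = ".".join((h1, h2, h3, h4))
    port = int(p1) * 256 + int(p2)  # FTP carries the port as two base-256 digits
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return ip, port

def inspect_control_line(line, client_ip=CLIENT_IP, server_ip=SERVER_IP):
    """Return the Pinhole this control-channel line opens, or None."""
    if m := PASV_RE.match(line):  # passive: client connects to a server-chosen port; port 20 unused
        ip, port = _decode(*m.groups())
        if ip != server_ip:  # my own sanity check: the reply must name the server itself
            raise ValueError(f"227 reply names {ip}, expected {server_ip}")
        return Pinhole(client_ip, ip, port, "passive")
    if m := PORT_RE.match(line):  # active: server connects back from port 20 to a client-chosen port
        ip, port = _decode(*m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT names {ip}, expected {client_ip}")
        return Pinhole(server_ip, ip, port, "active")
    return None

def inspect_session(lines, client_ip=CLIENT_IP, server_ip=SERVER_IP):
    """Walk a control-channel transcript and collect the data-channel pinholes."""
    return [h for h in (inspect_control_line(l, client_ip, server_ip) for l in lines) if h]

# Constructed transcript: one passive transfer, then one active transfer.
SAMPLE_SESSION = ["PASV", "227 Entering Passive Mode (192,0,2,10,195,149).",  # 195*256+149 = 50069
                  "RETR report.txt", "PORT 198,51,100,7,4,1", "RETR other.txt"]  # 4*256+1 = 1025
```

Run `inspect_session(SAMPLE_SESSION)` and print each pinhole's `as_ace()` to see the two entries the inspector would add and remove on its own, with no ftp-data line in the static ACL.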

I'm not sure what commands to use for CBAC. The article only shows debug commands. To implement this, would the command be...

ip inspect ftp-cmd

ip inspect ftp-tokens

(I'm just guessing by taking out the debug command.)

Thanks in advance.

Hello carlogrossman,

To implement CBAC FTP inspection, you would need

ip inspect name inspection-name ftp

Here is a better link for configuration.

Configuring Context-Based Access Control

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm

I only included the previous link on CBAC to answer your question about how CBAC works.

Hope this helps! If so, please rate.

Thanks

Thank you so much for your help hemendoz. I will definitely give you a good rating.

Is the following config correct? Ethernet0 is on our private network, Ethernet1 is the outside network. The FTP client is on the outside LAN, and the FTP server is on the internal LAN.

ip inspect name courtsftp ftp timeout 3600
!
interface Ethernet0
 ip address (local IP address)
!
interface Ethernet1
 ip address (outside IP address)
 ip access-group ibfilters in
 ip inspect courtsftp in
!
ip access-list extended ibfilters
 permit tcp host (outside IP address) host (local ftp server ip) eq ftp
 permit tcp host (outside IP address) host (local ftp server ip) eq ftp-data


Also forgot to mention that if your configuration is left as is, then only ftp access will be allowed. Traffic that originates on the "inside" would not be permitted back in because of your ibfilters acl. You'd probably want to inspect traffic both ways to dynamically punch holes in the router. I would create 2 different inspect statements like FW-IN and FW-OUT.

Hope that helps! If so, please rate.

Thanks
