07-12-2006 01:42 PM - edited 02-21-2020 01:02 AM
I need to support a client connection to our FTP server that uses a PASV connection. We currently have a 1605 router with basic IP feature set, and it cannot support any dynamic ACLs.
It looks like my option is either to replace it with a PIX 501, and implement "fixup protocol ftp", or upgrade our 1605 router to support CBAC, in which I think I need IP/FW. The router has 4MB flash and 16MB DRAM, but I think I have a 8MB flash laying around.
There is no other traffic going across this connection except for this FTP transfer. Which is the better option? Upgrade our 1605 or buy a PIX?
Thanks in advance.
07-12-2006 02:18 PM
Hello carlogrossman,
Both options would work. You are correct about needing an IP/FW image to support CBAC. Looks like for 12.3 code you'll need 8 MB Flash and 24 MB DRAM.
Both options seem relatively cheap. I guess it depends on which you prefer to implement.
Hope this helps! If so, please rate.
Thanks
07-12-2006 02:43 PM
So, do they do EXACTLY the same thing? Or is one a little better than the other?
Do they both watch for an FTP session coming in on port 21, and look at the PASV command for the specific port number to open up? According to this article, http://www.securiteam.com/securitynews/5SQ0E000AC.html, the PIX firewall still has a slight vulnerability, and it says that IOS FW is not affected by it.
Thoughts on these statements?
07-12-2006 03:06 PM
Hello carlogrossman,
That article you referenced is from 2000 and points up to and including 4.2(5), 4.4(4), and 5.0(3). These are really old versions of code.
You asked "Do they both watch for an FTP session coming in on port 21, and look at the PASV command for the specific port number to open up?" Yes
How does Context-Based Access Control (CBAC) interact with Passive FTP?
http://www.cisco.com/en/US/products/ps6586/products_qanda_item09186a008009464d.shtml#qa5
fixup protocol - scroll down to ftp section
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379
Looks like there is a strict option for pix fixup. I don't recall seeing something like that for CBAC.
Hope this helps! If so, please rate.
Thanks
07-17-2006 07:24 AM
I'm not sure what commands to use for CBAC. The article only shows debug commands. To implement this, would the command be...
  ip inspect ftp-cmd
  ip inspect ftp-tokens
(I'm just guessing by taking out the debug command).
Thanks in advance.
07-17-2006 07:39 AM
Hello carlogrossman,
To implement CBAC FTP inspection, you would need
ip inspect name inspection-name ftp
Here is a better link for configuration.
Configuring Context-Based Access Control
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm
I only included the previous link on CBAC to answer your question about how CBAC works.
Hope this helps! If so, please rate.
Thanks
07-17-2006 09:55 AM
Thank you so much for your help hemendoz. I will definitely give you a good rating.
Is the following config correct? Ethernet0 is on our private network, Ethernet1 is the outside network. The FTP client is on the outside LAN, and the FTP server is on the internal LAN.
ip inspect name courtsftp ftp timeout 3600
!
interface Ethernet0
 ip address (local IP address)
!
interface Ethernet1
 ip address (outside IP address)
 ip access-group ibfilters in
 ip inspect courtsftp in
!
ip access-list extended ibfilters
 permit tcp host (outside IP address) host (local ftp server ip) eq ftp
 permit tcp host (outside IP address) host (local ftp server ip) eq ftp-data
07-18-2006 08:03 PM
Two things -
1. You don't need "permit tcp host (outside IP address) host (local ftp server ip) eq ftp-data". The reason is because CBAC is inspecting FTP traffic and it will open the appropriate ftp-data port.
2. Passive FTP doesn't use port 20. Active FTP does.
Check out this link for a better explanation.
Active FTP vs. Passive FTP, a Definitive Explanation
http://slacksite.com/other/ftp.html
Hope that helps! If so, please rate.
Thanks
07-18-2006 09:07 PM
Also forgot to mention that if your configuration is left as is, then only FTP access will be allowed. Traffic that originates on the "inside" would not be permitted back in because of your ibfilters ACL. You'd probably want to inspect traffic both ways to dynamically punch holes in the router. I would create 2 different inspect statements like FW-IN and FW-OUT.
Hope that helps! If so, please rate.
Thanks
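As an added example, not taken from any post in this thread, here is one way the configuration discussed above could be written with the two inspection rules the last reply suggests. Interface roles follow the thread (Ethernet0 inside, Ethernet1 outside), the rule names FW-IN and FW-OUT are the ones proposed in that reply, and the angle-bracketed addresses and masks are placeholders to be filled in for the real network.

```cisco
! Added example config, not the original poster's. Requires an IP/FW
! feature set image (CBAC); addresses in <...> are placeholders.
!
! Rule for sessions arriving from the outside: the client's FTP control
! connection on port 21 is inspected, and CBAC opens the PASV data port
! the server advertises in its 227 reply for the duration of the session.
ip inspect name FW-IN ftp timeout 3600
!
! Rule for sessions originating on the inside: generic TCP/UDP inspection
! plus FTP, so return traffic for inside-initiated connections is let back
! through the ibfilters ACL dynamically instead of being dropped.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp
!
! Optional: log session creation/teardown to the console/syslog for
! verification while testing the first transfers.
ip inspect audit-trail
!
ip access-list extended ibfilters
 remark Only the FTP control channel is permitted statically.
 remark No ftp-data (port 20) entry: passive FTP does not use it, and the
 remark PASV data port is opened by CBAC per session. Everything else,
 remark including unsolicited inbound traffic, hits the implicit deny.
 permit tcp host <outside client IP> host <local ftp server IP> eq ftp
!
interface Ethernet0
 description inside LAN (FTP server lives here)
 ip address <local IP address> <mask>
!
interface Ethernet1
 description outside (FTP client connects from here)
 ip address <outside IP address> <mask>
 ip access-group ibfilters in
 ip inspect FW-IN in
 ip inspect FW-OUT out
```

While a passive transfer is running, `show ip inspect sessions` should list the control session to port 21 and a second, dynamically created session to the high port the server named in its PASV reply; if only the control session appears and the data connection is being denied, the inspection rule is not applied in the direction the control connection enters the router.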