03-04-2012 09:50 PM - edited 03-04-2019 03:32 PM
Dear all,
I need to set up an FTP server and FTP client at both ends (165.202.148.11 & 172.20.14.7). Routing is fine at both ends, and I found that the ACL makes it fail.
Situation
1) When I apply the ACL on both Router A and Router B, all FTP fails (165.202.148.11 & 172.20.14.7 can't FTP to each other).
2) When I apply the ACL on Router A only, 165.202.148.126 can FTP to 172.20.14.7.
3) When I apply the ACL on Router B only, 172.20.14.7 can FTP to 165.202.148.126.
RouterA
interface Vlan145
ip address 172.20.14.126 255.255.255.0
ip access-group DRRMS_To_GM8 out
ip access-list extended DRRMS_To_GM8
permit tcp host 165.202.148.11 host 172.20.14.7 range ftp-data ftp
permit icmp host 165.202.148.11 host 172.20.14.7
deny ip any host 172.20.14.7
permit ip any any
****************************************
RouterB
interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip access-group GM8_To_DRRMS out
ip access-list extended GM8_To_DRRMS
permit tcp host 172.20.14.7 host 165.202.148.11 range ftp-data ftp
permit icmp host 172.20.14.7 host 165.202.148.11
deny ip any host 165.202.148.11
permit ip any any
03-04-2012 10:45 PM
Hello,
Enabling the ACL on one side, you permit FTP from this side to the remote one. But you are blocking the reply from this side's FTP server to the remote client.
Say you have the ACL enabled on A.
If now A FTPs to B, it will send traffic to FTP 172.20.14.7 port 21, e.g., and it will be allowed by the ACL. If then B sends traffic from 172.20.14.7 to 165.202.148.11 on port 21, that will still be allowed, as your ACL is in the Out direction, so incoming traffic is not filtered. But then 165.202.148.11 will answer back to 172.20.14.7; this traffic will be blocked, as you are not permitting it in the ACL. That traffic will go to 172.20.14.7 destined to a random port, as side B initiated FTP on a random port.
You need to add this line to the ACL on both sides.
E.g. on A:
permit tcp host 165.202.148.11 range ftp-data ftp host 172.20.14.7 - by this you will allow traffic from FTP server A to the random port that initiated FTP on B.
A similar ACL should be applied on the B side.
Hope this helps,
Nik
03-05-2012 02:27 AM
Dear Nik,
Thanks for your advice. By the way, can I simply use the new ACL below to replace the previous one?
Previous
ip access-list extended DRRMS_To_GM8
permit tcp host 165.202.148.11 host 172.20.14.7 range ftp-data ftp
permit tcp host 165.202.148.11 range ftp-data ftp host 172.20.14.7
New
ip access-list extended DRRMS_To_GM8
permit ip host 165.202.148.11 host 172.20.14.7
03-05-2012 02:42 AM
Sure,
That should also do what is needed.
Nik
03-05-2012 02:57 AM
Dear Nik,
Is my concept in phase 3 wrong? May I ask you about the TCP flow?
1) First 165.202.148.11 [source random port (e.g. 1024), dest port 21] sends traffic to dest IP 172.20.14.7
2) When 172.20.14.7 receives the packet, it will reply with (source port 21, dest port 1024) to 165.202.148.11
3) Then 172.20.14.7 initiates a new connection (source port 1024, dest 20) to 165.202.148.1. And that's why
165.202.148.1 replies with (source port 20, dest port 1024) back to 172.20.14.7. Right?
03-05-2012 05:18 AM
Basically FTP can work in two modes, active or passive.
In active mode the client opens two sessions to the server on ports 20 and 21; basically the client opens one on 21 for command control and the server initiates another one from its port 20 for transfer. It will look like:
1) First 165.202.148.11 [source random port (e.g. 1024), dest port 21] sends traffic to dest IP 172.20.14.7
2) When 172.20.14.7 receives the packet, it will reply with (source port 21, dest port 1024) to 165.202.148.11
3) Then 172.20.14.7 initiates a new connection (source port 20, dest 1024) to 165.202.148.1.
So both ports 20 and 21 are opened from the server side.
In passive mode the server is not initiating the transfer connection but the client does it, and it looks like:
1) First 165.202.148.11 [source random port (e.g. 1024), dest port 21] sends traffic to dest IP 172.20.14.7
2) When 172.20.14.7 receives the packet, it will reply with (source port 21, dest port 1024) to 165.202.148.11
3) Then 165.202.148.11 initiates a new connection (source port RANDOM, dest RANDOM (provided by the server in step 2)) to 172.20.14.7.
Nik
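Nik's active/passive description above, turned into an added example (not code from the thread): decode the PORT command and the 227 reply to get the data-connection endpoints, work out which side sends the SYN, and produce the IOS ACL entry that one connection would need. The sample messages are constructed for the thread's two hosts; the ports 1024 and 50000 and the hypothetical bounce address are assumptions.

```python
"""FTP data-connection direction, derived from the protocol messages.

Added example, not from the thread. Active mode: the client sends
'PORT h1,h2,h3,h4,p1,p2' and the server connects from port 20 (ftp-data) to
that address. Passive mode: the server answers PASV with
'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' and the client connects to it.
The sample messages and the ports 1024 / 50000 are constructed for this demo.
"""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no host,port tuple in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"value out of range in {text!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(addr, port):
    """Inverse of parse_hostport, e.g. to build a PORT command."""
    return ",".join(addr.split(".") + [str(port // 256), str(port % 256)])

def data_connection(client, server, port_cmd=None, pasv_reply=None):
    """(initiator, src, sport, dst, dport) for the data connection.

    Give exactly one of port_cmd (active) or pasv_reply (passive). The server
    initiates in active mode, from port 20; the client in passive mode, from an
    ephemeral port reported as None because it is not known in advance.
    """
    if (port_cmd is None) == (pasv_reply is None):
        raise ValueError("give either a PORT command or a 227 reply")
    if port_cmd is not None:
        addr, port = parse_hostport(port_cmd)
        if addr != client:   # PORT pointing at a third host: the classic FTP bounce
            raise ValueError(f"PORT address {addr} is not the client {client}")
        return "server", server, 20, addr, port
    addr, port = parse_hostport(pasv_reply)
    if addr != server:
        raise ValueError(f"227 address {addr} is not the server {server}")
    return "client", client, None, addr, port

def acl_entry(conn):
    """IOS extended-ACL entry that admits this connection's SYN.

    It belongs on the 'out' ACL of the router in front of the destination. In
    passive mode the port is picked by the server per transfer, so a stateless
    ACL cannot list it ahead of time; the entry is only exact after the fact.
    """
    initiator, src, sport, dst, dport = conn
    if initiator == "server":
        return f"permit tcp host {src} eq ftp-data host {dst}"
    return f"permit tcp host {src} host {dst} eq {dport}"

if __name__ == "__main__":
    client, server = "165.202.148.11", "172.20.14.7"
    active = data_connection(client, server, port_cmd="PORT " + encode_hostport(client, 1024))
    passive = data_connection(client, server,
                              pasv_reply="227 Entering Passive Mode (172,20,14,7,195,80)")
    for conn in (active, passive):
        print(conn, "->", acl_entry(conn))
```

The address checks are deliberately strict: a PORT command naming a third host is the FTP bounce pattern and should be refused by a server, and a 227 reply naming an address other than the server usually means NAT in the path (many clients simply ignore the advertised address in that case). The `range ftp-data ftp` lines in the thread cover the control connection and the active-mode data SYN from port 20, but not the server-chosen passive port, which is why a per-port stateless ACL struggles with passive FTP.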
03-05-2012 05:26 PM
Dear Nik,
Apart from the FTP function, I also added a VNC server that can work for each other.
Router B ( e.g. VNC server 165.202.148.11 )
interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip access-group GM8_To_DRRMS out
ip access-list extended GM8_To_DRRMS
permit tcp host 172.20.14.7 host 165.202.148.11 eq 5800---ACL1
permit tcp host 172.20.14.7 eq 5800 host 165.202.148.11---ACL2 ---why need to add ?
permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900---ACL3
permit tcp host 172.20.14.7 eq 5900 host 165.202.148.11---ACL4 ---why need to add ?
I expect 172.20.14.7 to directly initiate a VNC session to 165.202.148.11; that's why I need to add ACL 1 & 3.
However, it fails; I need to add ACL 2 & 4 to make it succeed. Why?
*********************************************************
Router A (e.g. VNC server is 172.20.14.7)
interface Vlan145
ip address 172.20.14.126 255.255.255.0
ip access-group DRRMS_To_GM8 out
ip access-list extended DRRMS_To_GM8
permit tcp host 165.202.148.11 host 172.20.14.7 eq 5800 ---ACL5
permit tcp host 165.202.148.11 eq 5800 host 172.20.14.7----ACL6 ---why need to add ?
permit tcp host 165.202.148.11 host 172.20.14.7 eq 5900----ACL7
permit tcp host 165.202.148.11 eq 5900 host 172.20.14.7----ACL8 ---why need to add ?
I expect 165.202.148.11 to directly initiate a VNC session to 172.20.14.7; that's why I need to add ACL 5 & 7.
However, it fails; I need to add ACL 6 & 8 to make it succeed. Why?
03-05-2012 06:12 PM
Hello,
As far as I see, you need those records for the same reason as for FTP. First of all you need to understand what ip access-group GM8_To_DRRMS out means on an SVI.
SVI out direction means traffic flowing in the direction out of the physical port which belongs to the SVI VLAN. If you have two ports within the same VLAN, one of which is the incoming port for the LAN and the other the port for the WAN, then there will be 2 different OUT directions for that SVI: one out of the switch to the LAN and another out of the switch to the WAN.
I'm not sure how your ports are configured, thus I can't elaborate here, but I guess you are just misinterpreting the VLAN out direction.
If it is possible, it would be helpful if you draw the diagram and provide the config for the ports on the way.
From what I see, ACL 2 and ACL 4 above are just needed for "165.202.148.11 directly initiate a VNC session to 172.20.14.7," and they do not match the traffic from 165.202.148.11 to 172.20.14.7. It seems that your SVI is for the local LAN and the out direction for it will be pointing to the LAN and not to the WAN.
Please double check.
Nik
03-05-2012 07:06 PM
Dear Nik,
Attached is my diagram for your reference.
03-05-2012 08:05 PM
So your diagram explains the thing:
Looking at config again:
interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip access-group GM8_To_DRRMS out
ip access-list extended GM8_To_DRRMS
permit tcp host 172.20.14.7 host 165.202.148.11 eq 5800---ACL1
permit tcp host 172.20.14.7 eq 5800 host 165.202.148.11---ACL2 ---why need to add ?
permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900---ACL3
permit tcp host 172.20.14.7 eq 5900 host 165.202.148.11---ACL4 ---why need to add ?
ACL 2 and 4 are needed because they allow return traffic from the VNC server to pass to 165.202.148.11 in the example above. Return traffic is indeed
172.20.14.7 eq 5800 host 165.202.148.11 RANDOM port which initiated the connection. Without those lines return traffic will be examined by the last default ACL line, which is "deny any any".
Similar for the config on the other-side switch.
Hope this is clear.
Nik
03-05-2012 09:36 PM
Dear Nik,
Sorry, can I clarify one thing? My understanding is (assume 172.20.14.7 is the VNC client, 165.202.148.11 is the VNC server):
Step 1, 172.20.14.7 initiates a session (source port 1024, dest port 5900) VNC to 165.202.148.11 ------ hits the ACL outbound (permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900)
Step 2, 165.202.148.11 replies with (source port 5900, dest port 1024) to 172.20.14.7 ------------- does not hit the ACL outbound
Step 3, session completed
If ACL2 & ACL4 are needed, does it mean that after step 2, 165.202.148.11 will proactively initiate a new session with (source port 1024, dest 5900) to 172.20.14.7?
After 172.20.14.7 receives it and replies with (source port 5900, dest port 1024) to 165.202.148.11. That's why ACL2 and ACL4 are needed?
03-05-2012 10:02 PM
So if we consider this:
172.20.14.7 - Switch A ---- Switch B 165.202.148.11
Then this flow:
Step 1, 172.20.14.7 initiates a session (source port 1024, dest port 5900) VNC to 165.202.148.11 ------ hits the ACL outbound (permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900) ON SWITCH B
And this flow:
165.202.148.11 replies with (source port 5900, dest port 1024) to 172.20.14.7 ------------- does not hit the ACL outbound on switch B, BUT HITS THE ACL OUTBOUND ON SWITCH A - and hits ACL 6 or 8. So ACL 6 and 8 are for return traffic from SWITCH B, and ACL 1 and 3 are for the initial traffic to Switch B.
Same is for switch A.
Hope this helps,
Nik
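The point Nik makes twice in this thread, first for FTP (the reply from the server must be permitted by the other router's outbound ACL) and again here for VNC, can be checked mechanically. The following is an added example, not the poster's or Nik's code: a small stateless evaluator for the IOS extended-ACL syntax used in the thread, run over the thread's own ACLs and over two-packet TCP exchanges. The ephemeral port 1024, the passive-mode data port 50000, the `established` narrowing on the VNC reply entry and the per-router "out" mapping are assumptions made for the demo.

```python
"""Stateless ACL walk-through for the two-router setup in this thread.

Added example, not the poster's or Nik's code. IOS extended ACLs are stateless,
the first matching entry wins, and anything unmatched hits the implicit "deny ip
any any". Router A's "out" ACL sees packets delivered into 172.20.14.0/24,
Router B's those delivered into 165.202.148.0/24. Ports 1024 and 50000 and the
two-packet sessions are assumptions for the demo.
"""
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20}        # IOS port keywords used in the thread
LAN = {"A": "172.20.14.", "B": "165.202.148."}  # router -> the LAN behind its SVI
# ack=True marks every packet after the first SYN (what 'established' tests).
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _endpoint(toks):
    """Consume 'host X' or 'any', then an optional 'eq P' / 'range A B'."""
    addr, toks = (None, toks[1:]) if toks[0] == "any" else (toks[1], toks[2:])
    lo, hi = 0, 65535
    if toks and toks[0] == "eq":
        lo, hi, toks = _port(toks[1]), _port(toks[1]), toks[2:]
    elif toks and toks[0] == "range":
        lo, hi, toks = _port(toks[1]), _port(toks[2]), toks[3:]
    return addr, (lo, hi), toks

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [established]' lines; skip headers."""
    acl = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        src, sp, rest = _endpoint(toks[2:])
        dst, dp, rest = _endpoint(rest)
        acl.append((toks[0], toks[1], src, sp, dst, dp, "established" in rest, line.strip()))
    return acl

def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, proto, src, sp, dst, dp, est, line in acl:
        ports_ok = sp[0] <= pkt.sport <= sp[1] and dp[0] <= pkt.dport <= dp[1]
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src)
                and dst in (None, pkt.dst) and (proto != "tcp" or ports_ok)
                and (pkt.ack or not est)):
            return action, line
    return "deny", "(implicit deny ip any any)"

def trace(acls, pkts):
    """Check each packet against the 'out' ACL of the router that delivers it."""
    result = []
    for p in pkts:
        router = next(r for r, pfx in LAN.items() if p.dst.startswith(pfx))
        result.append((router, *evaluate(acls[router], p)))
    return result

def allowed(acls, pkts):
    return all(action == "permit" for _, action, _ in trace(acls, pkts))

def tcp_session(client, cport, server, sport):
    """Client SYN plus the server's reply: the least a stateless ACL must pass."""
    return [Packet("tcp", client, cport, server, sport),
            Packet("tcp", server, sport, client, cport, ack=True)]

ORIGINAL = {   # the poster's first ACLs: only the client -> server direction
    "A": parse_acl("""
        permit tcp host 165.202.148.11 host 172.20.14.7 range ftp-data ftp
        permit icmp host 165.202.148.11 host 172.20.14.7
        deny ip any host 172.20.14.7
        permit ip any any"""),
    "B": parse_acl("""
        permit tcp host 172.20.14.7 host 165.202.148.11 range ftp-data ftp
        permit icmp host 172.20.14.7 host 165.202.148.11
        deny ip any host 165.202.148.11
        permit ip any any"""),
}
FIXED = {      # Nik's fix: a reversed (source-port 20-21) entry on each router
    "A": parse_acl("permit tcp host 165.202.148.11 range ftp-data ftp host 172.20.14.7") + ORIGINAL["A"],
    "B": parse_acl("permit tcp host 172.20.14.7 range ftp-data ftp host 165.202.148.11") + ORIGINAL["B"],
}
# VNC: ACL3 on B for the first packet; on A the reply entry (ACL8), narrowed
# with 'established' so that a fresh SYN sourced from port 5900 is refused.
VNC_ACLS = {
    "A": parse_acl("permit tcp host 165.202.148.11 eq 5900 host 172.20.14.7 established") + ORIGINAL["A"],
    "B": parse_acl("permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900") + ORIGINAL["B"],
}

FTP_CONTROL = tcp_session("165.202.148.11", 1024, "172.20.14.7", 21)
ACTIVE_DATA = tcp_session("172.20.14.7", 20, "165.202.148.11", 1024)       # server opens it
PASSIVE_DATA = tcp_session("165.202.148.11", 1024, "172.20.14.7", 50000)   # client opens it
VNC = tcp_session("172.20.14.7", 1024, "165.202.148.11", 5900)

if __name__ == "__main__":
    for name, acls, pkts in (("original ftp", ORIGINAL, FTP_CONTROL), ("fixed ftp", FIXED, FTP_CONTROL),
                             ("active data", FIXED, ACTIVE_DATA), ("passive data", FIXED, PASSIVE_DATA),
                             ("vnc", VNC_ACLS, VNC)):
        for router, action, line in trace(acls, pkts):
            print(f"{name:13} router {router}: {action:6} {line}")
```

With the original ACLs the client's SYN is permitted on Router A and the server's reply is dropped on Router B by `deny ip any host 165.202.148.11`, which is exactly the "both sides applied, all FTP fails" symptom. Nik's reversed entries make the control connection and the active-mode data connection (SYN from the server's port 20) pass, but passive mode still fails because the server-chosen data port is not in `range ftp-data ftp`; the `permit ip host ... host ...` replacement the poster asked about covers that at the cost of admitting every protocol between the two hosts. The `established` keyword only tests the ACK/RST bits and is still stateless, so it suits VNC replies but would break active FTP, whose data SYN really does come from port 20.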
03-06-2012 05:29 AM
Dear Nik,
May I ask one more question? My objective is to limit 192.168.1.0/24 to access 165.202.148.100.
If two sets of IP addresses are configured on the same interface with the ACL applied, just like the configuration below, does it work?
interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip address 192.168.1.126 255.255.255.0 secondary
ip access-group GM8_To_DRRMS out
ip access-list extended GM8_To_DRRMS
deny ip any any
or
interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip address 192.168.1.126 255.255.255.0 secondary
ip access-group GM8_To_DRRMS in
ip access-list extended GM8_To_DRRMS
deny ip any any
03-06-2012 07:16 AM
I would avoid a deny any any ACL in your config; it will block everything going out or in on that VLAN. You must explicitly set up source and destination IP addresses and put that on the interface. I guess it is better to split these subnets into two different SVIs if your router supports it; it would be much more logical and clear from an ACL perspective.
Nik