ACL ftp question

acbennyma
Level 1

Dear all,

I need to set up an FTP server and FTP client at both ends (165.202.148.11 & 172.20.14.7). Routing is fine at both ends, and I found that the ACL makes it fail.

Situation
1) When I apply the ACL on both Router A and Router B, all FTP fails (165.202.148.11 & 172.20.14.7 can't FTP to each other)
2) When I apply the ACL on Router A only, 165.202.148.126 can FTP to 172.20.14.7
3) When I apply the ACL on Router B only, 172.20.14.7 can FTP to 165.202.148.126

RouterA
interface Vlan145
ip address 172.20.14.126 255.255.255.0
ip access-group DRRMS_To_GM8 out

ip access-list extended DRRMS_To_GM8
permit tcp host 165.202.148.11 host 172.20.14.7 range ftp-data ftp
permit icmp host 165.202.148.11 host 172.20.14.7
deny  ip any host 172.20.14.7
permit ip any any

****************************************

RouterB
interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip access-group GM8_To_DRRMS out

ip access-list extended GM8_To_DRRMS
permit tcp host 172.20.14.7 host 165.202.148.11 range ftp-data ftp
permit icmp host 172.20.14.7 host 165.202.148.11
deny  ip any host 165.202.148.11
permit ip any any

13 Replies

nkarpysh
Cisco Employee

Hello,

Enabling the ACL on one side, you permit FTP from this side to the remote one, but you are blocking the reply from this side's FTP server to the remote client.

Say you have the ACL enabled on A.

If now A FTPs to B, it will send traffic to FTP 172.20.14.7 port 21, e.g., and it will be allowed by the ACL. If B then sends traffic from 172.20.14.7 to 165.202.148.11 on port 21, that will still be allowed, as your ACL is in the Out direction, so incoming traffic is not filtered. But then 165.202.148.11 will answer back to 172.20.14.7, and this traffic will be blocked, as you are not permitting it in the ACL. That traffic will go to 172.20.14.7 destined to a random port, as side B initiated FTP on a random port.

You need to add this line to the ACL on both sides.

E.G. on A:

permit tcp host 165.202.148.11 range ftp-data ftp host 172.20.14.7    - by this you will allow traffic from FTP server A to the random port that initiated FTP on B.

A similar ACL should be applied on the B side.

Hope this helps,

Nik

HTH,
Niko

Dear Nik,

Thanks for your advice. By the way, can I simply use the new ACL below to replace the previous one?

Previous

ip access-list extended DRRMS_To_GM8
permit tcp host 165.202.148.11 host 172.20.14.7 range ftp-data ftp
permit tcp host 165.202.148.11 range ftp-data ftp host 172.20.14.7

New

ip access-list extended DRRMS_To_GM8
permit ip host 165.202.148.11 host 172.20.14.7

Sure,

That should also do what is needed.

Nik

HTH,
Niko

Dear Nik,

Is my concept in phase 3 wrong? May I ask you about the TCP flow?

1) First 165.202.148.11 [source random port (e.g. 1024), dest port 21] sends traffic to dest IP 172.20.14.7
2) When 172.20.14.7 receives the packet, it will reply with (source port 21, dest port 1024) to 165.202.148.11
3) Then 172.20.14.7 initiates a new connection (source port 1024, dest 20) to 165.202.148.1. And that's why 165.202.148.1 replies with (source port 20, dest port 1024) back to 172.20.14.7. Right?

Basically FTP can work in two modes, active or passive.

In active mode the client opens two sessions to the server on ports 20 and 21 - basically the client opens one on 21 for command control and the server initiates another one from its port 20 for transfer. It will look like:

1) First 165.202.148.11 [source random port (e.g. 1024), dest port 21] sends traffic to dest IP 172.20.14.7

2) When 172.20.14.7 receives the packet, it will reply with (source port 21, dest port 1024) to 165.202.148.11

3) Then 172.20.14.7 initiates a new connection (source port 20, dest 1024) to 165.202.148.1.

So both ports 20 and 21 are opened from the server side.

In passive mode the server is not initiating the transfer connection but the client does it, and it looks like:

1) First 165.202.148.11 [source random port (e.g. 1024), dest port 21] sends traffic to dest IP 172.20.14.7

2) When 172.20.14.7 receives the packet, it will reply with (source port 21, dest port 1024) to 165.202.148.11

3) Then 165.202.148.11 initiates a new connection (source port RANDOM, dest RANDOM (provided by the server in step 2)) to 172.20.14.7.

Nik

HTH,
Niko

Dear Nik,

Apart from the FTP function, I also added a VNC server so that each can work for the other.

Router B ( e.g. VNC server 165.202.148.11 )

interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip access-group GM8_To_DRRMS out

ip access-list extended GM8_To_DRRMS
permit tcp host 172.20.14.7 host 165.202.148.11 eq 5800---ACL1
permit tcp host 172.20.14.7 eq 5800 host 165.202.148.11---ACL2 ---why need to add ?
permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900---ACL3
permit tcp host 172.20.14.7 eq 5900 host 165.202.148.11---ACL4 ---why need to add ?

I expect 172.20.14.7 to directly initiate a VNC session to 165.202.148.11; that's why I need to add ACL 1 & 3.
However, it fails, and I need to add ACL 2 & 4 to make it succeed. Why?

*********************************************************

Router A (e.g. VNC server is 172.20.14.7)

interface Vlan145
ip address 172.20.14.126 255.255.255.0
ip access-group DRRMS_To_GM8 out

ip access-list extended DRRMS_To_GM8
permit tcp host 165.202.148.11 host 172.20.14.7 eq 5800 ---ACL5
permit tcp host 165.202.148.11 eq 5800 host 172.20.14.7----ACL6 ---why need to add ?
permit tcp host 165.202.148.11 host 172.20.14.7 eq 5900----ACL7
permit tcp host 165.202.148.11 eq 5900 host 172.20.14.7----ACL8 ---why need to add ?

I expect 165.202.148.11 to directly initiate a VNC session to 172.20.14.7; that's why I need to add ACL 5 & 7.
However, it fails, and I need to add ACL 6 & 8 to make it succeed. Why?

Hello,

As far as I see, you need those records for the same reason as for FTP. First of all you need to understand what ip access-group GM8_To_DRRMS out means on an SVI.

SVI out direction means traffic flowing out of the physical port which belongs to the SVI VLAN. If you have two ports within the same VLAN, one of which is the incoming port for the LAN and the other the port for the WAN, then there will be 2 different OUT directions for that SVI: one out of the switch to the LAN and another out of the switch to the WAN.

I'm not sure how your ports are configured, thus I can't elaborate here, but I guess you are just misinterpreting the VLAN out direction.

If possible, it would be helpful if you drew a diagram and provided the config for the ports on the way.

From what I see, ACL2 and ACL4 above are just needed for "165.202.148.11 directly initiating a VNC session to 172.20.14.7," and they do not match the traffic from 165.202.148.11 to 172.20.14.7. It seems that your SVI is for the local LAN and the out direction for it will be pointing to the LAN and not to the WAN.

Please double check.

Nik

HTH,
Niko

Dear Nik,

Attached is my diagram for your reference.

So your diagram explains the thing:

Looking at the config again:

interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip access-group GM8_To_DRRMS out

ip access-list extended GM8_To_DRRMS
permit tcp host 172.20.14.7 host 165.202.148.11 eq 5800---ACL1
permit tcp host 172.20.14.7 eq 5800 host 165.202.148.11---ACL2 ---why need to add ?
permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900---ACL3
permit tcp host 172.20.14.7 eq 5900 host 165.202.148.11---ACL4 ---why need to add ?

ACL 2 and 4 are needed because those allow return traffic from the VNC server to pass to 165.202.148.11 in the example above. Return traffic is indeed

172.20.14.7 eq 5800 host 165.202.148.11 RANDOM port, which initiated the connection. Without those lines return traffic will be examined by the last default ACL line, which is "deny any any".

Similar for the config on the other side's switch.

Hope this is clear.

Nik

HTH,
Niko

Dear Nik,

Sorry, can I clarify one thing? My understanding is (assume 172.20.14.7 is the VNC client, 165.202.148.11 is the VNC server):

Step 1, 172.20.14.7 initiates a VNC session (source port 1024, dest port 5900) to 165.202.148.11 ------ hits the ACL outbound (permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900)
Step 2, 165.202.148.11 replies with (source port 5900, dest port 1024) to 172.20.14.7 ------------- does not hit the ACL outbound
Step 3, session completed

If ACL2 & ACL4 are needed, does it mean that after step 2, 165.202.148.11 will proactively initiate a new session with (source port 1024, dest 5900) to 172.20.14.7?
After 172.20.14.7 receives it and replies with (source port 5900, dest port 1024) to 165.202.148.11. That's why ACL2 and ACL4 are needed?

So if we consider this:

172.20.14.7 - Switch A ---- Switch B 165.202.148.11

Then this flow:

Step 1, 172.20.14.7 initiates a VNC session (source port 1024, dest port 5900) to 165.202.148.11 ------ hits the ACL outbound (permit tcp host 172.20.14.7 host 165.202.148.11 eq 5900) ON SWITCH B

And this flow:

165.202.148.11 replies with (source port 5900, dest port 1024) to 172.20.14.7 ------------- does not hit the ACL outbound on switch B, BUT HITS THE ACL OUTBOUND ON SWITCH A, and hits ACL 6 or 8. So ACL 6 and 8 are for return traffic from SWITCH B, and ACL 1 and 3 are for the initial traffic to Switch B.

The same goes for switch A.

Hope this helps,

Nik

HTH,
Niko
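The flows in Nik's answers (the FTP control/data channels in active and passive mode, and the VNC reply that only ACL 6/8 can match) can be replayed against a stateless model of the two outbound ACLs. The script below is an added example, not part of the original thread or of any Cisco software: it implements the first-match, implicit-deny evaluation of an IOS extended access-list in plain Python and runs each packet through the ACL of the router whose LAN holds the destination, which is what "out" on the SVI means in the topology above. The hosts and ACL entries are the ones posted in the thread; the ephemeral ports 1024 and 1025, the PASV data port 50000 and the router names are assumptions for the walk-through.

```python
"""Stateless ACL replay of the FTP and VNC flows in this thread (added example, not
from the original post). Models first-match, implicit-deny evaluation of a Cisco IOS
extended ACL and checks each packet against the outbound ACL of the router whose LAN
holds the destination. Ports 1024/1025 and the PASV data port 50000 are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

ANY = (0, 65535)  # port range for entries without an eq/range keyword

@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp" or "icmp"
    src: str                # host address or "any"
    sport: Tuple[int, int]  # inclusive source-port range
    dst: str
    dport: Tuple[int, int]  # inclusive destination-port range

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; index None is the implicit deny at the end of the list."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.src not in ("any", pkt.src) or ace.dst not in ("any", pkt.dst):
            continue
        if ace.proto == "tcp" and not (ace.sport[0] <= pkt.sport <= ace.sport[1]
                                       and ace.dport[0] <= pkt.dport <= ace.dport[1]):
            continue
        return ace.action, idx
    return "deny", None

A, B = "165.202.148.11", "172.20.14.7"
FTP = (20, 21)  # "range ftp-data ftp"
# Router A filters "out" on its SVI facing 172.20.14.0/24, Router B on its SVI facing
# 165.202.148.0/24: a packet meets the ACL of the router whose LAN holds its destination.
SVI = {"RouterA": ip_network("172.20.14.0/24"), "RouterB": ip_network("165.202.148.0/24")}

def trace(pkts: List[Packet], acls: Dict[str, List[Ace]]) -> List[Tuple[str, str, Optional[int]]]:
    """(router, action, matching entry index) for each packet of a flow, in order."""
    out = []
    for pkt in pkts:
        router = next(r for r, net in SVI.items() if ip_address(pkt.dst) in net)
        out.append((router,) + evaluate(acls[router], pkt))
    return out

def blocked(pkts: List[Packet], acls: Dict[str, List[Ace]]) -> List[int]:
    """Positions of the packets in the flow that would be dropped."""
    return [i for i, (_, action, _) in enumerate(trace(pkts, acls)) if action == "deny"]

def tcp(src: str, sport: int, dst: str, dport: int) -> Packet:
    return Packet("tcp", src, sport, dst, dport)

# FTP: A is the client, B the server. Active mode: server connects from port 20 to the
# client's data port. Passive mode: client connects to the port the server announced.
FTP_ACTIVE = [tcp(A, 1024, B, 21), tcp(B, 21, A, 1024), tcp(B, 20, A, 1025), tcp(A, 1025, B, 20)]
FTP_PASSIVE = [tcp(A, 1024, B, 21), tcp(B, 21, A, 1024), tcp(A, 1025, B, 50000), tcp(B, 50000, A, 1025)]

def ftp_acls(extra_a: Iterable[Ace] = (), extra_b: Iterable[Ace] = ()) -> Dict[str, List[Ace]]:
    """The thread's original FTP ACLs, with optional entries placed in front of them."""
    tail_a = [Ace("permit", "tcp", A, ANY, B, FTP), Ace("permit", "icmp", A, ANY, B, ANY),
              Ace("deny", "ip", "any", ANY, B, ANY), Ace("permit", "ip", "any", ANY, "any", ANY)]
    tail_b = [Ace("permit", "tcp", B, ANY, A, FTP), Ace("permit", "icmp", B, ANY, A, ANY),
              Ace("deny", "ip", "any", ANY, A, ANY), Ace("permit", "ip", "any", ANY, "any", ANY)]
    return {"RouterA": list(extra_a) + tail_a, "RouterB": list(extra_b) + tail_b}

ORIGINAL = ftp_acls()
RANGE_FIX = ftp_acls([Ace("permit", "tcp", A, FTP, B, ANY)],  # Nik's "range ftp-data ftp" on the source
                     [Ace("permit", "tcp", B, FTP, A, ANY)])
HOST_PAIR = ftp_acls([Ace("permit", "ip", A, ANY, B, ANY)],   # the "permit ip host ... host ..." variant
                     [Ace("permit", "ip", B, ANY, A, ANY)])

# VNC: B is the client, A the server on 5900; the reply goes back to B's ephemeral port.
VNC = [tcp(B, 1024, A, 5900), tcp(A, 5900, B, 1024)]

def vnc_acls(with_reverse: bool) -> Dict[str, List[Ace]]:
    """ACL1/3 and ACL5/7 always; ACL2/4 and ACL6/8 (eq on the source port) only if requested."""
    fwd_b = [Ace("permit", "tcp", B, ANY, A, (p, p)) for p in (5800, 5900)]  # ACL1, ACL3
    rev_b = [Ace("permit", "tcp", B, (p, p), A, ANY) for p in (5800, 5900)]  # ACL2, ACL4
    fwd_a = [Ace("permit", "tcp", A, ANY, B, (p, p)) for p in (5800, 5900)]  # ACL5, ACL7
    rev_a = [Ace("permit", "tcp", A, (p, p), B, ANY) for p in (5800, 5900)]  # ACL6, ACL8
    return {"RouterB": fwd_b + (rev_b if with_reverse else []),
            "RouterA": fwd_a + (rev_a if with_reverse else [])}

if __name__ == "__main__":
    for label, flow, acls in [("active FTP, original ACLs", FTP_ACTIVE, ORIGINAL),
                              ("active FTP, reverse range entries", FTP_ACTIVE, RANGE_FIX),
                              ("passive FTP, reverse range entries", FTP_PASSIVE, RANGE_FIX),
                              ("passive FTP, permit ip host/host", FTP_PASSIVE, HOST_PAIR),
                              ("VNC without ACL2/4/6/8", VNC, vnc_acls(False)),
                              ("VNC with ACL2/4/6/8", VNC, vnc_acls(True))]:
        print(f"{label}: dropped {blocked(flow, acls)} {trace(flow, acls)}")
```

Running it reproduces the thread's observations: with the original ACLs on both routers the server's port-21 reply from 172.20.14.7 is dropped by Router B's `deny ip any host 165.202.148.11` entry, which is why every FTP attempt failed when both ACLs were in place. The reverse `range ftp-data ftp` entries let active-mode FTP through, but passive mode still fails, because the data connection goes to a server port chosen at run time that no port-based entry covers; the `permit ip host 165.202.148.11 host 172.20.14.7` pair that the poster proposed covers both modes. For VNC the client's SYN is matched by ACL 3 on Router B and the server's reply only by ACL 8 on Router A, so without ACL 6/8 the reply falls through to the implicit deny. One caveat for anyone adopting the reverse entries: they are stateless, so they also permit brand-new connections sourced from 5800/5900 or 20/21; IOS's `established` keyword (`permit tcp host X host Y established`) restricts an entry to segments with ACK or RST set and so passes replies without opening the reverse direction to new SYNs, but it cannot replace the entry for active-mode FTP, where the server itself opens the data connection from port 20.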

Dear Nik,

May I ask one more question? My objective is to limit 192.168.1.0/24 from accessing 165.202.148.100.
If two sets of IP addresses are configured on the same interface with an applied ACL, just like the configuration below, does it work?

interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip address 192.168.1.126 255.255.255.0 secondary
ip access-group GM8_To_DRRMS out

ip access-list extended GM8_To_DRRMS
deny ip any any

or

interface Vlan145
ip address 165.202.148.126 255.255.255.0
ip address 192.168.1.126 255.255.255.0 secondary
ip access-group GM8_To_DRRMS in

ip access-list extended GM8_To_DRRMS
deny ip any any

I would avoid a deny any any ACL in your config; it will block everything going out or in on that VLAN. You must explicitly set up source and destination IP addresses and put that on the interface. I guess it is better to split these subnets into two different SVIs if your router supports it; it would be much more logical and clear from an ACL perspective.

Nik

HTH,
Niko