Having a problem with FTP through an access list
Hi guys, I am currently having problems trying to get FTP working through an access list applied to the inside interface of a VLAN.
OK, here is the situation: I have an ESX box that backs onto a 2691 router and uses dot1Q in a router-on-a-stick style config (a 3560 switch will be purchased soon, I hope).
Anyway, I would like to have all the virtual networks completely separate, apart from all being accessible from one and all being able to get to an internal FTP site.
So what I have done is applied an access list inbound on the sub-interface on the router.
This seems to work well on all apart from FTP: the authentication works, then that is it, nothing. I have tried:
permit tcp any host a.a.a.a eq ftp-data
permit tcp any host a.a.a.a eq ftp-data gt 1024
permit tcp any host a.a.a.a eq ftp-data established
permit tcp any host a.a.a.a eq ftp-data gt 1024 established
The errors I get from logging the deny statement:
deny ip any a.a.a.a 0.255.255.255
%SEC-6-IPACCESSLOGP: list Access list denied tcp b.b.b.b(4034) -> a.a.a.a(1352), 1 packet
If someone can tell me what I am doing wrong it would be great.
Thank you in advance
J
Comments
dtlokee
That denied packet does not seem to be an FTP packet.
FTP is a protocol that uses 2 connections: 1 for control, 1 for data transfer. The control connection will be established from the client on a random port greater than 1023 (you used 1024) to server port 21. The connection for the data transfer will be established from the client side or the server side depending on whether the client is in active or passive mode. Your ACL has only taken into account the data port. You need something like this:
permit tcp host <client ip> gt 1023 host <server-ip> eq 20
permit tcp host <client ip> gt 1023 host <server-ip> eq 21
That assumes that the packets are hitting the ACL going from the client to the server, but I think you are doing it the other way around so you need to swap the client and server if that is the case.
permit tcp host <server-ip> eq 20 host <client ip> gt 1023
permit tcp host <server-ip> eq 21 host <client ip> gt 1023
BADfish10
Hi, thanks for your response so far.
I have entered:
permit tcp any gt 1023 host b.b.b.b eq 20
permit tcp any gt 1023 host b.b.b.b eq 21
permit tcp host b.b.b.b eq 20 any gt 1023
permit tcp host b.b.b.b eq 21 any gt 1023
Just a blanket attempt.
What I receive back:
%SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1465) -> b.b.b.b(2361), 1 packet
%SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1467) -> b.b.b.b(2363), 1 packet
%SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1469) -> b.b.b.b(2365), 1 packet
This is a Windows 2003 R2 server to a 2003 R2 IIS-based FTP.
I know this traffic only occurs when I try to FTP to host b.
Just to clear up, a diagram:
Client
ACL(in)--interface---interface
Server
Any help gratefully received.
Thanks Again
J
dtlokee
Those denied packets may not have anything to do with the FTP traffic. Add the "log" keyword to the permit lines as well so you can see if you are getting hits on them when you attempt to use FTP.
BADfish10
I will add the log statement and post back.
Another test done: on show ip access-list you only see the permit FTP line increment and not the permit ftp-data line.
For the record, the authentication works but the data does not.
Another test I did was to add a permit tcp any host b.b.b.b range 2350 4860; once this was added FTP worked as expected until the destination port left the range.
I am going to rebuild the access list with log statements and post the results.
thanks again
J
BADfish10
OK, so I added log statements to ftp, ftp-data
and the deny.
All I got on the console is ftp allow, nothing else, but it still does not work.
Doing a sh ip access-list
shows the permit ftp line counter incrementing
and shows the deny line counter incrementing, nothing else.
I have been reading round the web and have found
permit tcp any gt 1023 host b.b.b.b range 1023 4096
Seems a bit of a drastic step to me.
Any comment would be great
Thanks
J
dtlokee
Do you have the permit FTP and permit FTP data lines at the top of the ACL before any deny statements?
BADfish10
Yes,
10 and 20 (Cisco 10, 20 = 1, 2).
The only deny in the ACL is at 60.
Thanks
J
Panzer919
Try opening up your ACL to allow any FTP traffic to any device.
permit tcp any any eq ftp
deny any
See if this still blocks it.
BADfish10
Panzer919 wrote: »Try opening up your ACL to allow any FTP traffic to any device.
permit tcp any any eq ftp
deny any
See if this still blocks it.
Without the FTP-DATA line.
Will try just that with the log command on both and post back.
J
BADfish10
OK, here we go:
ip access-list extended FTP
permit tcp any any eq ftp log
deny ip any any log
%SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3916) -> b.b.b.b(21), 1 packet
%SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3917) -> b.b.b.b(21), 1 packet
%SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3919) -> b.b.b.b(21), 1 packet
%SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3921) -> b.b.b.b(21), 1 packet
Extended IP access list FTP
10 permit tcp any any eq ftp log (34 matches)
20 deny ip any any log (12 matches)
And it failed: no deny log generated, but as you can see the ACL matched
and FTP is still not working.
Cheers
James
networker050184
Have you tried with no ACL to make sure it works at all?
If it does, then throw up a sniffer and see what you are missing.
dtlokee
Add a "permit tcp any any eq 20"
BADfish10
It works fine without the ACL.
ip access-list extended FTP
permit tcp any any eq ftp log
permit tcp any any eq FTP-DATA log
deny ip any any log
Extended IP access list FTP
10 permit tcp any any eq ftp log (35 matches)
20 permit tcp any any eq ftp-data log
30 deny ip any any log (10 matches)
I did type eq 20 but the device turned it into ftp-data, as expected.
It sort of feels like the client contacts the server, shakes hands, then the server says "contact me on a port between 1023 and 4096 for your FTP data".
This hits the ACL and fails.
any ideas would be great
Many thanks
J
jason_lunde
Try throwing on an ACL with the established commands in again....
being lines 30 and 40 appended to your previous post's output.
Extended IP access list FTP
10 permit tcp any any eq ftp log (35 matches)
20 permit tcp any any eq ftp-data log
30 permit tcp any any eq ftp established log
40 permit tcp any any eq ftp-data established log
50 deny ip any any log (10 matches)
See if that does it.
Jason
BADfish10
jason_lunde wrote: »Try throwing on an ACL with the established commands in again....
being lines 30 and 40 appended to your previous posts output.
Extended IP access list FTP
10 permit tcp any any eq ftp log (35 matches)
20 permit tcp any any eq ftp-data log
30 permit tcp any any eq ftp established log
40 permit tcp any any eq ftp-data established log
50 deny ip any any log (10 matches)
See if that does it.
Jason
The result is the same
Extended IP access list FTP
10 permit tcp any any eq ftp log (35 matches)
20 permit tcp any any eq ftp-data log
30 permit tcp any any eq ftp established log
40 permit tcp any any eq ftp-data established log
50 deny ip any any log (11 matches)
Well, nearly: it still does the authentication and then nothing. Can't believe FTP is such a pig through a basic ACL.
Well, any help well received.
Thanks All
J
networker050184
Have you tried to use Wireshark or another sniffer to see what you are missing?
Panzer919
I understand that FTP is connection oriented, but are there UDP or IP control packets that have to traverse? Have you thought about opening the ACL for TCP, IP and UDP traffic to see if it still gets blocked?
If that still fails you could try doing the ACL a different way. What if you deny specific traffic and permit tcp any any?
BADfish10
As far as I can see and tell, only TCP is used.
I may have to light Wireshark up, but as said, a solution is to use
permit tcp any gt 1023 host b.b.b.b range 1023 4096
This is at least not the whole TCP port range, but I am not happy that there is not just a key command I am missing.
It does say that this is TCP only.
I would have thought the established would have done it, as it is an established connection, but no.
Doing the ACL in a different way may work; I will try later, but in all honesty blocking in reverse will grow an ACL from 5 statements to like 50 and I am sure that it will open up a good chance to leave ports open that I would not like.
keep the ideas coming
Cheers
J
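An added example, not written by anyone in this thread, to show why the posted ACL behaves as the logs above report: a small Python model of Cisco extended-ACL matching on TCP port operators and the established keyword, run over packets modelled on the logged flows. The ACEs, the logged ports and the 1023-4096 range come from the thread; the ack flag is an assumption standing in for the TCP ACK/RST bits that established checks.

```python
from dataclasses import dataclass

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    sport: tuple = None          # ("eq", 21), ("gt", 1023), ("range", 1023, 4096); None = any
    dport: tuple = None
    established: bool = False    # "established": matches only when ACK or RST is set

@dataclass
class Packet:
    sport: int
    dport: int
    ack: bool = False            # assumption: False for the initial SYN of a connection

def port_match(cond, port):
    if cond is None:
        return True
    op, *args = cond
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown operator {op}")

def evaluate(acl, pkt):
    """Return (action, ACE index) of the first match; ("deny", None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.established and not pkt.ack:
            continue                 # a bare SYN never matches an established line
        if port_match(ace.sport, pkt.sport) and port_match(ace.dport, pkt.dport):
            return ace.action, i
    return "deny", None

# The ACL from the thread (sequence 10-50), applied inbound on the client-facing interface
POSTED_ACL = [
    Ace("permit", dport=("eq", 21)),
    Ace("permit", dport=("eq", 20)),
    Ace("permit", dport=("eq", 21), established=True),
    Ace("permit", dport=("eq", 20), established=True),
    Ace("deny"),
]
# Alternative from the thread: control port plus a restricted passive data range
PASV_RANGE_ACL = [Ace("permit", dport=("eq", 21)),
                  Ace("permit", sport=("gt", 1023), dport=("range", 1023, 4096)), Ace("deny")]

# Constructed packets (client -> server) modelled on the thread's log lines
CONTROL_SYN = Packet(3916, 21)                 # logged as permitted by sequence 10
PASV_DATA_SYN = Packet(1465, 2361)             # logged as denied: server-chosen PASV port
ACTIVE_DATA_ACK = Packet(1466, 20, ack=True)   # client's reply when the server connects from port 20
```

In active mode the data connection is opened by the server from port 20, so the inbound ACL only ever sees the client's replies to port 20, which line 20 permits; in passive mode the client's SYN goes to a high server port that none of the eq 20/21 lines match, and established cannot help because a SYN has no ACK bit.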
Cyanic
I don't see a clean way for an ACL, as you would have to allow any to the server for high ports. I found this; looks dangerous though.
Active FTP vs Passive FTP Cisco Notepad
! Passive FTP
permit tcp any host 150.1.4.1 eq ftp
permit tcp any host 150.1.4.1 range 1023 65535
I am not a Windows expert, but can you change your server to only use active FTP, then use the FTP ACL commands?
creamy_stew
I don't think there's any way around this. Some FTP servers allow you to specify a limited port range to use for PASV though; that way you only have to allow those ports through. I know ServU does, probably others.
Cyanic
Sounds like a stateful firewall that can look into the application data is really what is needed.
Forsaken_GA
creamy_stew wrote: »I don't think there's any way around this. Some FTP servers allow you to specify a limited port range to use for PASV though; that way you only have to allow those ports through. I know ServU does, probably others.
proftpd allows you to define a passive range, and I believe vsftpd does as well. This is a common problem, so I would not use any FTP daemon that hasn't evolved well enough to support it.
APA
Any particular reason you are using passive mode?
If possible I would enable active mode... then configure the following if you don't have any packet inspection to eye the return data port (20) and allow it through.
permit tcp host a.a.a.a host b.b.b.b eq 21
permit tcp host a.a.a.a host b.b.b.b eq 20
Make sure the server can contact the client on ports >1023.