Having a problem with FTP through an access list

BADfish10 (Member, Posts: 88)
Hi guys, I am currently having problems trying to get FTP working through an access list applied to the inside interface of a VLAN.

OK, here is the situation: I have an ESX box that backs onto a 2691 router and uses dot1Q in a router-on-a-stick style config (a 3560 switch will be purchased soon, I hope).

Anyway, I would like to have all the virtual networks completely separate, apart from all being reachable from one network and all being able to get to an internal FTP site.

So what I have done is apply an access list inbound on the subinterface on the router.
This seems to work well for everything apart from FTP: the authentication works, then that is it, despite everything I have tried:

permit tcp any host a.a.a.a eq ftp-data
permit tcp any host a.a.a.a eq ftp-data gt 1024
permit tcp any host a.a.a.a eq ftp-data established
permit tcp any host a.a.a.a eq ftp-data gt 1024 established

The errors I get when logging the deny statement:
deny ip any a.a.a.a 0.255.255.255
%SEC-6-IPACCESSLOGP: list Access list denied tcp b.b.b.b(4034) -> a.a.a.a(1352), 1 packet

If someone can tell me what I am doing wrong, it would be great.

Thank you in advance.

J

Comments

  • dtlokee (Member, Posts: 2,378)
    That denied packet does not seem to be an FTP packet.

    FTP is a protocol that will use 2 connections, 1 for control 1 for data transfer. The control will be established from the client on a random port greater than 1023 (you used 1024) to the server port of 21 for control. The connection for the data transfer will be established from the client side or the server side depending on the active or passive mode of the client. Your acl has only taken into account the data port. You need something like this:

    permit tcp host <client ip> gt 1023 host <server-ip> eq 20
    permit tcp host <client ip> gt 1023 host <server-ip> eq 21

    That assumes that the packets are hitting the ACL going from the client to the server, but I think you are doing it the other way around so you need to swap the client and server if that is the case.

    permit tcp host <server-ip> eq 20 host <client ip> gt 1023
    permit tcp host <server-ip> eq 21 host <client ip> gt 1023
    The only easy day was yesterday!
  • BADfish10 (Member, Posts: 88)
    Hi, thanks for your response so far.

    I have entered:

    permit tcp any gt 1023 host b.b.b.b eq 20
    permit tcp any gt 1023 host b.b.b.b eq 21
    permit tcp host b.b.b.b eq 20 any gt 1023
    permit tcp host b.b.b.b eq 21 any gt 1023

    Just a blanket attempt. What I receive back:

    %SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1465) -> b.b.b.b(2361), 1 packet
    %SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1467) -> b.b.b.b(2363), 1 packet
    %SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1469) -> b.b.b.b(2365), 1 packet

    This is a Windows 2003 R2 server to a 2003 R2 IIS-based FTP server.
    I know this traffic only occurs when I try to FTP to host b.

    Just to clear up the diagram:
    Client
    ACL(in)--interface---interface
    Server

    Any help gratefully received.

    Thanks Again

    J
  • dtlokee (Member, Posts: 2,378)
    Those denied packets may not have anything to do with the FTP traffic. Add the "log" keyword to the permit lines as well so you can see if you are getting hits on them when you attempt to use FTP.
  • BADfish10 (Member, Posts: 88)
    I will add the log statement and post back.

    Another test done: on a show ip access-list you only see the permit ftp line increment, not the permit ftp-data line.
    For the record, the authentication works but the data does not.
    Another test I did was to add a permit tcp any host b.b.b.b range 2350 4860; once this was added, FTP worked as expected until the destination port left the range.
    I am going to rebuild the access list with log statements and post the results.

    thanks again

    J
  • BADfish10 (Member, Posts: 88)
    OK, so I added log statements to ftp, ftp-data and the deny.
    All I got on the console is the ftp permit, nothing else, but it still does not work.
    Doing a sh ip access-list shows the permit ftp line counter incrementing and the deny line counter incrementing, nothing else.

    I have been reading around the web and have found
    permit tcp any gt 1023 host b.b.b.b range 1023 4096
    which seems a bit of a drastic step to me.

    Any comment would be great

    Thanks

    J
  • dtlokee (Member, Posts: 2,378)
    Do you have the permit FTP and permit FTP Data lines at the top of the ACL before any deny statements?
  • BADfish10 (Member, Posts: 88)
    Yes.

    10 and 20 (Cisco sequence numbers 10 and 20, i.e. lines 1 and 2).

    The only deny in the ACL is at 60.

    Thanks

    J
  • Panzer919 (Member, Posts: 462)
    Try opening up your ACL to allow any FTP traffic to any device.

    permit tcp any any eq ftp
    deny any

    see if this still blocks it.
    Cisco Brat Blog

    I think “very senior” gets stuck in there because the last six yahoos that applied for the position couldn’t tell a packet from a Snickers bar.

    Luck is where opportunity and proper planning meet

    I have not failed. I've just found 10,000 ways that won't work.
    Thomas A. Edison
  • BADfish10 (Member, Posts: 88)
    Panzer919 wrote:
    Try opening up your ACL to allow any FTP traffic to any device.

    permit tcp any any eq ftp
    deny any

    see if this still blocks it.

    Without the FTP-DATA line.
    I will try just that, with the log command on both, and post back.


    J
  • BADfish10 (Member, Posts: 88)
    OK, here we go.

    ip access-list extended FTP
    permit tcp any any eq ftp log
    deny ip any any log

    %SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3916) -> b.b.b.b(21), 1 packet
    %SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3917) -> b.b.b.b(21), 1 packet
    %SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3919) -> b.b.b.b(21), 1 packet
    %SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3921) -> b.b.b.b(21), 1 packet

    Extended IP access list FTP
    10 permit tcp any any eq ftp log (34 matches)
    20 deny ip any any log (12 matches)
    And it failed: no deny log was generated, but as you can see the ACL matched,
    and FTP is still not working.

    Cheers

    James
  • networker050184 (Mod, Posts: 11,962)
    Have you tried with no ACL to make sure it works at all?

    If it does then throw up a sniffer and see what you are missing.
    An expert is a man who has made all the mistakes which can be made.
  • dtlokee (Member, Posts: 2,378)
    Add a "permit tcp any any eq 20"
  • BADfish10 (Member, Posts: 88)
    It works fine without the ACL.

    ip access-list extended FTP
    permit tcp any any eq ftp log
    permit tcp any any eq FTP-DATA log
    deny ip any any log

    Extended IP access list FTP
    10 permit tcp any any eq ftp log (35 matches)
    20 permit tcp any any eq ftp-data log
    30 deny ip any any log (10 matches)

    I did type eq 20 but the device turned it into ftp-data, as expected.
    It sort of feels like the client contacts the server, shakes hands, then the server says "contact me on a port between 1023 and 4096 for your FTP data".
    This hits the ACL and fails.

    any ideas would be great

    Many thanks

    J
  • jason_lunde (Member, Posts: 567)
    Try throwing an ACL with the established commands on again,
    being lines 30 and 40 appended to your previous post's output.

    Extended IP access list FTP
    10 permit tcp any any eq ftp log (35 matches)
    20 permit tcp any any eq ftp-data log
    30 permit tcp any any eq ftp established log
    40 permit tcp any any eq ftp-data established log
    50 deny ip any any log (10 matches)

    See if that does it.

    Jason
  • BADfish10 (Member, Posts: 88)
    jason_lunde wrote:
    Try throwing an ACL with the established commands on again,
    being lines 30 and 40 appended to your previous post's output.

    Extended IP access list FTP
    10 permit tcp any any eq ftp log (35 matches)
    20 permit tcp any any eq ftp-data log
    30 permit tcp any any eq ftp established log
    40 permit tcp any any eq ftp-data established log
    50 deny ip any any log (10 matches)

    See if that does it.

    Jason

    The result is the same

    Extended IP access list FTP
    10 permit tcp any any eq ftp log (35 matches)
    20 permit tcp any any eq ftp-data log
    30 permit tcp any any eq ftp established log
    40 permit tcp any any eq ftp-data established log
    50 deny ip any any log (11 matches)

    Well, nearly: it still does the authentication and then nothing. I can't believe FTP is such a pig through a basic ACL.
    Well, any help well received.

    Thanks All

    J
  • networker050184 (Mod, Posts: 11,962)
    Have you tried to use wireshark or other sniffer to see what you are missing?
  • Panzer919 (Member, Posts: 462)
    I understand that FTP is connection oriented but are there UDP or IP control packets that have to traverse? Have you thought about opening the ACL for TCP, IP and UDP traffic to see if it still gets blocked?

    If that still fails you could try doing the ACL a different way. What if you deny specific traffic and permit tcp any any?
  • BADfish10 (Member, Posts: 88)
    As far as I can see and tell, only TCP is used.
    I may have to light Wireshark up, but as said, a solution is to use

    permit tcp any gt 1023 host b.b.b.b range 1023 4096
    This is at least not the whole TCP port range, but I am not happy that there is not just a key command I am missing.
    It does say that this is TCP only.

    I would have thought the established keyword would have done it, as it is an established connection, but no.

    Doing the ACL in a different way may work, and I will try it later, but in all honesty blocking in reverse will grow an ACL from 5 statements to something like 50, and I am sure it will open up a good chance of leaving ports open that I would not like.

    keep the ideas coming

    Cheers

    J
  • Cyanic (Member, Posts: 289)
    I don't see a clean way for an ACL as you would have to allow any to server for high ports. I found this, looks dangerous though.

    Active FTP vs Passive FTP Cisco Notepad
    ! Passive FTP
    permit tcp any host 150.1.4.1 eq ftp
    permit tcp any host 150.1.4.1 range 1023 65535

    I am not a Windows expert but can you change your server to only use Active FTP, then use the FTP ACL commands?
  • creamy_stew (Member, Posts: 406)
    I don't think there's any way around this. Some FTP servers allow you specify a limited port range to use for PASV though, that way you only have to allow those ports through. I know ServU does, probably others.
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • Cyanic (Member, Posts: 289)
    Sounds like a stateful firewall that can look into the application data is really what is needed.
  • e24ohm (Member, Posts: 151)
    creamy_stew wrote:
    I don't think there's any way around this. Some FTP servers allow you specify a limited port range to use for PASV though, that way you only have to allow those ports through. I know ServU does, probably others.
    Yes, that is a good point, ServU does allow you to do this... wow... I haven't seen ServU mentioned in over 8 years. I didn't even know it was still around, or being used. I used ServU on my old Windows 95 system.
    Utini!
  • Forsaken_GA (Member, Posts: 4,024)
    creamy_stew wrote:
    I don't think there's any way around this. Some FTP servers allow you specify a limited port range to use for PASV though, that way you only have to allow those ports through. I know ServU does, probably others.

    proftpd allows you to define a passive range, and I believe vsftpd does as well. This is a common problem, so I would not use any FTP daemon that hasn't evolved well enough to support it.
  • APA (Member, Posts: 959)
    Any particular reason you are using Passive mode?

    If possible I would enable active mode... then configure the following if you don't have any packet inspection to eye the return data port (20) and allow it through.

    permit tcp host a.a.a.a host b.b.b.b eq 21
    permit tcp host a.a.a.a host b.b.b.b eq 20

    Make sure the server can contact the client on ports >1023

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
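    The behaviour the thread keeps circling (dtlokee's two-connection explanation, BADfish10's guess that the server answers "contact me on a high port", creamy_stew's pinned PASV range, and APA's active-mode suggestion) can be checked without a router. The following is an added example, not code from the thread: it models a stateless extended ACL applied inbound on the client-facing subinterface, parses the h1,h2,h3,h4,p1,p2 tuple that PORT and the 227 PASV reply carry, and evaluates the first client-to-server packet of the data connection in each mode. The addresses, the control-channel lines and the 1023-4096 passive range are constructed for the example; the thread only shows a.a.a.a and b.b.b.b.

```python
"""Stateless ACL vs. active and passive FTP: an added simulation, not from the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed addresses standing in for the thread's a.a.a.a (client) and b.b.b.b (server).
CLIENT = "10.0.1.20"
SERVER = "10.0.0.5"
FTP, FTP_DATA = 21, 20


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # ACK bit set; False only on the initial SYN of a connection


@dataclass(frozen=True)
class Ace:
    """One line of an extended IP ACL (TCP only, which is all FTP needs)."""
    action: str                       # "permit" or "deny"
    src: str = "any"
    sport: Optional[tuple] = None     # ("eq", 21) / ("gt", 1023) / ("range", lo, hi)
    dst: str = "any"
    dport: Optional[tuple] = None
    established: bool = False         # IOS 'established': ACK (or RST) bit set


def _port_ok(op, port):
    if op is None:
        return True
    if op[0] == "eq":
        return port == op[1]
    if op[0] == "gt":
        return port > op[1]
    if op[0] == "range":
        return op[1] <= port <= op[2]
    raise ValueError(op)


def evaluate(acl, pkt):
    """Top-down, first match wins, implicit 'deny ip any any' at the end, like IOS."""
    for ace in acl:
        if (ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)
                and _port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport)
                and (pkt.ack or not ace.established)):
            return ace.action
    return "deny"


_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by both PORT and the 227 PASV reply."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError(f"no host/port tuple in {line!r}")
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


# The ACL as posted in the thread: ftp, ftp-data, the two 'established' lines, then deny.
THREAD_ACL = [
    Ace("permit", dport=("eq", FTP)),
    Ace("permit", dport=("eq", FTP_DATA)),
    Ace("permit", dport=("eq", FTP), established=True),
    Ace("permit", dport=("eq", FTP_DATA), established=True),
    Ace("deny"),
]

# Constructed control-channel lines (not taken from the thread's logs).
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,9,57)."  # server: connect to me on 2361
PORT_CMD = "PORT 10,0,1,20,5,185"                          # client: connect to me on 1465


def first_inbound_data_packet(mode, acl=THREAD_ACL):
    """First data-connection packet that crosses the inbound ACL (client -> server) and its verdict."""
    if mode == "passive":
        host, port = parse_hostport(PASV_REPLY)
        pkt = Packet(CLIENT, 1467, host, port, ack=False)  # the client's bare SYN to the high port
    elif mode == "active":
        host, port = parse_hostport(PORT_CMD)
        # The server's SYN from port 20 to CLIENT:1465 travels server -> client and never meets
        # an inbound ACL on the client side; the first client -> server packet is the SYN/ACK.
        pkt = Packet(host, port, SERVER, FTP_DATA, ack=True)
    else:
        raise ValueError(mode)
    return pkt, evaluate(acl, pkt)


# creamy_stew's fix: pin the server's passive range and permit only that range to the server.
# 1023-4096 is an assumed configured value, not anything observed in the thread.
PASV_RANGE_ACL = THREAD_ACL[:2] + [Ace("permit", dst=SERVER, dport=("range", 1023, 4096))] + THREAD_ACL[2:]

if __name__ == "__main__":
    for mode in ("active", "passive"):
        pkt, verdict = first_inbound_data_packet(mode)
        print(f"{mode:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ack={pkt.ack}: {verdict}")
    print("passive with pinned PASV range:", first_inbound_data_packet("passive", PASV_RANGE_ACL)[1])
```

    Run as-is, the active-mode packet is permitted by the ftp-data line while the passive SYN falls through to the deny, which is exactly the pattern in the logged denies (client ephemeral port to a server port in the low thousands); the 'established' lines never help the passive SYN because it has no ACK bit. Pinning the passive range and permitting only that range to the server is the narrowest stateless fix; anything narrower needs a device that reads the 227 reply, as Cyanic said.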
  • e24ohm (Member, Posts: 151)
    APA wrote:
    Any particular reason you are using Passive mode?

    If possible I would enable active mode... then configure the following if you don't have any packet inspection to eye the return data port (20) and allow it through.

    permit tcp host a.a.a.a host b.b.b.b eq 21
    permit tcp host a.a.a.a host b.b.b.b eq 20

    Make sure the server can contact the client on ports >1023
    What are the differences between passive mode and active mode? I did not know that there were two types of FTP.