having a problem with FTP through an Access list

Hi Guys I am currently having problems trying to get ftp working through an access list applied to the inside interface of a vlan.

ok here is the situation have a esx box that backs onto a 2691 router and uses dot1Q in a router on a stick style config "a 3560 switch will be purchased soon I hope".

Any way I would like to have all the virtual networks completely separate apart from all being able to be accessed from 1 and all being able to get to an internal ftp site.

So what I have done is applied an access list inbound on the sub interface on the router.
This seems to work well on all apart from ftp I get the authentication that works then that is it nothing I have tried.

permit tcp any host a.a.a.a eq ftp-data
permit tcp any host a.a.a.a eq ftp-data gt 1024
permit tcp any host a.a.a.a eq ftp-data established
permit tcp any host a.a.a.a eq ftp-data gt 1024 established

The errors I get logging the deny statement
deny ip any a.a.a.a 0.255.255.255
%SEC-6-IPACCESSLOGP: list Access list denied tcp b.b.b.b(4034) -> a.a.a.a(1352), 1 packet

If someone can tell me what i am doing wrong it would be great

Thanks you in advance

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dtlokee

That deinied packet does not seem to be an FTP packet.

FTP is a protocol that will use 2 connections, 1 for control 1 for data transfer. The control will be established from the client on a random port greater than 1023 (you used 1024) to the server port of 21 for control. The connection for the data transfer will be established from the client side or the server side depending on the active or passive mode of the client. Your acl has only taken into account the data port. You need something like this:

permit tcp host <client ip> gt 1023 host <server-ip> eq 20
permit tcp host <client ip> gt 1023 host <server-ip> eq 21

That assumes that the packets are hitting the ACL going from the client to the server, but I think you are doing it the other way around so you need to swap the client and server if that is the case.

permit tcp host <server-ip> eq 20 host <client ip> gt 1023
permit tcp host <server-ip> eq 21 host <client ip> gt 1023

BADfish10

Hi thanks for your respounce so far

i have endered:

permit tcp any gt 1023 host b.b.b.b eq 20
permit tcp any gt 1023 host b.b.b.b eq 21
permit tcp host b.b.b.b eq 20 any gt 1023
permit tcp host b.b.b.b eq 21 any gt 1023

just blanket attempt
What i recive back

%SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1465) -> b.b.b.b(2361), 1 packet
%SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1467) -> b.b.b.b(2363), 1 packet
%SEC-6-IPACCESSLOGP: list Access-list denied tcp a.a.a.a(1469) -> b.b.b.b(2365), 1 packet

This is a windows 2003 r2 server to 2003r2 IIS based FTP
i know this trafic only occers when i try to ftp to host b

just to clear up diagram
Client

ACL(in)--interface---interface

Server

any help greatfuly recived

Thanks Again

J

dtlokee

Those denied packets may not have anything to do with the FTP traffic. Add the "log" keyword to the permit lines as well so you can see if you are getting hits on them when you attempt to use FTP.

BADfish10

I will add the log statment and post back

other test done our show ip access-list on this you only see the Permit FTP line incriment and not the permit ftp-data line.
For the record the authentication works but the data dose not.
another test i did was to add a permit tcp any host b.b.b.b range 2350 4860 once this was added ftp worked as expected untill the destination port address left the range.
i am going to rebuild the access list with log statments and post the results.

thanks again

J

BADfish10

ok so added log statments to ftp ftp-data
and the deny
all i got on the console is ftp allow nothing else but still dose not work
doing a sh ip access-list
shows the permit ftp line counter incrimenting
and shows the deny line counter incrimenting nothing else

i have been reading round the web and have found
permit tcp any gt 1023 host b.b.b.b range 1023 4096
seems a bit of a drastic step to me

Any comment would be great

Thanks

J

dtlokee

Do you have the permit FTP and permit FTP Data lines at the top of the ACL before any deny statements?

BADfish10

Yes

10 and 20 "cisco 10 20 1,2"

only deny in ACL is at 60

Thanks

J

Panzer919

Try opening up your ACL to allow any FTP traffic to any device.

permit tcp any any eq ftp
deny any

see if this still blocks it.

BADfish10

Panzer919 wrote: »

Try opening up your ACL to allow any FTP traffic to any device.

permit tcp any any eq ftp
deny any

see if this still blocks it.

With out FTP-DATA line
will try just that with log command on both and post back

J

BADfish10

ok here we go

ip access-list extended FTP
permit tcp any any eq ftp log
deny ip any any log

%SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3916) -> b.b.b.b(21), 1 packet
%SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3917) -> b.b.b.b(21), 1 packet
%SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3919) -> b.b.b.b(21), 1 packet
%SEC-6-IPACCESSLOGP: list FTP permitted tcp a.a.a.a(3921) -> b.b.b.b(21), 1 packet

Extended IP access list FTP
10 permit tcp any any eq ftp log (34 matches)
20 deny ip any any log (12 matches)
and it failed no deny log generated but as you can see acl matched
and ftp still not working

Cheers

James

networker050184

Have you tried with no ACL to make sure it works at all?

If it does then throw up a sniffer and see what you are missing.

dtlokee

Add a "permit tcp any any eq 20"

BADfish10

it works fine without ACl

ip access-list extended FTP
permit tcp any any eq ftp log
permit tcp any any eq FTP-DATA log
deny ip any any log

Extended IP access list FTP
10 permit tcp any any eq ftp log (35 matches)
20 permit tcp any any eq ftp-data log
30 deny ip any any log (10 matches)

i did type eq 20 but the device turned it to the ftp-data as expected
it sort of feels like the client contacts the server shakes hands then the server says contact me on a port between 1023 4096 for your ftp data.
This hits the ACL and fails.

any ideas would be great

Many thanks

J

jason_lunde

Try throwing on an acl with the established commands in again....
being lines 30 and 40 appended to your previous posts output.

Extended IP access list FTP
10 permit tcp any any eq ftp log (35 matches)
20 permit tcp any any eq ftp-data log
30 permit tcp any any eq ftp established log
40 permit tcp any any eq ftp-data established log
50 deny ip any any log (10 matches)

See if that does it.

Jason

BADfish10

jason_lunde wrote: »

Try throwing on an acl with the established commands in again....
being lines 30 and 40 appended to your previous posts output.

Extended IP access list FTP
10 permit tcp any any eq ftp log (35 matches)
20 permit tcp any any eq ftp-data log
30 permit tcp any any eq ftp established log
40 permit tcp any any eq ftp-data established log
50 deny ip any any log (10 matches)

See if that does it.

Jason

The result is the same

Extended IP access list FTP
10 permit tcp any any eq ftp log (35 matches)
20 permit tcp any any eq ftp-data log
30 permit tcp any any eq ftp established log
40 permit tcp any any eq ftp-data established log
50 deny ip any any log (11 matches)

well nearly still dose the authentication and then nothing cant belive FTP is such a pig through a Basic ACL
well any help well recived

Thanks All

J

networker050184

Have you tried to use wireshark or other sniffer to see what you are missing?

Panzer919

I understand that FTP is connection oriented but are there UDP or IP control packets that have to traverse? Have you thought about opening the ACL for TCP, IP and UDP traffic to see if it still gets blocked?

If that still fails you could try doing the ACL a different way. What if you deny specific traffic and permit TCP any any.

BADfish10

As far as i can see and tell only tcp is used
i may have to light wire shark up but as said a solution is to use

permit tcp any gt 1023 host b.b.b.b range 1023 4096
this is atleast not the whole TCP port range but i am not happy that there is not just a key comand i am missing.
it dose say that this is tcp only

i would of thought the etablish would of done it as it is an established connection but no.

doing the ACL in adifferent may work i will try later but in all honesty blocking in reverse will grow an ACL from 5 statments to like 50 and i am sure that it will open up a good chance to leave ports open i would not like.

keep the ideas coming

Cheers

J

Cyanic

Based on you logs it looks like the FTP is passive.

http://slacksite.com/other/ftp.html

Cyanic

I don't see a clean way for an ACL as you would have to allow any to server for high ports. I found this, looks dangerous though.

Active FTP vs Passive FTP Cisco Notepad
! Passive FTP
permit tcp any host 150.1.4.1 eq ftp
permit tcp any host 150.1.4.1 range 1023 65535

I am not a Windows expert but can you change your server to only use Active FTP, then use the FTP ACL commands?

creamy_stew

I don't think there's any way around this. Some FTP servers allow you specify a limited port range to use for PASV though, that way you only have to allow those ports through. I know ServU does, probably others.

Cyanic

Sounds like a stateful firewall that can look into the application data is really what is needed.

e24ohm

creamy_stew wrote: »

I don't think there's any way around this. Some FTP servers allow you specify a limited port range to use for PASV though, that way you only have to allow those ports through. I know ServU does, probably others.

Yes that is a good point, ServU does allow you to do this...wow...I haven't seen ServU mention in over 8 years. I didn't even know it was still around, or being used. I used SerU on my old Windows 95 system.

Forsaken_GA

creamy_stew wrote: »

I don't think there's any way around this. Some FTP servers allow you specify a limited port range to use for PASV though, that way you only have to allow those ports through. I know ServU does, probably others.

proftpd allows you to define a passive range, and I believe vsftpd does as well. This is a common problem, so I would not use any ftp daemon that hasn't evovled well enough to support it

APA

Any particular reason you are using Passive mode?

If possible I would enable active mode... then configure the following if you don't have any packet inspection to eye the return data port (20) and allow it through.

permit tcp host a.a.a.a host b.b.b.b eq 21
permit tcp host a.a.a.a host b.b.b.b eq 20

Make sure the server can contact the client on ports >1023

e24ohm

APA wrote: »

Any particular reason you are using Passive mode?

If possible I would enable active mode... then configure the following if you don't have any packet inspection to eye the return data port (20) and allow it through.

permit tcp host a.a.a.a host b.b.b.b eq 21
permit tcp host a.a.a.a host b.b.b.b eq 20

Make sure the server can contact the client on ports >1023

What are the differences between Passive mode, and Active mode? I did not know that there were two types of FTP.