Solved

FTP and Cisco ACL's

Posted on 2002-05-24
Last Modified: 2013-11-29
How do I make my ACL application aware?  We use port mode for FTP internally and it seems the data connection can't be established.  You can log in to the FTP server okay, but any request to the server that requires the data pipe is failing.  The ACL is allowing tcp ports 20 & 21.  However, with port mode, I doubt we are actually using port 20 for data.

access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data

All my other services are working great, just can't get FTP to do its thing.  Any help is appreciated.

--M
Question by:mangia
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7032261
Is the ACL being applied inbound, or outbound?

Try allowing anything established:

access-list 101 permit tcp any any established

add this line to the bottom of your acl:

access-list 101 deny ip any any log

This way you can watch the log and see exactly what is being denied and adjust accordingly.
 
LVL 79

Expert Comment

by:lrmoore
ID: 7032277
After some research, I found that port mode uses high-numbered ports, so you may need to add this line, if the established keyword does not help:

access-list 101 permit tcp any any gt 1024

http://www.cert.org/tech_tips/ftp_port_attacks.html
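As an added illustration (not part of lrmoore's post or the original thread), here is what an inbound WAN ACL has to contain for active (PORT) mode FTP to work, and why the original `permit tcp any any eq ftp-data` line never matches. The prefix 192.0.2.0/24 is assumed to be the company's public address space and Serial0 the WAN interface; both are placeholders.

```cisco
! Added example, not from the original thread. Assumes the ACL is applied
! inbound on the WAN interface (Serial0) and that 192.0.2.0/24 is the
! company's public range behind it. Both are assumptions.
!
! Control channel: client -> server port 21. Replies arrive inbound from
! source port 21 with ACK set, so "established" covers them.
access-list 101 permit tcp any eq ftp 192.0.2.0 0.0.0.255 established
!
! Active (PORT) mode data channel: the SERVER opens it, from its own source
! port 20 to the high port the client announced in the PORT command.
! Inbound, that SYN has SOURCE port 20, not destination port 20:
!   permit tcp any any eq ftp-data          -> matches destination port 20 (never seen inbound here)
!   permit tcp any eq ftp-data any gt 1023  -> matches source port 20, destination > 1023 (the data SYN)
access-list 101 permit tcp any eq ftp-data 192.0.2.0 0.0.0.255 gt 1023
!
! Caveat: any Internet host can set its source port to 20, so the line
! above exposes every internal port above 1023 to such a host. CBAC
! ("ip inspect") avoids that by opening the return path only while an FTP
! session it has watched is in progress; the ftp inspector also follows
! the PORT command and admits exactly the negotiated data connection.
ip inspect name EDGE ftp
ip inspect name EDGE tcp
!
! Explicit final deny with logging, so denied packets show in the log.
access-list 101 deny ip any any log
!
interface Serial0
 ip access-group 101 in
 ip inspect EDGE out
```

With CBAC enabled the static `eq ftp-data ... gt 1023` line can be removed, since the inspector inserts a temporary entry ahead of ACL 101 for each data connection it sees negotiated on the control channel; the static line is only needed on routers without the firewall feature set.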
 
LVL 1

Author Comment

by:mangia
ID: 7032342
lrmoore,

The ACL is on our WAN interface, for inbound.  The first line of the ACL is,

access-list 101 permit tcp any any established

Doesn't the server send a passive open back to the client to open the data pipe? This should be a SYN packet and not an established connection.  Plus it's not cool to open 64511 ports to get FTP working.

Is CBAC needed in this case?

--M
 
LVL 79

Expert Comment

by:lrmoore
ID: 7032455
Are you trying to help your internal users get to outside FTP sites, or outside users to get to your FTP site?
The simplest thing for the internal users is to switch to passive mode to force the use of port 20 for data.
 
LVL 11

Expert Comment

by:geoffryn
ID: 7032783
This is a pretty good resource about FTP and firewalls.  

http://slacksite.com/other/ftp.html

and this one is not bad either.

http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html
 
LVL 1

Author Comment

by:mangia
ID: 7032841
This is for internal users to access outside ftp sites.  Plus MS command line ftp, which I use, does not support pasv mode.

I need to rethink my layered security plan.  I may be effectively negating the investment in our PIX by getting so granular with the router ACL.  I think my Internet router should filter RFC1918 and permit only company-owned addresses outbound.

--M
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 7033079
I agree with your assessment. If you have this access-list assigned to the serial interface INbound, that is the wrong place to have it anyway. Let the PIX be the firewall and just use the most basic security on the edge router.

Check out the Executive Summary of the Cisco Router guide here.
http://nsa1.www.conxion.com/
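As an added example of the "most basic security on the edge router" the accepted answer recommends, combined with the poster's own plan (drop RFC 1918 sources inbound, allow only company-owned addresses outbound): this configuration is not from the thread or the linked guide. The prefix 192.0.2.0/24 and the interface name Serial0 are placeholders; substitute the real public range and WAN interface.

```cisco
! Added example, not from the original thread. Assumes 192.0.2.0/24 is the
! company's public prefix and Serial0 is the WAN interface; the PIX behind
! the router does the stateful (application-aware) filtering.
!
! Inbound: drop what cannot legitimately arrive from the Internet - RFC 1918
! and loopback sources, and our own prefix as a source (spoofed) - then pass
! everything addressed to us on to the PIX.
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit ip any 192.0.2.0 0.0.0.255
 deny   ip any any log
!
! Outbound: only company-owned source addresses may leave. Anything else is
! a misconfiguration or an internal host spoofing, and is logged.
ip access-list extended EDGE-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
```

Because EDGE-IN no longer tries to track FTP, the active-mode data connection from the server's port 20 passes the router and is handled by the PIX, which follows the PORT command itself; the router only enforces address sanity at the edge.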
