Solved

FTP and Cisco ACL's

Posted on 2002-05-24
1,193 Views
Last Modified: 2013-11-29
How do I make my ACL application aware?  We use port mode for FTP internally and it seems the data connection can't be established.  You can login to the FTP server okay, but any request to the server that requires the data pipe is failing.  The ACL is allowing tcp ports 20 & 21.  However with port mode, I doubt we are actually using port 20 for data.

access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data

All my other services are working great, just can't get FTP to do its thing.  Any help is appreciated.

--M
Question by:mangia
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7032261
Is the ACL being applied inbound, or outbound?

Try allowing anything established:

access-list 101 permit tcp any any established

add this line to the bottom of your acl:

access-list 101 deny any any log

This way you can watch the log and see exactly what is being denied and adjust accordingly.
LVL 79

Expert Comment

by:lrmoore
ID: 7032277
After some research, I found that port mode uses high-numbered ports, so you may need to add this line, if the established keyword does not help:

access-list 101 permit tcp any any gt 1024

http://www.cert.org/tech_tips/ftp_port_attacks.html
LVL 1

Author Comment

by:mangia
ID: 7032342
lrmoore,

The ACL is on our WAN interface, for inbound.  The first line of the ACL is,

access-list 101 permit tcp any any established

Doesn't the server send a passive open back to the client to open the data pipe? This should be a SYN packet and not an established connection.  Plus it's not cool to open 64511 ports to get FTP working.

Is CBAC needed in this case?

--M
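To make the failure concrete, here is an added example (not from anyone in this thread) that decodes the client's PORT command, builds the SYN the server sends from port 20 to open the data connection, and evaluates the posted ACL 101 against it. The addresses are constructed, and the narrower fourth rule in acl_101_narrow is a suggestion of mine, not something from the thread.

```python
import re
from dataclasses import dataclass

# Constructed example: an active-mode (PORT) FTP session as seen from the
# edge router's WAN interface. Both addresses are hypothetical.
CLIENT_IP = "192.0.2.10"     # internal client
SERVER_IP = "198.51.100.7"   # outside FTP server


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool   # ACK or RST bit set; this is all 'established' keys on


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into the socket the client listens on."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])


def data_syn_for(port_line):
    """The SYN the server sends from port 20 to the port the client announced."""
    host, port = parse_port_command(port_line)
    return Packet(SERVER_IP, 20, host, port, ack=False)


def acl_101(p):
    """Inbound ACL as posted, evaluated top-down with the implicit deny last."""
    if p.ack:                          # permit tcp any any established
        return "permit established"
    if p.dport == 21:                  # permit tcp any any eq ftp
        return "permit ftp"
    if p.dport == 20:                  # permit tcp any any eq ftp-data (DEST port)
        return "permit ftp-data"
    return "deny"


def acl_101_narrow(p):
    """acl_101 plus 'permit tcp any eq ftp-data any gt 1023': the data SYN is
    matched on its SOURCE port 20, far narrower than 'permit tcp any any gt 1024'."""
    verdict = acl_101(p)
    if verdict == "deny" and p.sport == 20 and p.dport > 1023:
        return "permit ftp-data source"
    return verdict
```

The data SYN has destination port 1025, not 20, so `eq ftp-data` never matches it, and with no ACK bit set `established` does not either; only a rule keyed on the source port (or stateful inspection) lets it through.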
LVL 79

Expert Comment

by:lrmoore
ID: 7032455
Are you trying to help your internal users get to outside FTP sites, or outside users to get to your FTP site?
The simplest thing for the internal users is to switch to passive mode to force the use of port 20 for data.
LVL 11

Expert Comment

by:geoffryn
ID: 7032783
This is a pretty good resource about FTP and firewalls.  

http://slacksite.com/other/ftp.html

and this one is not bad either.

http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html
LVL 1

Author Comment

by:mangia
ID: 7032841
This is for internal users to access outside ftp sites.  Plus MS command line ftp, which I use, does not support pasv mode.

I need to rethink my layered security plan.  I may be effectively negating the investment in our PIX by getting so granular with the router ACL.  I think my Internet router should filter RFC1918 and permit only company-owned addresses outbound.

--M
LVL 79

Accepted Solution

by:lrmoore (earned 50 total points)
ID: 7033079
I agree with your assessment. If you have this access-list assigned to the serial interface INbound, that is the wrong place to have it anyway. Let the PIX be the firewall and just use the most basic security on the edge router.

Check out the Executive Summary of the Cisco Router guide here.
http://nsa1.www.conxion.com/


Expert Comment

by:CleanupPing
ID: 9155648
mangia:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.