mangia
FTP and Cisco ACL's
How do I make my ACL application aware? We use port mode for FTP internally and it seems the data connection can't be established. You can login to the FTP server okay, but any request to the server that requires the data pipe is failing. The ACL is allowing tcp ports 20 & 21. However with port mode, I doubt we are actually using port 20 for data.
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
All my other services are working great, just can't get FTP to do its thing. Any help is appreciated.
--M
After some research, I found that port mode uses high-numbered ports, so you may need to add this line if the established keyword does not help:
access-list 101 permit tcp any any gt 1024
http://www.cert.org/tech_tips/ftp_port_attacks.html
ASKER
lrmoore,
The ACL is on our WAN interface, for inbound. The first line of the ACL is,
access-list 101 permit tcp any any established
Doesn't the server send a passive open back to the client to open the data pipe? This should be a SYN packet and not an established connection. Plus it's not cool to open 64511 ports to get FTP working.
Is CBAC needed in this case?
--M
Are you trying to help your internal users get to outside FTP sites, or outside users to get to your FTP site?
The simplest thing for the internal users is to switch to passive mode to force the use of port 20 for data
This is a pretty good resource about FTP and firewalls.
http://slacksite.com/other/ftp.html
and this one is not bad either.
http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html
ASKER
This is for internal users to access outside ftp sites. Plus MS command line ftp, which I use, does not support pasv mode.
I need to rethink my layered security plan. I may be effectively negating the investment in our PIX by getting so granular with the router ACL. I think my Internet router should filter RFC1918 and permit only company-owned addresses outbound.
--M
Try allowing anything established:
access-list 101 permit tcp any any established
add this line to the bottom of your acl:
access-list 101 deny ip any any log
This way you can watch the log and see exactly what is being denied and adjust accordingly.
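As an added example (not code from the original thread, and not anything from Cisco), here is a small Python model of the ACL lines quoted in this thread applied to the inbound packets of an active-mode and a passive-mode FTP session. It shows why the data connection fails with only the `established`, `eq ftp` and `eq ftp-data` lines: in active (PORT) mode the server opens the data connection itself, from source port 20 to a high-numbered port on the client, so the first inbound packet is a SYN with no ACK bit and matches nothing except the final deny, which the `log` keyword makes visible. In passive mode the client opens the data connection outbound, so every inbound data packet is a reply that `established` permits. Adding `gt 1024` does make active mode work, at the cost of permitting new inbound connections to every high port, which is the trade-off the asker objected to. The port numbers in the sample packets are constructed; `established` is modelled as IOS defines it (match only when the ACK or RST bit is set).

```python
"""Added example, not from the original thread: a model of a Cisco extended ACL
applied inbound on a WAN interface, evaluated over the inbound packets of an
active-mode and a passive-mode FTP session.  Rule lines are the ones quoted in
the thread; packet port numbers are constructed."""

from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "ftp-data": 20}


@dataclass
class Packet:
    src_port: int
    dst_port: int
    ack: bool          # False only for the initial SYN of a new connection
    desc: str = ""


@dataclass
class Rule:
    action: str              # "permit" or "deny"
    dst_op: str = ""         # "", "eq" or "gt": test on the destination port
    dst_port: int = 0
    established: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        # 'established' matches only packets with ACK (or RST) set, never a bare SYN.
        if self.established and not p.ack:
            return False
        if self.dst_op == "eq" and p.dst_port != self.dst_port:
            return False
        if self.dst_op == "gt" and p.dst_port <= self.dst_port:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse 'access-list N permit|deny tcp|ip any any [eq|gt PORT] [established] [log]'.
    All sample packets are TCP, so 'tcp' and 'ip' are treated alike here."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] not in ("tcp", "ip") \
            or tok[4:6] != ["any", "any"]:
        raise ValueError(f"unsupported rule: {line}")
    rule = Rule(action=tok[2])
    i = 6
    while i < len(tok):
        if tok[i] in ("eq", "gt"):
            name = tok[i + 1]
            rule.dst_op = tok[i]
            rule.dst_port = int(name) if name.isdigit() else PORT_NAMES[name]
            i += 2
        elif tok[i] == "established":
            rule.established = True
            i += 1
        elif tok[i] == "log":
            rule.log = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
    return rule


def evaluate(acl: list, p: Packet) -> tuple:
    """First matching rule wins; without an explicit final rule IOS applies an
    implicit deny that is never logged."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.log
    return "deny", False


# The ACL as described in the thread, with the suggested logged deny at the end.
ACL_FROM_THREAD = [
    "access-list 101 permit tcp any any established",
    "access-list 101 permit tcp any any eq ftp",
    "access-list 101 permit tcp any any eq ftp-data",
    "access-list 101 deny ip any any log",
]
# The same ACL with the 'gt 1024' line inserted before the final deny.
ACL_WITH_HIGH_PORTS = ACL_FROM_THREAD[:3] + [
    "access-list 101 permit tcp any any gt 1024",
] + ACL_FROM_THREAD[3:]

# Constructed sample packets, all inbound (Internet FTP server -> internal client).
INBOUND_PACKETS = [
    Packet(21, 49152, ack=True, desc="control"),        # SYN-ACK answering the client's port-21 SYN
    Packet(20, 49153, ack=False, desc="active-data"),   # server itself opens data conn from port 20
    Packet(51000, 49153, ack=True, desc="passive-data"),  # SYN-ACK answering the client's data SYN
]


def run(acl_lines: list) -> dict:
    """Map each sample packet's description to (action, logged) under the given ACL."""
    acl = [parse_rule(line) for line in acl_lines]
    return {p.desc: evaluate(acl, p) for p in INBOUND_PACKETS}


if __name__ == "__main__":
    for title, lines in (("ACL from the thread", ACL_FROM_THREAD),
                         ("with 'gt 1024' added", ACL_WITH_HIGH_PORTS)):
        print(title)
        for desc, (action, logged) in run(lines).items():
            print(f"  {action:6} {'(logged)' if logged else '':8} {desc}")
```

Running it shows `active-data` as the only denied (and logged) packet under the thread's ACL, which is exactly the entry the `deny ip any any log` line would surface in the router log, and shows it permitted once `gt 1024` is present.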