• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1250
  • Last Modified:

FTP and Cisco ACL's

How do I make my ACL application aware?  We use port mode for FTP internally and it seems the data connection can't be established.  You can login to the FTP server okay, but any request to the server that requires the data pipe is failing.  The ACL is allowing tcp ports 20 & 21.  However with port mode, I doubt we are actually using port 20 for data.

access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data

All my other services are working great, just can't get FTP to do its thing.  Any help is appreciated.

--M
0
mangia
Asked:
mangia
1 Solution
 
lrmooreCommented:
Is the ACL being applied inbound, or outbound?

Try allowing anything established:

access-list 101 permit tcp any any established

add this line to the bottom of your acl:

access-list 101 deny any any log

This way you can watch the log and see exactly what is being denied and adjust accordingly.
0
 
lrmooreCommented:
After some research, i found that port-mode used high numbered ports, so you may need to add this line, if the established keyword does not help:

access-list 101 permit tcp any any gt 1024

http://www.cert.org/tech_tips/ftp_port_attacks.html
0
 
mangiaAuthor Commented:
lrmoore,

The ACL is on our WAN interface, for inbound.  The first line of the ACL is,

access-list 101 permit tcp any any established

Doesn't the server send a passive open back to the client to open the data pipe? This should be a SYN packet and not an established connection.  Plus it's not cool to open 64511 ports to get FTP working.

Is CBAC needed in this case?

--M
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
lrmooreCommented:
Are you trying to help you internal users get to outside FTP sites, or outside users to get to your FTP site?
The simplest thing for the internal users is to switch to passive mode to force the use of port 20 for data
0
 
geoffrynCommented:
This is a pretty good resource about FTP and firewalls.  

http://slacksite.com/other/ftp.html

and this one is not bad either.

http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html
0
 
mangiaAuthor Commented:
This is for internal users to access outside ftp sites.  Plus MS command line ftp, which I use, does not support pasv mode.

I need to rethink my layered security plan.  I may be effectively negating the investment in our PIX by getting so granular with the router ACL.  I think my Internet router should filter RFC1918 and permit only company-owned addresses outbound.

--M
0
 
lrmooreCommented:
I agree with your assessment. If you have this access-list assigned to the serial interface INbound, that is the wrong place to have it anyway. Let the PIX be the firewall and just use the most basic security on the edge router.

Check out the Executive Summary of the Cisco Router guide here.
http://nsa1.www.conxion.com/

0
 
CleanupPingCommented:
mangia:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now