Solved

FTP and Cisco ACL's

Posted on 2002-05-24
8
1,188 Views
Last Modified: 2013-11-29
How do I make my ACL application aware?  We use port mode for FTP internally and it seems the data connection can't be established.  You can login to the FTP server okay, but any request to the server that requires the data pipe is failing.  The ACL is allowing tcp ports 20 & 21.  However with port mode, I doubt we are actually using port 20 for data.

access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data

All my other services are working great, just can't get FTP to do its thing.  Any help is appreciated.

--M
0
Comment
Question by:mangia
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7032261
Is the ACL being applied inbound, or outbound?

Try allowing anything established:

access-list 101 permit tcp any any established

add this line to the bottom of your acl:

access-list 101 deny any any log

This way you can watch the log and see exactly what is being denied and adjust accordingly.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7032277
After some research, i found that port-mode used high numbered ports, so you may need to add this line, if the established keyword does not help:

access-list 101 permit tcp any any gt 1024

http://www.cert.org/tech_tips/ftp_port_attacks.html
0
 
LVL 1

Author Comment

by:mangia
ID: 7032342
lrmoore,

The ACL is on our WAN interface, for inbound.  The first line of the ACL is,

access-list 101 permit tcp any any established

Doesn't the server send a passive open back to the client to open the data pipe? This should be a SYN packet and not an established connection.  Plus it's not cool to open 64511 ports to get FTP working.

Is CBAC needed in this case?

--M
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7032455
Are you trying to help you internal users get to outside FTP sites, or outside users to get to your FTP site?
The simplest thing for the internal users is to switch to passive mode to force the use of port 20 for data
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 11

Expert Comment

by:geoffryn
ID: 7032783
This is a pretty good resource about FTP and firewalls.  

http://slacksite.com/other/ftp.html

and this one is not bad either.

http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html
0
 
LVL 1

Author Comment

by:mangia
ID: 7032841
This is for internal users to access outside ftp sites.  Plus MS command line ftp, which I use, does not support pasv mode.

I need to rethink my layered security plan.  I may be effectively negating the investment in our PIX by getting so granular with the router ACL.  I think my Internet router should filter RFC1918 and permit only company-owned addresses outbound.

--M
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
ID: 7033079
I agree with your assessment. If you have this access-list assigned to the serial interface INbound, that is the wrong place to have it anyway. Let the PIX be the firewall and just use the most basic security on the edge router.

Check out the Executive Summary of the Cisco Router guide here.
http://nsa1.www.conxion.com/

0
 

Expert Comment

by:CleanupPing
ID: 9155648
mangia:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now