• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 867
  • Last Modified:

Passive SSL ftp problem PIX 515

Hi Guys (again)

I am setting up an FTP server on the DMZ network of two PIX 515's. The FTP server is WS FTP Serverand has been configured with the correct out going IP address and port range for passive connections, here is the config for the machine I have on the PIX:

name 192.168.11.1 ftpserver
access-list outside_access_in permit tcp any host x.x.x.x eq ftp
access-list outside_access_in permit tcp any host x.x.x.x range 40000 5000
0
access-list outside_access_in permit tcp any host x.x.x.x eq https

static (DMZ,outside) x.x.x.x ftpserver netmask 255.255.255.255 0 0

When I try to connect I get this:

Started on Tuesday May 09, 2006 at 18:21:PM
Connect socket #780 to x.x.x.x, port 21...
220 ftp01.xxxxxxxxx.com X2 WS_FTP Server 5.0.5 (136235678)  
AUTH SSL  
234 SSL enabled and waiting for negotiation  
TLSv1, cipher TLSv1/SSLv3 (DHE-RSA-AES128-SHA) - 128 bit
USER xxxxxxxx  
331 Password required  
PASS **********  
230 user logged in  
SYST  
215 UNIX  
Keep alive off...
PWD  
257 "/users/xxxxxxx" is current directory  
PBSZ 0  
200 PBSZ=0  
PROT P  
200 PRIVATE data channel protection level set  
PASV  
227 Entering Passive Mode (216,27,90,96,156,65).  
LIST  
Connect socket #856 to xxxxxxx, port 40001...
timeout
QUIT  
226 abort successful  

If I try it Active it works fine!

Can anyone let me know what I have done wrong!

I do not have any fix ups configured (not even for ftp) as this seems to break it completely

Thanks

Kevin
0
kjorviss
Asked:
kjorviss
  • 4
  • 4
1 Solution
 
Cyclops3590Commented:
what version of OS do you have?  I am assuming a 6.X since you're talking about fixups
also you have applied the acl to the outside interface with the access-group command, correct?


also, can you connect passively from a host on the same segment as the ftp server (in other words, take the firewall out of the mix)
0
 
kjorvissAuthor Commented:
The IOS is  6.3.5, the assces group statement is "access-group outside_access_in in interface outside" and I can passivly connect to it on the same LAN segement.

It works fine with active FTP but as soon as the clent tries to reply back on a port the FTP server has choosen it does not work.

THanks

Kevin
0
 
Cyclops3590Commented:
i'd like for you to run a test for me, run ethereal on a client outside of the firewall when you try to connect passively.  My assumption is that if you can connect internally without issue and you turned off the ftp fixup, the the ftp server is probably sending its internal IP to the outside client which of course the outside client would never know where that IP is since it'd need the outside IP address.  Ethereal should tell you which IP the client is trying to connect to during that process though.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
kjorvissAuthor Commented:
Hi Cyclops3590

The FTP server has a "Firewall" section where you can specify the public address and the passive port range. I have these configured on the server and when I use a client off or on the firewall with Core FTP Pro I can see the public address in its log. It is only when I am going through the firewall and the FTP server has told the client which port to use in the 40000 - 50000 range (configured on the FTP server and the firewall) it breaks. It is like the range I have specified on the PIX is not working. It is definatley the firewall that is doing it. If I remove the port range from the FTP server, then it will work but on random port numbers, I am guessing are determined by the PIX.

If I do not configure the FTP server for the passive port range or IP( and use fixups on the PIX ), it still works, BUT I can see the private "192" address in the Core FTP progress window:

192.168.11.1 -> x.x.x.x

I am completelty confused by it, but I thing my port range line in my original answer is not working, but do not know how to fix it.

THanks

Kevin
0
 
Cyclops3590Commented:
really you should use the fixup ftp because the pix will know to allow that.  however, since you have an access list to allow those ports and pass them on they should be going.  also, please try the ethereal just to be certain.  also while you are doing this passive mode connection run captures on the pix to see the data.

btw, do you have the pix log to a syslog server? this is how I look thru the logs, but i'm pretty sure you can dump them to screen as well.
0
 
kjorvissAuthor Commented:
I am going back to the data centre tomorrow..... I will try the fixups again, but if I use the FTP fixup then the firewall tries to reanslate the address the FTP server has already translated to the public address. I will see if the FTP server will let me leave the Public IP field blank and just have the ports and I will let you know how it goes.

Thanks

Kevin
0
 
Cyclops3590Commented:
that's what i'd recommend.
0
 
kjorvissAuthor Commented:
Configuring the fix ups for the IP and the ports, but leaving the port config on the FTP server BUT removing the public IP config from the Server worked!
0
 
oh4realCommented:
Cyclops.  Sounds like you helped out a lot. I am 'similar' situation, but tired of bashing my head against wall with setting up FTPS for 100s-1000s of users who will need secure FTP upload once every couple of weeks, each.  I have them nicely chrooted and 'jailed' on the server, once they get there, but can't get them there if I use FTPS explicit protocols - contacts via :21, then gets assigned to 60,000-65,000 for data.  As per this discussion above everything is fine until the LIST command is sent, when it times out.

Status:      Resolving IP-Address for askjeeves .net
Status:      Connecting to X.X.X.X:21...
Status:      Connection established, waiting for welcome message...
Response:      220 ProFTPD 1.3.0 Server (ProFTPD) [X.X.X.X]
Command:      AUTH TLS
Response:      234 AUTH TLS successful
Status:      Initializing TLS...
Command:      USER askjeeves
Status:      Verifying certificate...
Status:      TLS/SSL connection established.
Response:      331 Password required for askjeeves .
Command:      PASS *************
Response:      230 User askjeeves logged in.
Command:      PBSZ 0
Response:      200 PBSZ 0 successful
Command:      PROT P
Response:      200 Protection set to Private
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (X,X,X,X,242,235).
Command:      LIST
Error:      Connection timed out
Error:      Failed to retrieve directory listing

I have hosted, dedicated linux server (FC6 running ProFTPD as FTP Server) behind PIX 501 Hardware Firewall with v6.3(5).

I have set up FTP server to PassivePorts 60000 to 65000 and want/need PIX to start listening on these ports and just push everything through, 'no questions asked' and let FTP server, which presumably is listening, deal with them.

Here is my PIX config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password gobbledeegook.b encrypted
passwd gobbledeegook.b encrypted
hostname pixfirewall
domain-name linux.hostingservice.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 205.209.0.0 spam1
name 64.202.189.0 spam2
name 220.132.164.0 spam3
access-list outside_access_in deny tcp spam3 255.255.255.0 any eq smtp
access-list outside_access_in deny tcp spam1 255.255.0.0 any eq smtp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ssh
access-list outside_access_in permit tcp any range 60000 65000 any range 60000 65000 log
access-list outside_access_in permit tcp any any eq 42
access-list outside_access_in permit udp any any eq nameserver
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq 465
access-list outside_access_in permit tcp any any eq 587
access-list outside_access_in permit tcp any any eq 995
access-list outside_access_in permit tcp any any eq 993
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 8443
access-list outside_access_in permit tcp any any eq 9999
access-list outside_access_in permit tcp any any eq 2086
access-list outside_access_in permit tcp any any eq 2087
access-list outside_access_in permit tcp any any eq 2082
access-list outside_access_in permit tcp any any eq 2083
access-list outside_access_in permit tcp any any eq 2096
access-list outside_access_in permit tcp any any eq 2095
access-list outside_access_in deny tcp any any eq telnet
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in deny tcp any any eq imap4
access-list outside_access_in deny tcp any any eq 1433
access-list outside_access_in deny tcp any any eq 3306
access-list outside_access_in deny tcp any any eq 9080
access-list outside_access_in deny tcp any any eq 9090
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in deny tcp spam2 255.255.255.0 any eq smtp
access-list access-outside-in deny tcp spam3 255.255.255.0 any eq smtp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside fire.wall.IP.address 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.1 255.255.255.255 inside
pdm location Public.IP.Add.ress 255.255.255.255 outside
pdm location spam1 255.255.0.0 outside
pdm location spam2 255.255.255.0 outside
pdm location spam3 255.255.255.0 outside
pdm history enable
arp timeout 14400
static (outside,inside) 10.0.0.1 Public.IP.Add.ress netmask 255.255.255.255 0 0
static (inside,outside) Public.IP.Add.ress 10.0.0.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 fire.wall.IP.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access outside
console timeout 0
username euripidies password morecraZYtalk encrypted privilege 15
terminal width 80
Cryptochecksum:
: end
[OK]

I was barely 'learned' enough to figure out how to shut down MASSIVE SMTP attackers, and wasted days, literally, listening to hosting services advice to 'upgrade Java' when faced with rarely being able to get PDM to work - when downgrading was the right answer.

I don't know what 'ephemeral' is, although I do know what it is in the context of FTP, it is the port the client or server is saying it will be using for SSL.

Any guidance you might be able to offer would be greatly appreciated.  Considering this issue must face EVERY one who wants to set up FTPS behind a PIX 501, I would expect a clearer answer out there...

REgards
oh4real
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now