Access-List with Passive and Active FTP

Status
Not open for further replies.

gbecker (MIS), Oct 21, 2003, US
I am having a slight problem with FTP for my users. I know I am missing something stupid, but I just can't find it. Basically, anyone on the outside (Ethernet1) can FTP in both Passive and Active mode (this is what I need); however, my users (Ethernet0) cannot connect to outside FTP sites in Passive mode, but are successful in Active mode. My users need to be able to connect in both modes. Below is the access-list.

Thank you
Glen


! Ethernet0 is the inside (user) interface; Ethernet1 is the outside interface
interface Ethernet0
ip access-group 120 in
no ip mroute-cache
no cdp enable
!
interface Ethernet1
ip access-group 121 in
no ip mroute-cache
duplex auto
no cdp enable


! ACL 120 is applied inbound on Ethernet0, so it filters traffic from the inside users toward the outside
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 3389
access-list 120 permit tcp any any eq domain
access-list 120 permit udp any any eq domain
access-list 120 permit icmp any any
access-list 120 permit tcp any any established
access-list 120 permit tcp any any eq 8080
access-list 120 deny udp any any range 0 1023
access-list 120 deny udp any any eq 2140
access-list 120 deny udp any any eq 18753
access-list 120 deny udp any any eq 20433
access-list 120 deny udp any any eq 27444
access-list 120 deny udp any any eq 31335
access-list 120 permit tcp any any eq 143
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 1024
access-list 120 permit tcp any any eq 1026
access-list 120 permit tcp any any range 5500 5700
access-list 120 permit tcp any any eq 15871
access-list 120 permit tcp any any eq 24243
! gt 1023 already covers gt 1024, so the second of these two lines never matches anything the first did not
access-list 120 permit tcp any eq ftp-data any gt 1023
access-list 120 permit tcp any eq ftp-data any gt 1024
! ACL 121 is applied inbound on Ethernet1, so it filters traffic arriving from the outside
access-list 121 permit tcp any any eq www
access-list 121 permit tcp any any eq ftp-data
access-list 121 permit tcp any any eq ftp
access-list 121 permit tcp any any eq telnet
access-list 121 permit tcp any any eq 3389
access-list 121 permit tcp any any eq domain
access-list 121 permit icmp any any
access-list 121 permit tcp any any established
access-list 121 permit tcp any any eq 8080
access-list 121 permit udp any any range 1024 65535
access-list 121 deny udp any any range 0 1023
access-list 121 deny udp any any eq 2140
access-list 121 deny udp any any eq 18753
access-list 121 deny udp any any eq 20433
access-list 121 deny udp any any eq 27444
access-list 121 deny udp any any eq 31335
access-list 121 permit tcp any any eq smtp
access-list 121 permit tcp any any eq 143
access-list 121 permit tcp any any eq 443
access-list 121 permit tcp any any eq 1024
access-list 121 permit tcp any any eq 1026
access-list 121 permit tcp any any range 5500 5700
access-list 121 permit tcp any eq ftp-data any gt 1023
access-list 121 permit tcp any eq ftp-data any gt 1024
 
Check your FTP-data port for PASV mode in the FTP server. Sometimes it's not necessarily the default port 20 when using PASV mode.
 
I did some research and found that the FTP server was correct. I first updated my access-list and found that when the users try to connect to a passive FTP site they can log in, but that's it. I then noticed that when an outside user connects to our FTP site in passive mode it works because of the line below.

access-list 121 permit tcp any any range 5500 5700

The log for our FTP server shows this
227 Entering Passive Mode (x,x,x,x,7,172).
connecting to x.x.x.x:5510
- -
connecting to x.x.x.x ...
Connected to x.x.x.x port 5510

I then called the company and asked them what ports their FTP server used, and they said 20 and 21, but did not know anything else. They did, however, give me the IP address of the FTP server: y.y.y.y

Is there a way to develop an access-list that will only open all ports incoming from that IP address? I think it would read access-list 120 permit tcp ???????

Thanks
Glen
 
Your E1 has this line in the access-list

access-list 121 permit udp any any range 1024 65535

While it is not there for your E0.

Could that be it?
 
Passive, maybe; I don't know, to be honest.
 
The Firewall Feature set will give you what you want. It understands a number of protocols and can dynamically open ports in an ACL to allow access - it understands FTP.


I have this configured on my DSL router and it works well, although it took me a couple of days with Ethereal and debug to get it exactly as I wanted it.

Good luck

Andy
 
I went to your link, but did not find anything about using an access list to allow IP address y.y.y.y to any on any port.

Can you be a little more specific?

Thanks
Glen
 
You misunderstood, I think. The Firewall Feature Set is an add-on you can buy (download) that allows some clever firewalling techniques integrated into IOS.

The way it works is that there is an ACL attached to an interface (usually your outside inbound interface) that allows some static access to certain services. In addition to this, the Firewall service is enabled on your internal interface, 'watching' connections. You can enable certain Layer-4 protocols (FTP being one of these) that the Firewall service understands; when it 'sees' connections it follows the conversations and dynamically opens ports on the inbound ACL to allow connections such as FTP data (as in your case).

Andy
 
or like Andy said, you can first allow all traffic and then use Ethereal on your FTP client and check the ports used in PASV mode. Then change the ACL accordingly and re-apply the ACL.
 
I would like to thank everyone for their help. Everyone's ideas led me to this fix.

access-list 120 permit tcp 192.0.0.0 0.0.0.255 gt 1023 host y.y.y.y gt 1023
 