CBAC - FTP and PAT

ppalmerjr
Level 1

We have an unclass setup where we are PAT'ing to the internet via a 2911 router.  We've found that passive FTP from internal (client) to public ftp server is not working and I've confirmed there is no ACL denying.  The initial connection (login) is fine but when trying to actually send data we see timeouts.  I'm thinking this is because I'm not doing this on a firewall with inspect ftp enabled.

So I enabled the security feature so I could configure CBAC, but that doesn't seem to correct my problem with FTP (active and/or passive).  G0/0 is my interface to the outside world and I'm applying the CBAC there.  Let me know what you think....I'm sure someone has run into this before and I'm stumped here.

Below are snippets of my config...

OUTPUT and CONFIG snippets

ip inspect name firewall ftp
ip inspect name firewall tcp
access-list 199 deny   ip any any
interface GigabitEthernet0/0
    ip address x.x.x.x x.x.x.x
    ip access-group 199 in
    no ip redirects
    ip nat outside
    ip inspect firewall out
    ip virtual-reassembly in

"show inspect all" shows the following and indicates to me that it is applied correctly.  I even see the router tracking (inspecting sessions) via the "show inspect sessions" command. 

#sho ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name firewall
    ftp alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
Interface Configuration
Interface GigabitEthernet0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is firewall
    ftp alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    dns alert is on audit-trail is off timeout 30
  Inbound access list is 199
  Outgoing access list is not set

ERROR WHEN TRYING FTP

ftp> open
To ftp.hp.com
Connected to ftp.hpgtm.nsatc.net.
220 g6u0651.atlanta.hp.com FTP server (hp.com version whp02s_p1) ready.
User (ftp.hpgtm.nsatc.net:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> quote PASV
227 Entering Passive Mode (15,193,112,141,160,114)
ftp> dir
200 PORT command successful.
425 Can't build data connection: Connection timed out.

A few other questions.

1.  I see that Cisco says they don't support third party FTP.  What exactly does that mean?

2.  They also say that the data connection will not open if the session is not authenticated.  Does anonymous count as being authenticated?

Thanks in advance for any ideas!!

Paul.
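What an FTP-aware inspection engine such as CBAC's `ip inspect ... ftp` has to derive from the control channel, as an added illustration (not the poster's configuration and not Cisco's code): the 227 reply in the session above announces the server's data address and port, a PORT command announces the client's, and the inspection engine parses those lines to decide which data connection to permit. The client address in the sample is a made-up private one, and the server's control-channel address is assumed to be the one the 227 reply announces.

```python
# Sketch of what an FTP ALG (such as CBAC 'ip inspect ... ftp') pulls out of the control channel.
import re
from dataclasses import dataclass

# 227 reply (server -> client) and PORT command (client -> server) both carry
# h1,h2,h3,h4,p1,p2; the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

@dataclass(frozen=True)
class Pinhole:
    mode: str       # "passive" (client opens the data connection) or "active" (server does)
    initiator: str  # address that starts the data connection
    target: str     # address that must accept it
    port: int       # negotiated data port on the target

def _decode(fields):
    nums = [int(f) for f in fields]
    port = nums[4] * 256 + nums[5]
    if any(not 0 <= n <= 255 for n in nums) or port == 0:
        raise ValueError(f"bad h1-h4,p1,p2 fields: {fields}")
    return ".".join(map(str, nums[:4])), port

def pinhole_for(line: str, client_ip: str, server_ip: str):
    """Data-channel flow implied by one control-channel line, or None if it has none.
    Like a real ALG, refuse an announced address that is not the control-channel peer,
    so neither side can make the firewall open a hole towards a third host."""
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        if ip != server_ip:
            raise ValueError(f"PASV address {ip} is not the control-channel server {server_ip}")
        return Pinhole("passive", client_ip, ip, port)
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT address {ip} is not the control-channel client {client_ip}")
        # Behind PAT the client announces its private address here; a NAT ALG must also
        # rewrite it in the payload, or the server cannot connect back to it.
        return Pinhole("active", server_ip, ip, port)
    return None

# Constructed sample: the 227 reply quoted in the thread plus a PORT line a client might
# send (assumed client address is RFC 1918; server address taken from the 227 reply).
CLIENT, SERVER = "192.168.1.10", "15.193.112.141"
TRANSCRIPT = ["230 Guest login ok, access restrictions apply.",
              "227 Entering Passive Mode (15,193,112,141,160,114)", "PORT 192,168,1,10,4,1"]
FLOWS = [p for p in (pinhole_for(l, CLIENT, SERVER) for l in TRANSCRIPT) if p]
```

The passive entry resolves to 15.193.112.141 port 41074 (160*256+114), the flow the client must be allowed to open outbound; the active entry is the inbound flow to the client's port 1025 that plain PAT cannot deliver.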

4 Replies

sokakkar
Cisco Employee

Hi Paul,

To check if CBAC is dropping it. Enable logs on router:

Ip inspect log drop-pkt

logg buffered 7

logg enable

Try FTP and get 'show logg' from CLI and paste it here.

Also, please paste 'show run int xx', where xx is the hardware id for internal interface where client is connected.

Thanks.

-

Regards,

Sourav Kakkar

Thanks for the reply, but I have since learned that I should not need CBAC for passive FTP connections.  I have also learned that through Windows ftp.exe you cannot do passive FTP, even though the quote PASV seems to put it in that mode.  Evidently, it only tells the server to go passive, but Windows doesn't support PASV....interesting!

I did end up downloading an FTP client that does support PASV mode but am still unable to get it to work through my PAT router.  I think the key here is it's a PAT router and not a firewall/ASA.  I've tested PAT through a stateful firewall and it works fine....no issue at all.  Very interesting stuff here and it is frustrating the heck out of me as to why I can't get this to work!!!  Any help appreciated.

Thanks in advance!

Hi,

Based on the information which you provided earlier, the data connection from client to server is failing. That is the reason I requested the above outputs; these can help us understand the point of failure.

In addition, can you run wireshark on host and post the captures as well?

-

Regards,

Sourav Kakkar

I attached a capture from the client perspective.  Please let me know what you think, but from what I can tell I'm not getting a response from the server for some reason....I don't think this really indicates what the problem is.
