Re: FTP connection type

From: Narbik Kocharians (narbikk@gmail.com)
Date: Fri Jun 23 2006 - 01:06:48 ART


Zeng,

I think this conversation is on regular FTP and Passive FTP. Based on what
you are thinking, then what if the Active FTP was on the Inside network? If
Active FTP servers these days use different ports, then what port will you
be opening on the PIX or your RACL? It has to be a port number, right?
Whatever the port number, the concept is the same: the location of the server
and the client is very important.

Narbik Kocharians

CCIE# 12410 (R&S, SP, Security)

CCSI# 30832

Network Learning, Inc. (CCIE class Instructor)

www.ccbootcamp.com (CCIE Training)

On 6/22/06, Zeng, Xinhui <admin@ppmm.us> wrote:
>
> For the active part,
> servers nowadays seldom use port 20 in active mode to connect back to
> the client.
>
>
> For the passive part,
> the server side listens on a specific port (#cport); the client side
> initiates the control connection by connecting to server:#cport from a
> random high port (#highport). Auth/security negotiation takes place over
> the control connection.
>
> In case a data connection is required (ls, retr, put, ...), the server
> tells the client the data port (#dport) to connect to. Depending on your
> OS and client, at this time the client usually uses the next available
> high port (#highport+1) to connect to #dport, or simply uses a random high
> port. Theoretically the client can use whatever ports are available, but
> most of the time you don't want to use a port < 1024. Random port or not,
> +1 port or not, it doesn't really matter. The point is that the client
> has an available port to use to connect to the server.
>
> EXAMPLE: lftp passive mode to ftp.debian.org, data connection part.
> Note: port calculation: 196*256+35=50211. That's why NAT doesn't work
> well with FTP; the router will have to examine L7 and extract this port
> information. Normally a client behind a NAT router can only connect to a
> passive mode FTP server.
>
> ---> CWD /debian-archive/pool/main
> <--- 250 Directory successfully changed.
> ---> PASV
> <--- 227 Entering Passive Mode (128,101,240,212,196,35)
> ---- Connecting data socket to (128.101.240.212) port 50211
> ---- Data connection established
> (omitted)
> copy: put confirmed store
> copy: get is finished - all done
> ---- Closing idle connection
>
> TCPDUMP: look at the port 50211
> 22:09:25.138660 IP a.b.c.d.38574 > debian-mirror.mirror.umn.edu.50211: S 3960079763:3960079763(0) win 5840 <mss 1460,sackOK,timestamp 3766684 0,nop,wscale 6>
>
>
>
> On 6/22/06, Narbik Kocharians <narbikk@gmail.com> wrote:
> > It depends where the server is located. But remember the following
> > before making a decision:
> >
> > Active FTP:
> >
> > Client starts the FTP connection using a high port as its source, let's
> > say 2000, and connects to the server's port 21. When the client needs to
> > get data from the FTP server, it tells the server to use port 2001 (based
> > on the RFC, 2000 + 1) and *the server initiates a connection* using port
> > 20 as its source to the client's port 2001.
> >
> > Passive FTP:
> >
> > Client starts the connection using a high port as its source, let's say
> > 2000, and connects to the server's port 21. When the client needs to get
> > data from the FTP server, the FTP server tells the client the high port
> > that the client should use for the data transfer, the client adds one to
> > its existing high port (based on the RFC, 2000 + 1) and *the client
> > initiates a connection* to the server's port 20.
> >
> > Now if you go through the steps you will see that the location of the
> > client and server is very important.
> >
> > Let's say you have configured RACL and Active (Regular) FTP:
> >
> > Client is on the Inside and the server is on the Outside network:
> >
> > Remember with RACL, all inbound connections are denied, therefore when
> > the client initiates the connection, the return traffic for the first
> > connection is allowed and this is from the client's port 2000 to the
> > server's port 21. But when the server wants to initiate the second
> > connection to the client's port 2001 using its port 20, the traffic is
> > denied, because the RACL that's configured on the router will deny new
> > connections from the Outside networks to Inside networks.
> >
> > If the location of the client and the server is reversed (Client is on
> > the Outside and the server is on the Inside), the client won't be able to
> > initiate the call to the server's port 21.
> >
> > Let's say you have configured RACL and Passive FTP:
> >
> > Client is on the Inside and the server is on the Outside network:
> >
> > Since the client initiates both connections, you won't have any
> > problems, because for every connection that the client initiates from
> > the Inside network to the Outside network, RACL will create the return
> > traffic.
> >
> > But if the roles are reversed, meaning that the client is on the Outside
> > and the server is on the Inside, the client's call to port 21 will be
> > denied.
> >
> > I hope I have not confused you guys.
> >
> >
> >
> >
> >
> >
> >
> > Narbik Kocharians
> >
> > CCIE# 12410 (R&S, SP, Security)
> >
> > CCSI# 30832
> >
> > Network Learning, Inc. (CCIE class Instructor)
> >
> > www.ccbootcamp.com (CCIE Training)
> >
> >
> > On 6/22/06, Petr Lapukhov <petr@internetworkexpert.com> wrote:
> > >
> > > Reflexive ACLs work nicely with passive FTP, but they are not of much
> > > help with active mode.
> > >
> > > The best thing to track active mode connections is CBAC feature :)
> > >
> > > --
> > > Petr Lapukhov, CCIE #16379
> > > petr@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Outside US: 775-826-4344
> > >
> > > 2006/6/22, Navin MS <navin_ms07@yahoo.com>:
> > > >
> > > > Group,
> > > >
> > > > Is it possible that we can use a reflexive ACL for this ?
> > > >
> > > > IMO, the inbound and outbound traffic are just the mirror of each
> > > > other. So just "reflect" in the outbound ACL and do an "evaluate" in
> > > > the inbound?
> > > >
> > > > Does that simplify this task ?
> > > >
> > > > Thanks,
> > > > Naveen.
> > > >
> > > >
> > > >
> > > > --- Chris Lewis <chrlewiscsco@gmail.com> wrote:
> > > >
> > > > > Ignore my comment on this, I need to clean my glasses so I can
> > > > > read the diagram properly.
> > > > >
> > > > > Chris
> > > > >
> > > > >
> > > > > On 6/22/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com>
> > > wrote:
> > > > > >
> > > > > > Chris,
> > > > > >
> > > > > > Sorry, but can you explain to me how exactly port 20 is used in
> > > > > > the PASSIVE mode of FTP. Maybe I don't understand something?
> > > > > >
> > > > > >
> > > > > > According to the access lists matching both types of FTP it
> > > > > > should be something like this:
> > > > > >
> > > > > > Active
> > > > > >
> > > > > > access-list 101 permit tcp host mypc host SRV eq 21
> > > > > > access-list 101 permit tcp host mypc host SRV eq 20
> > > > > >
> > > > > > access-list 102 permit tcp host SRV eq 21 host mypc
> > > > > > access-list 102 permit tcp host SRV eq 20 host mypc
> > > > > >
> > > > > >
> > > > > > Passive
> > > > > >
> > > > > > access-list 101 permit tcp host mypc host SRV eq 21
> > > > > > access-list 101 permit tcp host mypc host SRV gt 1023
> > > > > >
> > > > > > access-list 102 permit tcp host SRV eq 21 host mypc
> > > > > > access-list 102 permit tcp host SRV gt 1023 host mypc
> > > > > >
> > > > > >
> > > > > >
> > > > > > Best,
> > > > > > Nick
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Chris Lewis [mailto: chrlewiscsco@gmail.com]
> > > > > > Sent: Thursday, June 22, 2006 4:00 AM
> > > > > > To: Plank, Jason
> > > > > > Cc: Ken; Cisco certification
> > > > > > Subject: Re: FTP connection type
> > > > > >
> > > > > > Well, both passive and active use ports 20 and 21.
> > > > > >
> > > > > > http://www.cisco.com/web/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html
> > > > > >
> > > > > > Provides a full description.
> > > > > >
> > > > > > Chris
> > > > > >
> > > > > >
> > > > > > On 6/21/06, Plank, Jason <JPlank@concordefs.com> wrote:
> > > > > > >
> > > > > > > It means ACTIVE FTP, which uses TCP ports 20/21.
> > > > > > >
> > > > > > > -------------------
> > > > > > > J. Marshall Plank
> > > > > > > Network Engineer
> > > > > > > 101 Bellevue Parkway
> > > > > > > Wilmington, DE 19809
> > > > > > > E-mail: JPlank@concordefs.com
> > > > > > > Phone: 302-793-5913
> > > > > > >
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > > Behalf Of Ken
> > > > > > > Sent: Wednesday, June 21, 2006 6:11 PM
> > > > > > > To: Cisco certification
> > > > > > > Subject: FTP connection type
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > When there is a statement, "suppose that this FTP server does
> > > > > > > not support PASV FTP connection", what kind of difference does
> > > > > > > it make in the ACL configuration?
> > > > > > >
> > > > > > > I am referring to the QoS question 8.3 in Lab 2 of the IE
> > > > > > > workbook.
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________________________________
> > > > > > > Subscription information may be found at:
> > > > > > > http://www.groupstudy.com/list/CCIELab.html
> > > > > > >
> > > > > > >
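Added example for this thread, not code from any of the posters: a small Python script that decodes the two control-channel messages that set up an FTP data connection, the client's PORT command and the server's 227 PASV reply, using the same port calculation Zeng shows (p1*256 + p2). It then reports which side initiates the data connection and applies the reflexive-ACL rule Narbik describes (a new connection passes only if its initiator is on the Inside). It also refuses an advertised address that is not the control-channel peer, which is the address check a stateful FTP inspector makes before opening a hole. The 227 line and the server address 128.101.240.212 come from the lftp trace above; the client address 192.0.2.10, the PORT line and all function names are assumptions made for this example.

```python
"""Decode the FTP control-channel messages that set up a data connection
(the PORT command and the 227 PASV reply) and report which side opens it.

Added example for this thread; it is not code from any of the posters.
The client address, the PORT line and the helper names are constructed; the
227 line and server address are taken from the lftp trace in the thread.
"""
import re

# Both PORT and the 227 reply carry "h1,h2,h3,h4,p1,p2": four address octets
# and a 16-bit port split into its high and low bytes.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from text containing h1,h2,h3,h4,p1,p2; port = p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in %r" % text)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def data_connection(line, client_ip, server_ip):
    """Classify one control-channel line.

    client_ip / server_ip are the two ends of the control connection. Returns
    a dict describing the data connection the line sets up, or None for lines
    that set up none. Raises ValueError when the advertised address is not the
    control-channel peer: a client should not accept a 227 pointing elsewhere,
    and a server should not honour a PORT pointing at a third host.
    """
    s = line.strip()
    if s.upper().startswith("PORT "):
        ip, port = decode_hostport(s[5:])
        if ip != client_ip:
            raise ValueError("PORT address %s is not the client %s" % (ip, client_ip))
        # Active mode: the server connects out to the client's advertised port.
        # RFC 959 names port 20 as the server's source; many real servers use
        # an ephemeral source port instead, so a filter should not rely on it.
        return {"mode": "active", "initiator": "server", "target": (ip, port)}
    if s.startswith("227"):
        ip, port = decode_hostport(s)
        if ip != server_ip:
            raise ValueError("PASV address %s is not the server %s" % (ip, server_ip))
        # Passive mode: the client connects out to the server's advertised port.
        return {"mode": "passive", "initiator": "client", "target": (ip, port)}
    return None


def data_connections(transcript, client_ip, server_ip):
    """Walk a control-channel transcript and collect every data connection it sets up."""
    found = []
    for line in transcript:
        conn = data_connection(line, client_ip, server_ip)
        if conn is not None:
            found.append(conn)
    return found


def reflexive_acl_allows(conn, client_ip, server_ip, inside):
    """Model the reflexive-ACL rule from the thread: a new TCP connection is
    permitted only if the host that initiates it is on the Inside; the return
    traffic for that connection is then reflected automatically."""
    initiator_ip = client_ip if conn["initiator"] == "client" else server_ip
    return initiator_ip in inside


# Constructed sample: a client on the Inside talking to the thread's Debian mirror.
CLIENT = "192.0.2.10"        # constructed client address (documentation range)
SERVER = "128.101.240.212"   # server address from the 227 line in the thread
TRANSCRIPT = [
    "CWD /debian-archive/pool/main",
    "250 Directory successfully changed.",
    "PASV",
    "227 Entering Passive Mode (128,101,240,212,196,35)",  # from the thread: 196*256+35 = 50211
    "PORT 192,0,2,10,7,209",                               # constructed: 7*256+209 = 2001
]

if __name__ == "__main__":
    for conn in data_connections(TRANSCRIPT, CLIENT, SERVER):
        ok = reflexive_acl_allows(conn, CLIENT, SERVER, inside={CLIENT})
        print("%-7s %s connects to %s:%d   reflexive ACL with client Inside: %s"
              % (conn["mode"], conn["initiator"], conn["target"][0],
                 conn["target"][1], "permit" if ok else "deny"))
```

Run as-is it prints one line per data connection: the passive one (client to 128.101.240.212:50211) is permitted with the client Inside, the active one (server to 192.0.2.10:2001) is denied, which is exactly the asymmetry the thread is about. Swapping `inside={CLIENT}` for `inside={SERVER}` reverses both verdicts.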



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART