Has anyone been able to apply a CBAC config that will allow PASSIVE FTP
through? I've pasted my config below, active FTP works fine but passive
fails to transfer. Any help is much appreciated.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
interface GigabitEthernet0/1
 mtu 1492
 ip address 1xx.1xx.9x.1xx 255.255.255.252
 ip access-group IN in
 ip access-group OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect FW out
 ntp disable
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.248
 no ip redirects
 no ip unreachables
 ip nat inside
!
ip access-list extended OUT
 permit esp host 1xx.1xx.9x.1xx any
 permit tcp host 1xx.1xx.9x.1xx any eq ftp
 permit tcp host 1xx.1xx.9x.1xx any eq ftp-data
 permit tcp host 1xx.1xx.9x.1xx any eq www
 permit tcp host 1xx.1xx.9x.1xx any eq 443
 permit tcp host 1xx.1xx.9x.1xx any eq 22
 permit udp host 1xx.1xx.9x.1xx any eq domain
 permit udp host 1xx.1xx.9x.1xx any eq isakmp
 permit udp host 1xx.1xx.9x.1xx any eq non500-isakmp
 permit icmp host 1xx.1xx.9x.1xx any echo
 permit icmp host 1xx.1xx.9x.1xx any echo-reply
 permit icmp host 1xx.1xx.9x.1xx any time-exceeded
 permit icmp host 1xx.1xx.9x.1xx any unreachable
 permit icmp host 1xx.1xx.9x.1xx any ttl-exceeded
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log
!
ip access-list extended IN
 permit tcp any host 1xx.1xx.9x.1xx eq 22 log
 permit esp any host 1xx.1xx.9x.1xx
 permit gre any host 1xx.1xx.9x.1xx
 permit tcp any eq ftp-data host 1xx.1xx.9x.1xx log-input
 permit udp any host 1xx.1xx.9x.1xx eq non500-isakmp
 permit udp any host 1xx.1xx.9x.1xx eq isakmp
 permit icmp any host 1xx.1xx.9x.1xx echo
 permit icmp any host 1xx.1xx.9x.1xx echo-reply
 permit icmp any host 1xx.1xx.9x.1xx time-exceeded
 permit icmp any host 1xx.1xx.9x.1xx unreachable
 permit icmp any host 1xx.1xx.9x.1xx ttl-exceeded
 deny ip any any log
Thanks,
Don
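Editor's added example, not part of Don's post or any Cisco code. The point it makes: in active FTP the data channel is opened by the server towards the client (source port ftp-data, inbound on the outside interface), so the OUT ACL never sees a new connection and the IN ACL's ftp-data line or CBAC's dynamic opening lets it in. In passive FTP the client opens the data channel outbound to an ephemeral server port above 1023, and an interface ACL applied outbound is evaluated on that SYN before inspection; an OUT ACL that only permits a fixed list of destination ports therefore drops it. The script below is a small evaluator for the IOS extended ACL syntax used in the post, runs abridged copies of the OUT and IN ACLs against the three FTP flows, and shows the usual adjustment (an outbound `gt 1023` entry, with the IN ACL left as it is so CBAC still controls what comes back). Assumptions: 203.0.113.2 (RFC 5737 documentation space) stands in for the redacted 1xx.1xx.9x.1xx, 198.51.100.7 and all port numbers are constructed, wildcards are contiguous, and only the `any`/`host`/wildcard, `eq`/`gt`, ICMP-type and `log` forms that appear in the post are parsed.

```python
"""Tiny evaluator for Cisco IOS extended ACLs: which ACE does a flow hit?
Added illustration, not code from the post. 203.0.113.2 (RFC 5737 space)
stands in for the redacted router address; server and ports are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords as IOS shows them in the posted ACLs
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "domain": 53,
              "isakmp": 500, "non500-isakmp": 4500}
ROUTER = "203.0.113.2"   # placeholder for the redacted 1xx.1xx.9x.1xx
SERVER = "198.51.100.7"  # constructed FTP server address


@dataclass
class Flow:
    proto: str                       # tcp / udp / icmp / esp / gre
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))   # contiguous wildcard assumed
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _port(tokens, i):
    """Parse an optional 'eq|gt PORT' operator; return (predicate, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt"):
        op, val = tokens[i], tokens[i + 1]
        n = PORT_NAMES[val] if val in PORT_NAMES else int(val)
        return (lambda p: p == n) if op == "eq" else (lambda p: p > n), i + 2
    return (lambda p: True), i


def ace_matches(ace, flow):
    """Match one 'permit|deny PROTO SRC [op] DST [op] [icmp-type] [log]' line."""
    t = ace.split()
    proto = t[1]
    if proto != "ip" and proto != flow.proto:
        return False
    src, i = _addr(t, 2)
    sport_ok, i = _port(t, i)
    dst, i = _addr(t, i)
    dport_ok, i = _port(t, i)
    rest = [x for x in t[i:] if x not in ("log", "log-input")]
    if proto == "icmp" and rest and rest[0] != flow.icmp_type:
        return False
    return (ipaddress.ip_address(flow.src) in src and ipaddress.ip_address(flow.dst) in dst
            and sport_ok(flow.sport or 0) and dport_ok(flow.dport or 0))


def evaluate(acl, flow):
    """Return the first matching ACE, or the implicit deny every IOS ACL ends with."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace
    return "implicit deny ip any any"


# Abridged copies of the posted OUT and IN ACLs; after NAT, outbound packets
# carry the router's public address as source.
OUT_ACL = [a.format(r=ROUTER) for a in [
    "permit tcp host {r} any eq ftp",
    "permit tcp host {r} any eq ftp-data",
    "permit icmp host {r} any echo",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip any any log",
]]
IN_ACL = [a.format(r=ROUTER) for a in [
    "permit tcp any eq ftp-data host {r} log-input",
    "permit icmp any host {r} echo-reply",
    "deny ip any any log",
]]
# The OUT ACL with the entry commonly added so client-initiated (passive) data
# channels to an ephemeral server port can leave; the IN ACL stays as it is and
# CBAC opens only the return traffic of sessions it has inspected.
OUT_ACL_PASV = OUT_ACL[:-1] + [f"permit tcp host {ROUTER} any gt 1023", OUT_ACL[-1]]


def ftp_checks():
    """Run FTP control/data flows through the ACLs; report the ACE each one hits."""
    control = Flow("tcp", ROUTER, SERVER, 40001, 21)          # outbound control channel
    active_data = Flow("tcp", SERVER, ROUTER, 20, 40002)      # inbound, server-initiated
    passive_data = Flow("tcp", ROUTER, SERVER, 40003, 49152)  # outbound, client-initiated
    leak = Flow("tcp", "10.10.10.5", SERVER, 40004, 21)       # un-NATed RFC 1918 source
    return {
        "control": evaluate(OUT_ACL, control),
        "active_data": evaluate(IN_ACL, active_data),
        "passive_data": evaluate(OUT_ACL, passive_data),
        "passive_data_gt1023": evaluate(OUT_ACL_PASV, passive_data),
        "rfc1918_leak": evaluate(OUT_ACL, leak),
    }
```

Running `ftp_checks()` shows the control channel and the active data channel landing on permit lines, the passive data channel landing on `deny ip any any log` of the OUT ACL, and the same flow permitted once the `gt 1023` entry is present. The `deny ip any any log` hit is also what to look for in the router's log when a passive transfer stalls: the logged packet is an outbound SYN from the NAT address to a high port on the FTP server. The `rfc1918_leak` case shows the anti-leak deny lines in the OUT ACL doing their job for a packet that escaped NAT.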
Blogs and organic groups at http://www.ccie.net
Received on Thu Nov 05 2009 - 15:09:57 ART