Hi Don,
A _very_ quick pass over your config has me suspicious of your 'OUT'
ACL. Does passive-mode FTP work when you take "ip access-group OUT
out" off Gi0/1?
I don't see an ACE that permits the client >1023 to server >1023 data
channel connection.
There are probably a number of ways to make it work, while maintaining
the intention of the 'OUT' ACL, but let's take it one step at a time.
cheers,
Dale
On Fri, Nov 6, 2009 at 7:09 AM, Donald Virgil <d.virgil88_at_gmail.com> wrote:
> Has anyone been able to apply a CBAC config that will allow PASSIVE FTP
> through? I've pasted my config below, active FTP works fine but passive
> fails to transfer. Any help is much appreciated.
>
> ip inspect name FW tcp
> ip inspect name FW udp
> ip inspect name FW icmp
> ip inspect name FW ftp
>
> interface GigabitEthernet0/1
> mtu 1492
> ip address 1xx.1xx.9x.1xx 255.255.255.252
> ip access-group IN in
> ip access-group OUT out
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> ip inspect FW out
> ntp disable
> no cdp enable
> no mop enabled
>
> interface GigabitEthernet0/0
> ip address 10.10.10.2 255.255.255.248
> no ip redirects
> no ip unreachables
> ip nat inside
>
> ip access-list extended OUT
> permit esp host 1xx.1xx.9x.1xx any
> permit tcp host 1xx.1xx.9x.1xx any eq ftp
> permit tcp host 1xx.1xx.9x.1xx any eq ftp-data
> permit tcp host 1xx.1xx.9x.1xx any eq www
> permit tcp host 1xx.1xx.9x.1xx any eq 443
> permit tcp host 1xx.1xx.9x.1xx any eq 22
> permit udp host 1xx.1xx.9x.1xx any eq domain
> permit udp host 1xx.1xx.9x.1xx any eq isakmp
> permit udp host 1xx.1xx.9x.1xx any eq non500-isakmp
> permit icmp host 1xx.1xx.9x.1xx any echo
> permit icmp host 1xx.1xx.9x.1xx any echo-reply
> permit icmp host 1xx.1xx.9x.1xx any time-exceeded
> permit icmp host 1xx.1xx.9x.1xx any unreachable
> permit icmp host 1xx.1xx.9x.1xx any ttl-exceeded
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> deny ip host 255.255.255.255 any
> deny ip host 0.0.0.0 any
> deny ip any any log
>
> ip access-list extended IN
> permit tcp any host 1xx.1xx.9x.1xx eq 22 log
> permit esp any host 1xx.1xx.9x.1xx
> permit gre any host 1xx.1xx.9x.1xx
> permit tcp any eq ftp-data host 1xx.1xx.9x.1xx log-input
> permit udp any host 1xx.1xx.9x.1xx eq non500-isakmp
> permit udp any host 1xx.1xx.9x.1xx eq isakmp
> permit icmp any host 1xx.1xx.9x.1xx echo
> permit icmp any host 1xx.1xx.9x.1xx echo-reply
> permit icmp any host 1xx.1xx.9x.1xx time-exceeded
> permit icmp any host 1xx.1xx.9x.1xx unreachable
> permit icmp any host 1xx.1xx.9x.1xx ttl-exceeded
> deny ip any any log
>
> Thanks,
> Don
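To make Dale's point concrete, here is an added example (my own, not code from either poster) that simulates first-match evaluation of the TCP lines of Don's OUT and IN lists against the three FTP flows: the control channel, the active-mode data connection, and the passive-mode data connection. The router address is the documentation placeholder 198.51.100.1 because the post masks the real one, 203.0.113.10 is a hypothetical FTP server, and the parser handles only the `any` / `host` address forms used by those TCP lines.

```python
import ipaddress

# Constructed example: 198.51.100.1 stands in for the masked router address in
# the post and 203.0.113.10 for a hypothetical FTP server on the Internet.
EDGE, SERVER = "198.51.100.1", "203.0.113.10"
NAMED_PORTS = {"ftp": 21, "ftp-data": 20, "www": 80, "domain": 53}
# The TCP lines and the catch-all from the OUT and IN lists quoted in the post.
OUT_ACL = [f"permit tcp host {EDGE} any eq ftp",
           f"permit tcp host {EDGE} any eq ftp-data",
           f"permit tcp host {EDGE} any eq www",
           f"permit tcp host {EDGE} any eq 443",
           "deny ip any any log"]
IN_ACL = [f"permit tcp any eq ftp-data host {EDGE} log-input",
          "deny ip any any log"]

def _addr(tok):
    """Consume an IOS address spec (any | host A) into an ip_network."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok.pop(0) + "/32")      # t == "host"

def _port(tok):
    """Consume an optional eq/gt port operator; absent means any port."""
    if tok and tok[0] in ("eq", "gt"):
        op, p = tok.pop(0), tok.pop(0)
        p = NAMED_PORTS.get(p) or int(p)
        return (lambda x: x == p) if op == "eq" else (lambda x: x > p)
    return lambda x: True

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match ACL lookup: (action, ACE line), or ('deny', None) for the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        tok = line.split()
        action, ace_proto, rest = tok[0], tok[1], tok[2:]
        src_net, sport_ok = _addr(rest), _port(rest)   # trailing 'log' keywords are ignored
        dst_net, dport_ok = _addr(rest), _port(rest)
        if ace_proto not in ("ip", proto) or src not in src_net or dst not in dst_net:
            continue
        if ace_proto != "ip" and not (sport_ok(sport) and dport_ok(dport)):
            continue
        return action, line
    return "deny", None

if __name__ == "__main__":
    # Control channel (OUT) and active-mode data (IN, server:20 -> client) are permitted;
    # the passive data channel (client >1023 -> server >1023) falls to 'deny ip any any log'.
    print(evaluate(OUT_ACL, "tcp", EDGE, 40000, SERVER, 21))
    print(evaluate(IN_ACL, "tcp", SERVER, 20, EDGE, 40001))
    print(evaluate(OUT_ACL, "tcp", EDGE, 40002, SERVER, 50000))
```

The third lookup is the one Dale is pointing at: with `ip access-group OUT out` on Gi0/1, the client-initiated passive data connection never reaches a permit ACE, so the `deny ip any any log` entry should show the hit in the router log.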
Blogs and organic groups at http://www.ccie.net
Received on Fri Nov 06 2009 - 07:19:52 ART