Re: CBAC with Passive FTP

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Thu, 5 Nov 2009 21:21:41 +0100

Hi Don,

Passive FTP initiates both connections (CMD and DATA) from the client. So
the CMD is going by default to port tcp/21 and the DATA port is sent by the
server to the client and then the client connects to that port. As you can
see in your OUT ACL there is no connection allowed to that DATA port (which
is usually some high port). Only ftp (tcp/21) and ftp-data (tcp/20) are
allowed.
So first try to disable the outbound ACL and see what happens. If it works,
you'll need to add some ACE to allow that traffic to go out.

HTH,

--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2009/11/5 Donald Virgil <d.virgil88_at_gmail.com>
> Has anyone been able to apply a CBAC config that will allow PASSIVE FTP
> through?  I've pasted my config below, active FTP works fine but passive
> fails to transfer.  Any help is much appreciated.
>
> ip inspect name FW tcp
> ip inspect name FW udp
> ip inspect name FW icmp
> ip inspect name FW ftp
>
> interface GigabitEthernet0/1
>  mtu 1492
>  ip address 1xx.1xx.9x.1xx 255.255.255.252
>  ip access-group IN in
>  ip access-group OUT out
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat outside
>  ip inspect FW out
>  ntp disable
>  no cdp enable
>  no mop enabled
>
>
> interface GigabitEthernet0/0
>  ip address 10.10.10.2 255.255.255.248
>  no ip redirects
>  no ip unreachables
>  ip nat inside
>
> ip access-list extended OUT
>  permit esp host 1xx.1xx.9x.1xx any
>  permit tcp host 1xx.1xx.9x.1xx any eq ftp
>  permit tcp host 1xx.1xx.9x.1xx any eq ftp-data
>  permit tcp host 1xx.1xx.9x.1xx any eq www
>  permit tcp host 1xx.1xx.9x.1xx any eq 443
>  permit tcp host 1xx.1xx.9x.1xx any eq 22
>  permit udp host 1xx.1xx.9x.1xx any eq domain
>  permit udp host 1xx.1xx.9x.1xx any eq isakmp
>  permit udp host 1xx.1xx.9x.1xx any eq non500-isakmp
>  permit icmp host 1xx.1xx.9x.1xx any echo
>  permit icmp host 1xx.1xx.9x.1xx any echo-reply
>  permit icmp host 1xx.1xx.9x.1xx any time-exceeded
>  permit icmp host 1xx.1xx.9x.1xx any unreachable
>  permit icmp host 1xx.1xx.9x.1xx any ttl-exceeded
>  deny   ip 127.0.0.0 0.255.255.255 any
>  deny   ip 10.0.0.0 0.255.255.255 any
>  deny   ip 172.16.0.0 0.15.255.255 any
>  deny   ip 192.168.0.0 0.0.255.255 any
>  deny   ip host 255.255.255.255 any
>  deny   ip host 0.0.0.0 any
>  deny   ip any any log
>
>
> ip access-list extended IN
>  permit tcp any host 1xx.1xx.9x.1xx eq 22 log
>  permit esp any host 1xx.1xx.9x.1xx
>  permit gre any host 1xx.1xx.9x.1xx
>  permit tcp any eq ftp-data host 1xx.1xx.9x.1xx log-input
>  permit udp any host 1xx.1xx.9x.1xx eq non500-isakmp
>  permit udp any host 1xx.1xx.9x.1xx eq isakmp
>  permit icmp any host 1xx.1xx.9x.1xx echo
>  permit icmp any host 1xx.1xx.9x.1xx echo-reply
>  permit icmp any host 1xx.1xx.9x.1xx time-exceeded
>  permit icmp any host 1xx.1xx.9x.1xx unreachable
>  permit icmp any host 1xx.1xx.9x.1xx ttl-exceeded
>  deny   ip any any log
>
>
>
> Thanks,
> Don
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Thu Nov 05 2009 - 21:21:41 ART
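As an added illustration (not part of the thread, and not IOS code), the following Python models the point Piotr makes: it decodes the high port from a server's 227 PASV reply and runs each client-initiated connection through a first-match evaluation of a constructed subset of Don's OUT ACL, with the masked router address replaced by the placeholder 203.0.113.2. The extra `gt 1023` ACE in `OUT_ACL_FIXED` is one hypothetical way to let the data connection out; the ACL syntax supported here is only the subset needed for this demonstration.

```python
import re
from typing import Optional, Tuple

# Constructed subset of the thread's OUT ACL; 203.0.113.2 is a placeholder
# for the masked outside address. Inside-to-outside traffic is NATed before
# the outbound ACL, so OUT sees the router's outside address as the source.
OUT_ACL = """
permit tcp host 203.0.113.2 any eq ftp
permit tcp host 203.0.113.2 any eq ftp-data
permit tcp host 203.0.113.2 any eq www
permit tcp host 203.0.113.2 any eq 443
deny   ip any any log
"""
# Hypothetical fix: one extra ACE for the server-chosen high data port.
OUT_ACL_FIXED = OUT_ACL.replace("deny", "permit tcp host 203.0.113.2 any gt 1023\ndeny")

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "domain": 53}
ACE_RE = re.compile(r"^(permit|deny)\s+(\w+)\s+(host \S+|any)\s+(host \S+|any)(?:\s+(eq|gt)\s+(\S+))?")

# Each ACE becomes (action, proto, src, port_test) with port_test = (op, port) or None.
def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        action, proto, src, _dst, op, port = m.groups()
        port_test: Optional[Tuple[str, int]] = None
        if op is not None:
            port_test = (op, PORT_NAMES.get(port) or int(port))
        aces.append((action, proto, src, port_test))
    return aces

def acl_permits(aces, proto: str, src_ip: str, dst_port: int) -> bool:
    """First-match evaluation like an IOS extended ACL; implicit deny at the end."""
    for action, ace_proto, src, port_test in aces:
        if ace_proto not in ("ip", proto) or src not in ("any", f"host {src_ip}"):
            continue
        if port_test is not None:
            op, p = port_test
            if (op == "eq" and dst_port != p) or (op == "gt" and dst_port <= p):
                continue
        return action == "permit"
    return False

def pasv_data_port(reply: str) -> int:
    """Decode the data port announced in a 227 reply: (h1,h2,h3,h4,p1,p2) -> p1*256+p2."""
    nums = [int(x) for x in re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply).groups()]
    return nums[4] * 256 + nums[5]

def passive_ftp_verdicts(acl_text: str, outside_ip: str, pasv_reply: str) -> dict:
    """Does the outbound ACL let each client-initiated passive FTP connection through?"""
    aces = parse_acl(acl_text)
    return {"control": acl_permits(aces, "tcp", outside_ip, 21),
            "data": acl_permits(aces, "tcp", outside_ip, pasv_data_port(pasv_reply))}
```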

This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART