Hey, it works if I remove the OUT ACL or put in an allow for TCP GT 1023, but
that defeats the purpose of the OUT ACL.
I want to limit what can be accessed from the "inside" using the OUT ACL.
If I permit GT 1023, wouldn't that leave the connection open to P2P apps and
other malware?
Don
On Thu, Nov 5, 2009 at 3:21 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
> Hi Don,
>
> Passive FTP initiates both connections (CMD and DATA) from the client. So
> the CMD is going by default to port tcp/21 and DATA port is sent by the
> server to the client and then the client connects to that port. As you can
> see in your OUT ACL there is no connection allowed to that DATA port (which
> is usually some high port). Only ftp (tcp/21) and ftp-data (tcp/20) are
> allowed.
> So first try to disable the outbound ACL and see what happens. If it works,
> you'll need to add some ACEs to allow that traffic to go out.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
> Technical Instructor
> MicronicsTraining.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2009/11/5 Donald Virgil <d.virgil88_at_gmail.com>
>
>> Has anyone been able to apply a CBAC config that will allow PASSIVE FTP
>> through? I've pasted my config below; active FTP works fine but passive
>> fails to transfer. Any help is much appreciated.
>>
>> ip inspect name FW tcp
>> ip inspect name FW udp
>> ip inspect name FW icmp
>> ip inspect name FW ftp
>>
>> interface GigabitEthernet0/1
>> mtu 1492
>> ip address 1xx.1xx.9x.1xx 255.255.255.252
>> ip access-group IN in
>> ip access-group OUT out
>> no ip redirects
>> no ip unreachables
>> no ip proxy-arp
>> ip nat outside
>> ip inspect FW out
>> ntp disable
>> no cdp enable
>> no mop enabled
>>
>>
>> interface GigabitEthernet0/0
>> ip address 10.10.10.2 255.255.255.248
>> no ip redirects
>> no ip unreachables
>> ip nat inside
>>
>> ip access-list extended OUT
>> permit esp host 1xx.1xx.9x.1xx any
>> permit tcp host 1xx.1xx.9x.1xx any eq ftp
>> permit tcp host 1xx.1xx.9x.1xx any eq ftp-data
>> permit tcp host 1xx.1xx.9x.1xx any eq www
>> permit tcp host 1xx.1xx.9x.1xx any eq 443
>> permit tcp host 1xx.1xx.9x.1xx any eq 22
>> permit udp host 1xx.1xx.9x.1xx any eq domain
>> permit udp host 1xx.1xx.9x.1xx any eq isakmp
>> permit udp host 1xx.1xx.9x.1xx any eq non500-isakmp
>> permit icmp host 1xx.1xx.9x.1xx any echo
>> permit icmp host 1xx.1xx.9x.1xx any echo-reply
>> permit icmp host 1xx.1xx.9x.1xx any time-exceeded
>> permit icmp host 1xx.1xx.9x.1xx any unreachable
>> permit icmp host 1xx.1xx.9x.1xx any ttl-exceeded
>> deny ip 127.0.0.0 0.255.255.255 any
>> deny ip 10.0.0.0 0.255.255.255 any
>> deny ip 172.16.0.0 0.15.255.255 any
>> deny ip 192.168.0.0 0.0.255.255 any
>> deny ip host 255.255.255.255 any
>> deny ip host 0.0.0.0 any
>> deny ip any any log
>>
>>
>> ip access-list extended IN
>> permit tcp any host 1xx.1xx.9x.1xx eq 22 log
>> permit esp any host 1xx.1xx.9x.1xx
>> permit gre any host 1xx.1xx.9x.1xx
>> permit tcp any eq ftp-data host 1xx.1xx.9x.1xx log-input
>> permit udp any host 1xx.1xx.9x.1xx eq non500-isakmp
>> permit udp any host 1xx.1xx.9x.1xx eq isakmp
>> permit icmp any host 1xx.1xx.9x.1xx echo
>> permit icmp any host 1xx.1xx.9x.1xx echo-reply
>> permit icmp any host 1xx.1xx.9x.1xx time-exceeded
>> permit icmp any host 1xx.1xx.9x.1xx unreachable
>> permit icmp any host 1xx.1xx.9x.1xx ttl-exceeded
>> deny ip any any log
>>
>>
>>
>> Thanks,
>> Don
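Added example (Python; not from the thread and not IOS code): a small model of why the posted OUT list drops the passive data channel, what the "permit tcp ... gt 1023" workaround opens up, and how FTP-aware stateful inspection, the kind of control-channel tracking an FTP application inspector performs, can admit only the server address and port announced in the 227 reply while still denying an unrelated high-port connection. The addresses, the PASV reply and the port 6881 peer are constructed for the example; the ACL is the thread's OUT list reduced to its TCP entries.

```python
# Added model, not IOS code: static ACL vs. blanket high-port ACE vs. FTP-aware inspection.
import re
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges); CLIENT stands in for the
# router's outside address, which the thread masks as 1xx.1xx.9x.1xx.
CLIENT = "198.51.100.10"
FTP_SERVER = "203.0.113.5"
UNRELATED = "203.0.113.77"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str             # host address or "any"
    dst: str
    op: str = "any"      # port operator: "any", "eq" or "gt"
    port: int = 0

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.src != "any" and self.src != f.src:
            return False
        if self.dst != "any" and self.dst != f.dst:
            return False
        if self.op == "eq":
            return f.dport == self.port
        if self.op == "gt":
            return f.dport > self.port
        return True


class Acl:
    def __init__(self, aces):
        self.aces = list(aces)

    def evaluate(self, f: Flow) -> str:
        # First matching entry wins; implicit deny if nothing matches.
        for ace in self.aces:
            if ace.matches(f):
                return ace.action
        return "deny"


# The thread's OUT list, reduced to its TCP entries.
STATIC_OUT = Acl([
    Ace("permit", "tcp", CLIENT, "any", "eq", 21),    # ftp
    Ace("permit", "tcp", CLIENT, "any", "eq", 20),    # ftp-data
    Ace("permit", "tcp", CLIENT, "any", "eq", 80),    # www
    Ace("permit", "tcp", CLIENT, "any", "eq", 443),
    Ace("permit", "tcp", CLIENT, "any", "eq", 22),
    Ace("deny", "ip", "any", "any"),
])

# The workaround mentioned in the thread: an extra "permit tcp host <client> any gt 1023".
BLANKET_OUT = Acl(STATIC_OUT.aces[:-1]
                  + [Ace("permit", "tcp", CLIENT, "any", "gt", 1023),
                     Ace("deny", "ip", "any", "any")])

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class FtpInspector:
    """Conceptual stateful inspector: watches the control channel and opens a
    pinhole only for the client -> server:port pair announced in a PASV reply."""

    def __init__(self, acl: Acl):
        self.acl = acl
        self.pinholes = set()

    def observe_control(self, client: str, server: str, reply: str):
        m = PASV_RE.search(reply)
        if not m:
            return None
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Design choice: ignore a reply that names a host other than the control
        # peer, so the server cannot steer the client's pinhole to a third party.
        if host != server:
            return None
        self.pinholes.add(Flow("tcp", client, host, port))
        return port

    def evaluate(self, f: Flow) -> str:
        return "permit" if f in self.pinholes else self.acl.evaluate(f)


def scenario():
    """Evaluate control, passive-data and unrelated flows under each policy."""
    ctrl = Flow("tcp", CLIENT, FTP_SERVER, 21)
    pasv_reply = "227 Entering Passive Mode (203,0,113,5,195,80)"   # constructed
    data = Flow("tcp", CLIENT, FTP_SERVER, 195 * 256 + 80)           # port 50000
    other = Flow("tcp", CLIENT, UNRELATED, 6881)                     # unrelated high port
    insp = FtpInspector(STATIC_OUT)
    insp.observe_control(CLIENT, FTP_SERVER, pasv_reply)
    return {
        "static": tuple(STATIC_OUT.evaluate(f) for f in (ctrl, data, other)),
        "blanket": tuple(BLANKET_OUT.evaluate(f) for f in (ctrl, data, other)),
        "inspect": tuple(insp.evaluate(f) for f in (ctrl, data, other)),
    }


if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(f"{name:8s} control={verdicts[0]} passive-data={verdicts[1]} unrelated={verdicts[2]}")
```

Running the block prints one line per policy: the static list permits only the control channel, the blanket GT 1023 entry permits the data channel but also the unrelated port 6881 connection (the exposure Don is asking about), and the inspector permits the data channel only to the exact address and port the server announced. The check that the announced host equals the control-channel peer is the example's own design choice, not something the thread's configuration states.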
Blogs and organic groups at http://www.ccie.net
Received on Thu Nov 05 2009 - 15:30:04 ART
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART