on the inbound acl applied on the interface
add permit any any eq ftp [control connection]
and just inspect should work!
On Fri, Nov 6, 2009 at 2:00 AM, Donald Virgil <d.virgil88_at_gmail.com> wrote:
> Hey, it works if I remove the OUT ACL or put in an allow for TCP GT 1023 but
> that defeats the purpose of the OUT ACL.
>
> I want to limit what can be accessed from the "inside" using the OUT ACL.
> If I permit GT 1023 wouldn't that leave the connection open to P2P apps and
> other MalWare?
>
> Don
>
> On Thu, Nov 5, 2009 at 3:21 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>
> > Hi Don,
> >
> > Passive FTP initiates both connections (CMD and DATA) from the client. So
> > the CMD is going by default to port tcp/21 and the DATA port is sent by the
> > server to the client and then the client connects to that port. As you can
> > see in your OUT ACL there is no connection allowed to that DATA port (which
> > is usually some high port). Only ftp (tcp/21) and ftp-data (tcp/20) are
> > allowed.
> > So first try to disable the outbound ACL and see what happens. If it works,
> > you'll need to add some ACE to allow that traffic to go out.
> >
> > HTH,
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, SEC)
> > Technical Instructor
> > MicronicsTraining.com
> >
> > If you can't explain it simply, you don't understand it well enough -
> > Albert Einstein
> >
> >
> > 2009/11/5 Donald Virgil <d.virgil88_at_gmail.com>
> >
> >> Has anyone been able to apply a CBAC config that will allow PASSIVE FTP
> >> through? I've pasted my config below, active FTP works fine but passive
> >> fails to transfer. Any help is much appreciated.
> >>
> >> ip inspect name FW tcp
> >> ip inspect name FW udp
> >> ip inspect name FW icmp
> >> ip inspect name FW ftp
> >>
> >> interface GigabitEthernet0/1
> >> mtu 1492
> >> ip address 1xx.1xx.9x.1xx 255.255.255.252
> >> ip access-group IN in
> >> ip access-group OUT out
> >> no ip redirects
> >> no ip unreachables
> >> no ip proxy-arp
> >> ip nat outside
> >> ip inspect FW out
> >> ntp disable
> >> no cdp enable
> >> no mop enabled
> >>
> >>
> >> interface GigabitEthernet0/0
> >> ip address 10.10.10.2 255.255.255.248
> >> no ip redirects
> >> no ip unreachables
> >> ip nat inside
> >>
> >> ip access-list extended OUT
> >> permit esp host 1xx.1xx.9x.1xx any
> >> permit tcp host 1xx.1xx.9x.1xx any eq ftp
> >> permit tcp host 1xx.1xx.9x.1xx any eq ftp-data
> >> permit tcp host 1xx.1xx.9x.1xx any eq www
> >> permit tcp host 1xx.1xx.9x.1xx any eq 443
> >> permit tcp host 1xx.1xx.9x.1xx any eq 22
> >> permit udp host 1xx.1xx.9x.1xx any eq domain
> >> permit udp host 1xx.1xx.9x.1xx any eq isakmp
> >> permit udp host 1xx.1xx.9x.1xx any eq non500-isakmp
> >> permit icmp host 1xx.1xx.9x.1xx any echo
> >> permit icmp host 1xx.1xx.9x.1xx any echo-reply
> >> permit icmp host 1xx.1xx.9x.1xx any time-exceeded
> >> permit icmp host 1xx.1xx.9x.1xx any unreachable
> >> permit icmp host 1xx.1xx.9x.1xx any ttl-exceeded
> >> deny ip 127.0.0.0 0.255.255.255 any
> >> deny ip 10.0.0.0 0.255.255.255 any
> >> deny ip 172.16.0.0 0.15.255.255 any
> >> deny ip 192.168.0.0 0.0.255.255 any
> >> deny ip host 255.255.255.255 any
> >> deny ip host 0.0.0.0 any
> >> deny ip any any log
> >>
> >>
> >> ip access-list extended IN
> >> permit tcp any host 1xx.1xx.9x.1xx eq 22 log
> >> permit esp any host 1xx.1xx.9x.1xx
> >> permit gre any host 1xx.1xx.9x.1xx
> >> permit tcp any eq ftp-data host 1xx.1xx.9x.1xx log-input
> >> permit udp any host 1xx.1xx.9x.1xx eq non500-isakmp
> >> permit udp any host 1xx.1xx.9x.1xx eq isakmp
> >> permit icmp any host 1xx.1xx.9x.1xx echo
> >> permit icmp any host 1xx.1xx.9x.1xx echo-reply
> >> permit icmp any host 1xx.1xx.9x.1xx time-exceeded
> >> permit icmp any host 1xx.1xx.9x.1xx unreachable
> >> permit icmp any host 1xx.1xx.9x.1xx ttl-exceeded
> >> deny ip any any log
> >>
> >>
> >>
> >> Thanks,
> >> Don
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
--
Sent from Karnataka, India
Robert Pirsig <http://www.quotationspage.com/quote/38592.html> - "There is an evil tendency underlying all our technology - the tendency to do what is reasona...

Received on Fri Nov 06 2009 - 02:10:51 ART
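The thread's core point is that passive FTP's data connection goes to a port the server picks at run time, so a static outbound list that only permits `eq ftp` and `eq ftp-data` can never match it, while `gt 1023` permits far more than FTP. The Python below is an added example, not code from the thread or from Cisco IOS: it models a simplified version of Don's OUT ACL and a minimal PASV-aware inspector that reads the server's `227` reply and permits exactly that one announced data connection, which is the generic mechanism any FTP-aware stateful inspection relies on. The client and server addresses, ports and the `227` reply are constructed sample values.

```python
"""Why a static outbound ACL blocks passive FTP, and how a PASV-aware
stateful inspector permits the data channel without 'permit tcp ... gt 1023'.

Added example, not part of the original thread or of IOS CBAC. The ACL is a
simplified model of Don's OUT list; hosts, ports and the 227 reply used in
the tests are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

FTP_CTRL = 21   # ftp (control channel)
FTP_DATA = 20   # ftp-data (source port used only by active-mode servers)


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as the firewall sees its first packet."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """Simplified access-control entry: action, protocol, destination port.
    dport=None matches any port, e.g. the trailing 'deny ip any any'."""
    action: str
    proto: str
    dport: Optional[int] = None


def acl_lookup(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


# Outbound list modelled on the thread: only fixed well-known ports are open.
OUT_ACL = [
    Ace("permit", "tcp", FTP_CTRL),
    Ace("permit", "tcp", FTP_DATA),
    Ace("permit", "tcp", 80),
    Ace("permit", "tcp", 443),
    Ace("permit", "tcp", 22),
    Ace("deny", "ip"),
]

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (server_ip, data_port) from a 227 reply, None for anything else."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = m.groups()
    port = int(octets[4]) * 256 + int(octets[5])
    if not 1 <= port <= 65535:
        return None
    return ".".join(octets[:4]), port


class FtpInspector:
    """Watches the control channel and remembers the one data connection the
    server announced, so only that flow (client -> server:port) gets through."""

    def __init__(self) -> None:
        self._expected: Set[Tuple[str, str, int]] = set()

    def inspect_reply(self, client: str, reply: str) -> Optional[Tuple[str, int]]:
        parsed = parse_pasv(reply)
        if parsed:
            host, port = parsed
            self._expected.add((client, host, port))
        return parsed

    def allows(self, flow: Flow) -> bool:
        key = (flow.src, flow.dst, flow.dport)
        if flow.proto == "tcp" and key in self._expected:
            self._expected.discard(key)   # an opening is consumed once used
            return True
        return False


def evaluate(flow: Flow, acl: List[Ace],
             inspector: Optional[FtpInspector] = None) -> str:
    """Dynamic openings win; every other flow falls through to the static ACL."""
    if inspector is not None and inspector.allows(flow):
        return "permit (inspect)"
    return acl_lookup(acl, flow)
```

Run against the model, the control connection to port 21 passes the static list, the data connection to the announced high port is denied by the list alone and permitted only after the inspector has seen the `227` reply, and an unrelated high port (the P2P concern raised in the thread) is still denied, which is the difference between inspection and a blanket `gt 1023` entry.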
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART