Hey, could you send me a "show ip inspect interface" from this device? This
CBAC config doesn't look right.
On Thu, Nov 5, 2009 at 3:54 PM, Divin Mathew John <divinjohn_at_gmail.com> wrote:
> interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> !
> interface Ethernet0/0
> ip address 10.0.0.1 255.255.255.0
> ip access-group OUTSIDE in
> half-duplex
> !
> interface Ethernet0/1
> ip address 150.50.100.1 255.255.255.0
> ip inspect XYZ in
> half-duplex
> !
> interface Ethernet0/2
> no ip address
> shutdown
> half-duplex
> !
> interface Ethernet0/3
> no ip address
> shutdown
> half-duplex
> !
> router ospf 1
> log-adjacency-changes
> network 0.0.0.0 255.255.255.255 area 0
> default-information originate always
> !
> ip http server
> no ip http secure-server
> !
> !
> !
> !
> ip access-list extended OUTSIDE
> permit tcp any any eq ftp
> deny ip any any log
> !
> !
>
>
> On Fri, Nov 6, 2009 at 2:00 AM, Donald Virgil <d.virgil88_at_gmail.com> wrote:
>
>> Hey, it works if I remove the OUT ACL or put in an allow for TCP GT 1023,
>> but that defeats the purpose of the OUT ACL.
>>
>> I want to limit what can be accessed from the "inside" using the OUT ACL.
>> If I permit GT 1023, wouldn't that leave the connection open to P2P apps and
>> other malware?
>>
>> Don
>>
>>
>>
>>
>> On Thu, Nov 5, 2009 at 3:21 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>>
>> > Hi Don,
>> >
>> > Passive FTP initiates both connections (CMD and DATA) from the client. So
>> > the CMD is going by default to port tcp/21 and the DATA port is sent by the
>> > server to the client and then the client connects to that port. As you can
>> > see in your OUT ACL there is no connection allowed to that DATA port (which
>> > is usually some high port). Only ftp (tcp/21) and ftp-data (tcp/20) are
>> > allowed.
>> > So first try to disable the outbound ACL and see what happens. If it works,
>> > you'll need to add some ACE to allow that traffic to go out.
>> >
>> > HTH,
>> > --
>> > Piotr Matusiak
>> > CCIE #19860 (R&S, SEC)
>> > Technical Instructor
>> > MicronicsTraining.com
>> >
>> > If you can't explain it simply, you don't understand it well enough -
>> > Albert Einstein
>> >
>> >
>> > 2009/11/5 Donald Virgil <d.virgil88_at_gmail.com>
>> >
>> >> Has anyone been able to apply a CBAC config that will allow PASSIVE FTP
>> >> through? I've pasted my config below; active FTP works fine but passive
>> >> fails to transfer. Any help is much appreciated.
>> >>
>> >> ip inspect name FW tcp
>> >> ip inspect name FW udp
>> >> ip inspect name FW icmp
>> >> ip inspect name FW ftp
>> >>
>> >> interface GigabitEthernet0/1
>> >> mtu 1492
>> >> ip address 1xx.1xx.9x.1xx 255.255.255.252
>> >> ip access-group IN in
>> >> ip access-group OUT out
>> >> no ip redirects
>> >> no ip unreachables
>> >> no ip proxy-arp
>> >> ip nat outside
>> >> ip inspect FW out
>> >> ntp disable
>> >> no cdp enable
>> >> no mop enabled
>> >>
>> >>
>> >> interface GigabitEthernet0/0
>> >> ip address 10.10.10.2 255.255.255.248
>> >> no ip redirects
>> >> no ip unreachables
>> >> ip nat inside
>> >>
>> >> ip access-list extended OUT
>> >> permit esp host 1xx.1xx.9x.1xx any
>> >> permit tcp host 1xx.1xx.9x.1xx any eq ftp
>> >> permit tcp host 1xx.1xx.9x.1xx any eq ftp-data
>> >> permit tcp host 1xx.1xx.9x.1xx any eq www
>> >> permit tcp host 1xx.1xx.9x.1xx any eq 443
>> >> permit tcp host 1xx.1xx.9x.1xx any eq 22
>> >> permit udp host 1xx.1xx.9x.1xx any eq domain
>> >> permit udp host 1xx.1xx.9x.1xx any eq isakmp
>> >> permit udp host 1xx.1xx.9x.1xx any eq non500-isakmp
>> >> permit icmp host 1xx.1xx.9x.1xx any echo
>> >> permit icmp host 1xx.1xx.9x.1xx any echo-reply
>> >> permit icmp host 1xx.1xx.9x.1xx any time-exceeded
>> >> permit icmp host 1xx.1xx.9x.1xx any unreachable
>> >> permit icmp host 1xx.1xx.9x.1xx any ttl-exceeded
>> >> deny ip 127.0.0.0 0.255.255.255 any
>> >> deny ip 10.0.0.0 0.255.255.255 any
>> >> deny ip 172.16.0.0 0.15.255.255 any
>> >> deny ip 192.168.0.0 0.0.255.255 any
>> >> deny ip host 255.255.255.255 any
>> >> deny ip host 0.0.0.0 any
>> >> deny ip any any log
>> >>
>> >>
>> >> ip access-list extended IN
>> >> permit tcp any host 1xx.1xx.9x.1xx eq 22 log
>> >> permit esp any host 1xx.1xx.9x.1xx
>> >> permit gre any host 1xx.1xx.9x.1xx
>> >> permit tcp any eq ftp-data host 1xx.1xx.9x.1xx log-input
>> >> permit udp any host 1xx.1xx.9x.1xx eq non500-isakmp
>> >> permit udp any host 1xx.1xx.9x.1xx eq isakmp
>> >> permit icmp any host 1xx.1xx.9x.1xx echo
>> >> permit icmp any host 1xx.1xx.9x.1xx echo-reply
>> >> permit icmp any host 1xx.1xx.9x.1xx time-exceeded
>> >> permit icmp any host 1xx.1xx.9x.1xx unreachable
>> >> permit icmp any host 1xx.1xx.9x.1xx ttl-exceeded
>> >> deny ip any any log
>> >>
>> >>
>> >>
>> >> Thanks,
>> >> Don
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
>
> --
>
> Sent from Karnataka, India
> Peter De Vries <http://www.quotationspage.com/quote/81.html> - "It is the
> final proof of God's omnipotence that he need not exist in order to save
> us."
Received on Thu Nov 05 2009 - 16:05:07 ART
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART
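An added example, not code from the thread: a small Python evaluator for the ACE forms used in Don's OUT and IN lists, which traces the passive control, passive data and active data flows Piotr describes through the same first-match logic IOS applies. The router's masked 1xx.1xx.9x.1xx address and the FTP server 203.0.113.10 are constructed placeholders.

```python
# Added example, not from the thread: a first-match evaluator for the
# extended-ACL lines quoted in Don's post. ROUTER stands in for the masked
# 1xx.1xx.9x.1xx outside address. Only ACE shapes seen in the thread are
# parsed: tcp/udp/ip, any | host A | A wildcard, optional "eq <port>", log.
from ipaddress import ip_address, ip_network

ROUTER = "198.51.100.2"   # placeholder for the masked outside address
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80}

OUT_ACL = f"""
permit tcp host {ROUTER} any eq ftp
permit tcp host {ROUTER} any eq ftp-data
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any log
"""
IN_ACL = f"""
permit tcp any eq ftp-data host {ROUTER} log-input
deny ip any any log
"""

def _take_addr(tok):
    """Consume one address spec plus an optional 'eq <port>'; return (net, port, rest)."""
    if tok[0] == "any":
        net, tok = ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ip_network(tok[1] + "/32"), tok[2:]
    else:  # "A.B.C.D wildcard": invert the wildcard bits to get a netmask
        mask = ".".join(str(255 - int(o)) for o in tok[1].split("."))
        net, tok = ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]
    port = None
    if tok and tok[0] == "eq":
        port, tok = int(PORT_NAMES.get(tok[1], tok[1])), tok[2:]
    return net, port, tok

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, sport, rest = _take_addr(tok[2:])
        dst, dport, _ = _take_addr(rest)   # trailing log / log-input ignored
        aces.append((tok[0], tok[1], src, sport, dst, dport, line))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for action, p, snet, sp, dnet, dp, line in aces:
        if p in ("ip", proto) and ip_address(src) in snet and ip_address(dst) in dnet \
                and sp in (None, sport) and dp in (None, dport):
            return action, line
    return "deny", "implicit deny"
```

The passive data connection (client to a high server port) falls through to `deny ip any any log`, so a hit on that logged line while a PASV transfer is attempted is the quickest way to confirm the diagnosis on the real device.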