FIREWALL#sh ip inspect sessions
Established Sessions
 Session 649A5C80 (150.50.100.100:11626)=>(10.0.0.254:4300) ftp-data SIS_OPEN
 Session 649A5780 (150.50.100.100:13214)=>(10.0.0.254:21) ftp SIS_OPEN
FIREWALL#
On Fri, Nov 6, 2009 at 2:35 AM, Donald Virgil <d.virgil88_at_gmail.com> wrote:
>
> Hey could you send me a "show ip inspect interface" from this device? This
> CBAC config doesn't look right.
>
> On Thu, Nov 5, 2009 at 3:54 PM, Divin Mathew John <divinjohn_at_gmail.com> wrote:
>
>> interface Loopback0
>>  ip address 1.1.1.1 255.255.255.0
>> !
>> interface Ethernet0/0
>>  ip address 10.0.0.1 255.255.255.0
>>  ip access-group OUTSIDE in
>>  half-duplex
>> !
>> interface Ethernet0/1
>>  ip address 150.50.100.1 255.255.255.0
>>  ip inspect XYZ in
>>  half-duplex
>> !
>> interface Ethernet0/2
>>  no ip address
>>  shutdown
>>  half-duplex
>> !
>> interface Ethernet0/3
>>  no ip address
>>  shutdown
>>  half-duplex
>> !
>> router ospf 1
>>  log-adjacency-changes
>>  network 0.0.0.0 255.255.255.255 area 0
>>  default-information originate always
>> !
>> ip http server
>> no ip http secure-server
>> !
>> !
>> !
>> !
>> ip access-list extended OUTSIDE
>>  permit tcp any any eq ftp
>>  deny   ip any any log
>> !
>> !
>>
>>
>> On Fri, Nov 6, 2009 at 2:00 AM, Donald Virgil <d.virgil88_at_gmail.com> wrote:
>>
>>> Hey, it works if I remove the OUT ACL or put in an allow for TCP GT 1023
>>> but that defeats the purpose of the OUT ACL.
>>>
>>> I want to limit what can be accessed from the "inside" using the OUT ACL.
>>> If I permit GT 1023 wouldn't that leave the connection open to P2P apps
>>> and other malware?
>>>
>>> Don
>>>
>>> On Thu, Nov 5, 2009 at 3:21 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>>>
>>> > Hi Don,
>>> >
>>> > Passive FTP initiates both connections (CMD and DATA) from the client.
>>> > So the CMD is going by default to port tcp/21, and the DATA port is sent
>>> > by the server to the client and then the client connects to that port.
>>> > As you can see in your OUT ACL there is no connection allowed to that
>>> > DATA port (which is usually some high port). Only ftp (tcp/21) and
>>> > ftp-data (tcp/20) are allowed.
>>> > So first try to disable the outbound ACL and see what happens. If it
>>> > works, you'll need to add some ACE to allow that traffic to go out.
>>> >
>>> > HTH,
>>> > --
>>> > Piotr Matusiak
>>> > CCIE #19860 (R&S, SEC)
>>> > Technical Instructor
>>> > MicronicsTraining.com
>>> >
>>> >
>>> >
>>> > 2009/11/5 Donald Virgil <d.virgil88_at_gmail.com>
>>> >
>>> >> Has anyone been able to apply a CBAC config that will allow PASSIVE
>>> >> FTP through? I've pasted my config below; active FTP works fine but
>>> >> passive fails to transfer. Any help is much appreciated.
>>> >>
>>> >> ip inspect name FW tcp
>>> >> ip inspect name FW udp
>>> >> ip inspect name FW icmp
>>> >> ip inspect name FW ftp
>>> >>
>>> >> interface GigabitEthernet0/1
>>> >>  mtu 1492
>>> >>  ip address 1xx.1xx.9x.1xx 255.255.255.252
>>> >>  ip access-group IN in
>>> >>  ip access-group OUT out
>>> >>  no ip redirects
>>> >>  no ip unreachables
>>> >>  no ip proxy-arp
>>> >>  ip nat outside
>>> >>  ip inspect FW out
>>> >>  ntp disable
>>> >>  no cdp enable
>>> >>  no mop enabled
>>> >>
>>> >>
>>> >> interface GigabitEthernet0/0
>>> >>  ip address 10.10.10.2 255.255.255.248
>>> >>  no ip redirects
>>> >>  no ip unreachables
>>> >>  ip nat inside
>>> >>
>>> >> ip access-list extended OUT
>>> >>  permit esp host 1xx.1xx.9x.1xx any
>>> >>  permit tcp host 1xx.1xx.9x.1xx any eq ftp
>>> >>  permit tcp host 1xx.1xx.9x.1xx any eq ftp-data
>>> >>  permit tcp host 1xx.1xx.9x.1xx any eq www
>>> >>  permit tcp host 1xx.1xx.9x.1xx any eq 443
>>> >>  permit tcp host 1xx.1xx.9x.1xx any eq 22
>>> >>  permit udp host 1xx.1xx.9x.1xx any eq domain
>>> >>  permit udp host 1xx.1xx.9x.1xx any eq isakmp
>>> >>  permit udp host 1xx.1xx.9x.1xx any eq non500-isakmp
>>> >>  permit icmp host 1xx.1xx.9x.1xx any echo
>>> >>  permit icmp host 1xx.1xx.9x.1xx any echo-reply
>>> >>  permit icmp host 1xx.1xx.9x.1xx any time-exceeded
>>> >>  permit icmp host 1xx.1xx.9x.1xx any unreachable
>>> >>  permit icmp host 1xx.1xx.9x.1xx any ttl-exceeded
>>> >>  deny   ip 127.0.0.0 0.255.255.255 any
>>> >>  deny   ip 10.0.0.0 0.255.255.255 any
>>> >>  deny   ip 172.16.0.0 0.15.255.255 any
>>> >>  deny   ip 192.168.0.0 0.0.255.255 any
>>> >>  deny   ip host 255.255.255.255 any
>>> >>  deny   ip host 0.0.0.0 any
>>> >>  deny   ip any any log
>>> >>
>>> >>
>>> >> ip access-list extended IN
>>> >>  permit tcp any host 1xx.1xx.9x.1xx eq 22 log
>>> >>  permit esp any host 1xx.1xx.9x.1xx
>>> >>  permit gre any host 1xx.1xx.9x.1xx
>>> >>  permit tcp any eq ftp-data host 1xx.1xx.9x.1xx log-input
>>> >>  permit udp any host 1xx.1xx.9x.1xx eq non500-isakmp
>>> >>  permit udp any host 1xx.1xx.9x.1xx eq isakmp
>>> >>  permit icmp any host 1xx.1xx.9x.1xx echo
>>> >>  permit icmp any host 1xx.1xx.9x.1xx echo-reply
>>> >>  permit icmp any host 1xx.1xx.9x.1xx time-exceeded
>>> >>  permit icmp any host 1xx.1xx.9x.1xx unreachable
>>> >>  permit icmp any host 1xx.1xx.9x.1xx ttl-exceeded
>>> >>  deny   ip any any log
>>> >>
>>> >>
>>> >>
>>> >> Thanks,
>>> >> Don
>>> >>
>>> >>
>>> >> Blogs and organic groups at http://www.ccie.net
>>> >>
>>> >> _______________________________________________________________________
>>> >> Subscription information may be found at:
>>> >> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>> --
>> Sent from Karnataka, India
>
--
Sent from Bangalore, KA, India

Received on Fri Nov 06 2009 - 03:01:56 ART
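Added example, written for this archive page and not code from the thread or from Cisco IOS: a small Python model of the mechanism Piotr describes. It parses the server's 227 PASV reply on the control channel, derives the data port the client will connect to, and contrasts the static OUT ACL from the post (only eq ftp / ftp-data) with the "gt 1023" workaround and with the single-flow opening a stateful FTP inspector creates. Addresses and ports come from the show ip inspect sessions output at the top of the message; the PASV reply line itself is constructed.

```python
import re

# Constructed sample: the reply a server at 10.0.0.254 sends on the control
# channel to announce data port 16*256 + 204 = 4300 (as in the show output).
SAMPLE_PASV = "227 Entering Passive Mode (10,0,0,254,16,204)."

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (server_ip, data_port) from a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:      # each field is one octet
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

# The TCP lines of the OUT ACL from the post, as (proto, destination port).
OUT_ACL = [("tcp", 21), ("tcp", 20)]          # eq ftp, eq ftp-data

def static_acl_permits(proto, dst_port, acl=OUT_ACL):
    """Static ACL: the negotiated PASV data port is never listed, so it is denied."""
    return any(p == proto and d == dst_port for p, d in acl)

def gt1023_permits(proto, dst_port):
    """The 'permit tcp ... gt 1023' workaround: admits every high port,
    which is the over-broad hole the thread worries about."""
    return proto == "tcp" and dst_port > 1023

def inspect_session(client_ip, server_ip, pasv_reply):
    """Model of ftp inspection: read the PASV reply and pre-open exactly one
    data-channel flow, client -> server:data_port. Returns None if the reply
    is unparseable or advertises a host other than the control-channel server,
    so no opening is ever made toward a third party."""
    parsed = parse_pasv(pasv_reply)
    if parsed is None or parsed[0] != server_ip:
        return None
    return (client_ip, server_ip, parsed[1], "ftp-data")

def dynamic_permits(entry, src_ip, dst_ip, dst_port):
    """The inspection entry matches one client, one server and one port."""
    return entry is not None and entry[:3] == (src_ip, dst_ip, dst_port)

def format_session(entry, src_port):
    # Render the established flow the way 'show ip inspect sessions' prints it;
    # the client's source port is only known once its data SYN arrives.
    src_ip, dst_ip, dst_port, app = entry
    return f"({src_ip}:{src_port})=>({dst_ip}:{dst_port}) {app}"
```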