Re: ZBFW-FTP issue from Radioactive Frog on 2011-04-09 (Ccielab archives 04/2011)

From: Radioactive Frog <pbhatkoti_at_gmail.com>
Date: Sat, 9 Apr 2011 22:31:41 +1000

Hi Sairam,
Most likely you tested ZFS on 12.4 in your lab and then went to a site which
had ios v 15.
Obviously, i had similar issue with IOS 15 and it was an issue with the
asymetric routing related to the site specific.
check that out,
other thing that i can think of is you should turn the debug on and see what
is actually happening with ios v15.
If you don't know this command , you should not be configuring the ZFS (just
a joke but it's a lifesaver).

ip inspect log drop-pkt

also check pam table entry in v15

frog

On Sat, Apr 9, 2011 at 5:34 PM, Sairam <seekumarin_at_gmail.com> wrote:

> Hi Friends,
>
> I like to mention here an interesting fact. I have a FTP Server on one side
> of ZBFW and FTP Client on other interface. I this using experimented in IOS
> Version 15.0(1)M3. I was able to login to FTP server from Client PC using
> cmd prompt (C:> ftp 172.16.1.2), But not able to list the directories.Then
> i
> realised it is FTP control channel issue (FTP Port 20).
>
> I tested this same scenario using IOS version 12.4(15)T5 & found that it is
> working with the same configuration i used in IOS 15.0. The configuration
> is
> below
>
> class-map type inspect match-any CLIENT-SRV
> match protocol icmp
> match protocol ftp
> class-map type inspect match-all CLIENT-SRV-TRAFFIC
> match access-group name CLIENT-SRV
> match class-map CLIENT-SRV
> !
> policy-map type inspect CLIENT-SRV-TRAFFIC
> class type inspect CLIENT-SRV-TRAFFIC
> inspect class class-default
> drop log
> !
> zone security CLIENT-SRV
> zone security SRV-CLIENT
> zone-pair security CLIENT-SRV source CLIENT-SRV destination SRV-CLIENT
> service-policy type inspect CLIENT-SRV-TRAFFIC
> zone-pair security SRV-CLIENT source SRV-CLIENT destination CLIENT-SRV
> service-policy type inspect SRV-CLIENT
>
>
> interface FastEthernet0/1
> description #### FTP-CLIENT #####
> ip address 192.168.1.5 255.255.255.0
> zone-member security CLIENT-SRV
> !
> interface FastEthernet0/0
> description #### FTP SERVER ###
> ip address 172.16.1.1 255.255.255.0
> zone-member security SRV-CLIENT
>
> It is working with IOS 12.4 and not working in IOS 15.0(1)
>
> ANY CLUES SIR???
>
> regards,
>
> sairam
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Sat Apr 09 2011 - 22:31:41 ART

This archive was generated by hypermail 2.2.0 : Sun May 01 2011 - 09:00:29 ART