ACL problems

kidem (MIS, US)
Feb 17, 2004
OK... I'm going to give you my config. I cannot get FTP to work through the ACL. Can someone help? Thanks.
I don't know why it's not working; I have FTP ACL entries and static mappings to the FTP server...

memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
ip dhcp pool dhcppool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 7
!
no ip bootp server
ip inspect name ftp ftp timeout 30
ip audit attack action alarm reset
ip audit notify log
ip audit po max-events 100
ip cef
!
interface Ethernet0
ip address dhcp
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ftp in
half-duplex
ntp disable
no cdp enable
!
interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
speed auto
no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.10.60 20 interface Ethernet0 20
ip nat inside source static tcp 10.10.10.60 21 interface Ethernet0 21
ip classless
no ip http server
ip pim bidir-enable
!
!
ip access-list extended internet-in
!
logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log

access-list 100 permit tcp any any range ftp-data ftp
access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp
access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp-data
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any gt 1023 host 10.10.10.60 gt 1023
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any parameter-problem
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit tcp any any established
access-list 100 deny icmp any any log
access-list 100 deny 53 any any log-input
access-list 100 deny 55 any any log-input
access-list 100 deny 77 any any log-input
access-list 100 deny pim any any log-input
access-list 100 deny udp any any eq netbios-ns log-input
access-list 100 deny udp any any eq netbios-dgm log-input
access-list 100 deny udp any any eq netbios-ss log-input
access-list 100 deny tcp any any eq 139 log-input
access-list 101 permit ip any any log
access-list 101 permit tcp any any log
access-list 101 permit udp any any log
no cdp run
!
banner motd ^C
**************************
WARNING
**************************

WARNING - Authorized users only.
^C
!
line con 0
line aux 0
line vty 0 3
access-class 1 in
password 7
login
telnet refuse-negotiations
line vty 4
access-class 1 in
access-class 10 out
password 7
login
telnet refuse-negotiations
!
no scheduler allocate
end
 
Because you have the line "ip inspect name ftp ftp timeout 30", that means you aren't going to be able to use Active mode FTP (that uses only ports 20 and 21). It is a security risk. What you'll need to do is open up some ports for Passive mode FTP and configure your FTP server to require passive mode and a range of passive ports like 13010-13020.
Then in your static mapping you'll need to map those ports to the server's ports.
And of course allow that traffic through your ACL.

Like so for the static mapping...

ip nat inside source static tcp 10.10.10.60 13010 interface Ethernet0 13010
ip nat inside source static tcp 10.10.10.60 13011 interface Ethernet0 13011
ip nat inside source static tcp 10.10.10.60 13012 interface Ethernet0 13012
ip nat inside source static tcp 10.10.10.60 13013 interface Ethernet0 13013
ip nat inside source static tcp 10.10.10.60 13014 interface Ethernet0 13014
ip nat inside source static tcp 10.10.10.60 13015 interface Ethernet0 13015
ip nat inside source static tcp 10.10.10.60 13016 interface Ethernet0 13016
ip nat inside source static tcp 10.10.10.60 13017 interface Ethernet0 13017
ip nat inside source static tcp 10.10.10.60 13018 interface Ethernet0 13018
ip nat inside source static tcp 10.10.10.60 13019 interface Ethernet0 13019
ip nat inside source static tcp 10.10.10.60 13020 interface Ethernet0 13020

Then add this to the top of the ACL:

access-list 100 permit tcp any host 10.10.10.60 range 13010 13012


Assuming your FTP server is set up with those Passive ports specified, that should do it. Just make sure your client is set up for Passive as well.

Let me know if this helps.

Burke
 
Also, since your access-list 100 is inbound on your external interface, it needs to compare packets to your public address. Anyone outside will be trying to FTP to your public address and not the private address.

These point to your private address, which is not accessible from the outside:
access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp
access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp-data

The 10.10.10.60 should be changed to your public address.

Or, you could change it to:
access-list 100 permit tcp any gt 1023 any eq ftp
access-list 100 permit tcp any gt 1023 any eq ftp-data

Your static mappings are only going to let ftp traffic through to the address you specified.

BierHunter
CNE, MCSE, CCNP
 
You don't need to open up the passive ports if you have FTP inspection turned on. It'll look at the flow and open up what it needs to. That's part of the IP Inspect feature set.


BuckWeet
 
Awesome, finally someone is making sense to me... I've posted in so many places and everything others have said hasn't worked, but even though I haven't done this yet I do believe you all know what you're talking about... I will let you know here in a little bit... but while I'm here, I've got another problem: once I apply ACL 100 in and ACL 101 out, my client cannot connect... any ideas? Am I applying this wrong?
 
OK... guys, still not working. Look at the changes I made...

memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
ip dhcp pool dhcppool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 7
!
no ip bootp server
ip inspect name ftp ftp timeout 30
ip audit attack action alarm reset
ip audit notify log
ip audit po max-events 100
ip cef
!
!
interface Ethernet0
ip address dhcp
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ftp in
half-duplex
ntp disable
no cdp enable
!
interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
speed auto
no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.10.60 13015 interface Ethernet0 13015
ip nat inside source static tcp 10.10.10.60 13014 interface Ethernet0 13014
ip nat inside source static tcp 10.10.10.60 13013 interface Ethernet0 13013
ip nat inside source static tcp 10.10.10.60 13012 interface Ethernet0 13012
ip nat inside source static tcp 10.10.10.60 13011 interface Ethernet0 13011
ip nat inside source static tcp 10.10.10.60 13010 interface Ethernet0 13010
ip nat inside source static tcp 10.10.10.60 20 interface Ethernet0 20
ip nat inside source static tcp 10.10.10.60 21 interface Ethernet0 21
ip classless
no ip http server
ip pim bidir-enable
!
!
ip access-list extended internet-in
!
logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 100 permit tcp any host 10.10.10.60 range 13010 13015
access-list 100 permit tcp any gt 1023 any eq ftp
access-list 100 permit tcp any gt 1023 any eq ftp-data
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any parameter-problem
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit tcp any any established
access-list 101 permit ip any any log
access-list 101 permit tcp any any log
access-list 101 permit udp any any log

 
Here is an updated config; I made some more changes.


ip dhcp pool dhcppool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 7
!
no ip bootp server
ip inspect name ftp ftp timeout 30
ip audit attack action alarm reset
ip audit notify log
ip audit po max-events 100
ip cef
!
interface Ethernet0
ip address dhcp
(ip access-group 100 in) None of my clients can connect to the web when this is applied!!!!
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ftp in
half-duplex
ntp disable
no cdp enable
!
interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
ip access-group 101 in
ip access-group 101 out
ip nat inside
speed auto
no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.10.60 13010 interface Ethernet0 13010
ip nat inside source static tcp 10.10.10.60 13011 interface Ethernet0 13011
ip nat inside source static tcp 10.10.10.60 13012 interface Ethernet0 13012
ip nat inside source static tcp 10.10.10.60 13013 interface Ethernet0 13013
ip nat inside source static tcp 10.10.10.60 13014 interface Ethernet0 13014
ip nat inside source static tcp 10.10.10.60 13015 interface Ethernet0 13015
ip classless
no ip http server
ip pim bidir-enable
!
ip access-list extended internet-in
!
logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 100 permit tcp any any established
access-list 100 permit tcp any any log
access-list 100 permit tcp any host 10.10.10.60 range 13010 13015
access-list 100 permit tcp any gt 1023 any eq ftp
access-list 100 permit tcp any gt 1023 any eq ftp-data
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any parameter-problem
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 101 permit ip any any log
access-list 101 permit tcp any any log
access-list 101 permit udp any any log
access-list 101 permit tcp any any eq www
no cdp run
!
line con 0
line aux 0
line vty 0 3
access-class 1 in

password 7
login
telnet refuse-negotiations
line vty 4
access-class 1 in

password 7
login
telnet refuse-negotiations
!
 
Don't you need to include an
access-list 100 permit ip any any

at the end of ACL 100 to allow other IP packets in from the outside? Otherwise the implicit deny-all statement would block other IP traffic inbound on Ethernet0.
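
To see why BierHunter's point and this one both bite, here is a small first-match evaluator for the posted ACL 100, written in Python as an added example (it is not from the thread or any IOS tool). It assumes the public address 1.1.1.1 that lui3 uses later, and the packets it evaluates are constructed.

```python
# First-match evaluator for extended ACL 100 as posted in this thread (constructed example).
# IOS checks the inbound ACL on the outside interface (Ethernet0) BEFORE it undoes
# outside-to-inside NAT, so the packet is still addressed to the router's public IP.
# A line keyed on the private 10.10.10.60 can never match there, and the implicit
# deny at the end of every ACL drops the packet.
WELL_KNOWN = {"ftp": 21, "ftp-data": 20, "domain": 53, "www": 80}
PUBLIC_IP = "1.1.1.1"  # constructed; lui3's placeholder for the DHCP address of Ethernet0

def _port(tok):
    return WELL_KNOWN.get(tok) or int(tok)

def _addr(toks):
    """Consume 'any' or 'host A.B.C.D' (the only forms ACL 100 uses); return an IP matcher."""
    if toks.pop(0) == "any":
        return lambda ip: True
    host = toks.pop(0)
    return lambda ip: ip == host

def _ports(toks):
    """Consume an optional eq/gt/range operator; return a port matcher."""
    if not toks or toks[0] not in ("eq", "gt", "range"):
        return lambda p: True
    op, a = toks.pop(0), _port(toks.pop(0))
    if op == "range":
        b = _port(toks.pop(0))
        return lambda p: a <= p <= b
    return (lambda p: p == a) if op == "eq" else (lambda p: p > a)

def parse(line):
    toks = line.split()[2:]  # drop 'access-list 100'
    action, proto = toks.pop(0), toks.pop(0)
    src, sport = _addr(toks), _ports(toks)
    dst, dport = _addr(toks), _ports(toks)
    return action == "permit", proto, src, sport, dst, dport, "established" in toks

def evaluate(acl, pkt):
    """Return (verdict, matching line). ICMP type keywords are ignored (simplification)."""
    for line in acl:
        permit, proto, src, sp, dst, dp, est = parse(line)
        if proto not in ("ip", pkt["proto"]) or not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if proto in ("tcp", "udp") and not (sp(pkt["sport"]) and dp(pkt["dport"])):
            continue
        if est and not pkt.get("ack"):  # 'established' = ACK or RST set; a fresh SYN has neither
            continue
        return ("permit" if permit else "deny"), line
    return "deny", "implicit deny"

# ACL 100 lines from the first posted config, in order; CORRECTED applies BierHunter's change.
AS_POSTED = ["access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp",
             "access-list 100 permit udp any eq 53 any",
             "access-list 100 permit tcp any any established"]
CORRECTED = ["access-list 100 permit tcp any gt 1023 any eq ftp"] + AS_POSTED[1:]
# Constructed packets as seen inbound on Ethernet0, still addressed to the public IP.
FTP_SYN = dict(proto="tcp", src="203.0.113.5", sport=40000, dst=PUBLIC_IP, dport=21, ack=False)
DNS_REPLY = dict(proto="udp", src="198.51.100.2", sport=53, dst=PUBLIC_IP, dport=5353)
WEB_REPLY = dict(proto="tcp", src="198.51.100.9", sport=80, dst=PUBLIC_IP, dport=50000, ack=True)
```

Dropping the udp line from AS_POSTED sends DNS_REPLY to the implicit deny, which is the symptom kidem reports for the inside clients once ACL 100 is applied.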

 
OK... guys, I got my clients to be able to get out now; I did add that line "permit ip any any log", but my FTP is still not working. I have my FTP server set for passive and for 13012 - 13015, which works internally. Is there any other thing I'm missing in the ACL for FTP?

Thanks for everyone's help!!!
 
access-list 100 permit tcp any any established


Try removing this statement from the access-list and see if the FTP works externally. You may have to adjust the order of the access-list to make this work.
 
OK... I just used these ACL entries and still no go...

access-list 100 permit tcp any host 10.10.10.60 range 13010 13015
access-list 100 permit tcp any any log
access-list 100 permit ip any any log
access-list 100 permit udp any eq domain any log

and here are my static mappings:
ip nat inside source static tcp 10.10.10.60 13010 interface Ethernet0 13010
ip nat inside source static tcp 10.10.10.60 13011 interface Ethernet0 13011
ip nat inside source static tcp 10.10.10.60 13012 interface Ethernet0 13012
ip nat inside source static tcp 10.10.10.60 13013 interface Ethernet0 13013
ip nat inside source static tcp 10.10.10.60 13014 interface Ethernet0 13014
ip nat inside source static tcp 10.10.10.60 13015 interface Ethernet0 13015
 
Have you tried removing the ACL entirely and then working backwards from there?

The problem may be with your NAT statements. Just a thought.
 
Can you telnet from the outside to one of the forwarded ports on the Ethernet address? I.e., if the Ethernet address from DHCP is 1.1.1.1, can you issue

telnet 1.1.1.1 13015

and then get a response from the FTP server? If you get a blank terminal window without failure, that is good as well. If you get a timeout, that is bad.

Also, what are the ACL logs for ACL 100 showing regarding denied packets?

show logging

 
Yea lui3, it failed. I will have to mess with it tomorrow; night time. Thanks for your help....

I wish someone would post their FTP ACL config, that might help... thanks


 
OK... here I made some changes. Here is the config. One question: why aren't my ports forwarding?

Here is the entire config:

Current configuration : 3170 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router1
!
logging buffered 16384 debugging
enable secret 5

memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip tcp path-mtu-discovery
!
ip dhcp pool dhcppool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 7
!
no ip bootp server
ip audit attack action alarm reset
ip audit notify log
ip audit po max-events 100
ip cef
!
!
!
!
interface Ethernet0
ip address dhcp
ip access-group 100 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
half-duplex
ntp disable
no cdp enable
!
interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out
ip nat inside
speed auto
no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.10.60 13015 interface Ethernet0 13015
ip nat inside source static tcp 10.10.10.60 13014 interface Ethernet0 13014
ip nat inside source static tcp 10.10.10.60 13013 interface Ethernet0 13013
ip nat inside source static tcp 10.10.10.60 13012 interface Ethernet0 13012
ip nat inside source static tcp 10.10.10.60 13011 interface Ethernet0 13011
ip nat inside source static tcp 10.10.10.60 13010 interface Ethernet0 13010
ip nat inside source static tcp 10.10.10.60 21 interface Ethernet0 21
ip nat inside source static tcp 10.10.10.60 20 interface Ethernet0 20
ip classless
no ip http server
ip pim bidir-enable
!
!
ip access-list extended internet-in
!
logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 100 permit tcp any any established log
access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp-data log
access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp log
access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq 1023 log
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any parameter-problem
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any echo-reply
access-list 100 permit ip any any log
access-list 101 permit ip any any log
access-list 101 permit tcp any any log
access-list 101 permit udp any any log

no cdp run
!
banner motd ^C
****************************
* WARNING *
****************************
!
line con 0
line aux 0
line vty 0 3
password 7
login
telnet refuse-negotiations
line vty 4
password 7
login
telnet refuse-negotiations
!
 
This is still an ACL configuration issue. The problem may be with the established configuration in ACL 100.

Can you post the output of several commands:

show ip nat translations

show log

I am looking for dropped packets inbound on the forwarded ports.

Let's also try removing ACL 100 from both interfaces and trying the FTP. If that doesn't work, then remove 101. If it still doesn't work, then it must be the NAT configuration and we can troubleshoot that. In the meantime, post the outputs of the above commands.

 
ip nat inside source static tcp 10.10.10.60 21 interface Ethernet0 21
ip nat inside source static tcp 10.10.10.60 20 interface Ethernet0 20

Have you tried it with the server set up to forward 21 and 20?

It's possible the PAT translations are overlapping with the 13000 ports for host transactions.
 
Your inbound access-list is still comparing packets to your private address:

access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp-data log
access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp log

Outside traffic cannot see your private address. If someone is FTPing to you, they will be FTPing to your public address.

BierHunter
CNE, MCSE, CCNP
 
True, however he is still explicitly allowing any other IP traffic with the

access-list 100 permit ip any any log

This command should make any other TCP connections able to access the public IP address.

Do you agree?
 