Cisco -- Active and Passive FTP through NAT

MidnightWizard

Executive Member
Joined
Nov 14, 2007
Messages
5,720
All the clever Cisco guys

As I am sure you all know, FTP does not work too well through NAT without some form of port forwarding (PAT).

I found this tutorial for allowing access to an FTP server behind a natted connection.

Forwarding a Range of Ports for Passive FTP

Basically there are four parts to this recipe

Code:
access-list 100 permit tcp any gt 1023 host xx.xx.xx.xx eq ftp
access-list 100 permit tcp any gt 1023 host xx.xx.xx.xx eq ftp-data
access-list 100 permit tcp any host xx.xx.xx.xx range 50000 50010

Code:
ip access-list extended PASSIVEACL
remark Standard FTP Data and Comms
permit tcp any any range 20 21
remark Extra Ports for Passive Use Only
permit tcp any any range 50000 50010

Code:
ip nat pool PASSIVEFTP 10.0.0.28 10.0.0.28 netmask 255.255.255.0 type rotary

Code:
ip nat inside destination list PASSIVEACL pool PASSIVEFTP


OK, straightforward enough for an (inside) FTP SERVER.

What would be different if an OUTSIDE FTP *Server* wanted to contact an INSIDE FTP *Client*?

The incoming port request would initially be from 21 -- to connect to an arbitrary natted port.

On WHAT ports would the incoming PASSIVE request negotiation be? :confused:

I have something similar to this setup -- works OK with ACTIVE but not with PASSIVE

Trying to find the solution -- but -- brain is stuffed after the flu.

I suspect it has something to do with reversing the port allocation because the flow is different. :confused:

Anyone ....... :rolleyes: ( looking heavenward)
 

Tinuva

The Magician
Joined
Feb 10, 2005
Messages
12,478
I am no Cisco guru, though I have worked a bit on 3640s, 6509s, 6506s, 3548s etc. I am still learning and have no certification.

Anyways, I believe what you are looking for is application protocol inspection.

Here is the Cisco documentation: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html

Code:
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name CBAC1 ftp timeout 3600
ip inspect name CBAC2 ftp timeout 3600
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
 description HSZ
 ip address 192.168.102.200 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 ip inspect CBAC1 in
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description SICAP
 ip address 192.168.101.200 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ip inspect CBAC2 in
 duplex auto
 speed auto
 no cdp enable
!

I am not 100% sure the above config will work; for obvious reasons I can't test this since I have never used an ADSL-capable Cisco router, so first check if those inspect commands are usable on your router, though I am fairly sure they should be.

A sample config would look like:
 

MidnightWizard

Executive Member
Joined
Nov 14, 2007
Messages
5,720
PASV NAT

Here is the Cisco documentation: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html

Code:
ip inspect name CBAC1 ftp timeout 3600
ip inspect name CBAC2 ftp timeout 3600
!
interface FastEthernet0/0
 description HSZ
 ip address 192.168.102.200 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 ip inspect CBAC1 in
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description SICAP
 ip address 192.168.101.200 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ip inspect CBAC2 in
 duplex auto
 speed auto
 no cdp enable
!

I am not 100% sure the above config will work; for obvious reasons I can't test this since I have never used an ADSL-capable Cisco router, so first check if those inspect commands are usable on your router, though I am fairly sure they should be.
A sample config would look like:

Thanks

Yes can use those commands

In your example the CBAC is FTP plus a timeout command.


Code:
ip inspect name NATFTP ftp

interface Dialer 1
ip inspect NATFTP in

Does NOT help,
but
I am not having trouble with timeouts.

It appears that the NAT pool (passive ports) is not being activated. :confused:
The PASV FTP is coming in on random ports, not those specified, so my ACL is denying them.

The NAT pool and NAT extended ACL need some work, I think.
 

Tinuva

The Magician
Joined
Feb 10, 2005
Messages
12,478
That is why you need FTP inspection, so that those random ports are picked up in the conversation happening on port 21. Instead of an ACL you need to perhaps change it to a policy map that makes use of the inspection rule and ACL combined.

I believe the timeout is not for the actual connections, but the point at which the router should drop inactive connections from its inspection table. You know how the NAT table also contains connections; just like that you will keep information about connections in the inspection database, which needs to be cleaned up, otherwise memory is never released and the router will eventually run out of memory and die until you reboot it.
 

MidnightWizard

Executive Member
Joined
Nov 14, 2007
Messages
5,720
Policy Map

That is why you need FTP inspection, so that those random ports are picked up in the conversation happening on port 21.
Instead of an ACL you need to perhaps change it to a policy map that makes use of the inspection rule and ACL combined.

OK

IF I am understanding correctly, the outside FTP server is deciding on what PASV ports to respond on,
normally from about 35000 but up to 65000, and not fixed. No way you can tell what ports to open when it is random like this. (Do NOT want to open ALL of them :eek: )

Any tips on how you would do such a thing as suggested: policy map, inspection rule AND ACL? :confused:
 

MidnightWizard

Executive Member
Joined
Nov 14, 2007
Messages
5,720
FTP -- the "works"

OK

Got rid of the earlier FTP server recipe (obviously only works for an inside FTP server).

Opened some ports, used the inspect statement and voila, active and passive working (with the NAT / PAT).

HOWEVER

I do not want a vast range of ports open just for passive FTP (without some kind of security). Having a dynamic public IP assigned by the ISP does not make it easier either.


So while you still have your thinking caps on, here is a nice explanation of how FTP works:

Analysis of the File Transfer Protocol (FTP)

OK so now what / how to allow passive FTP without opening hundreds of ports? (Some debug sees outside FTP servers opening ports from about 35000 right up to 65000.) :eek:
 

Tinuva

The Magician
Joined
Feb 10, 2005
Messages
12,478
Now see, there is no way you can know what other admins set as the passive port ranges on their FTP servers. I actually thought the FTP inspection can be used like one uses connection tracking on Linux, and then all you do is allow related connections instead of specific ports. I am however not sure whether the same type of statement exists for access-lists; I think for that you will probably have to use a proper firewall device.
 

ivusi

Active Member
Joined
Mar 23, 2010
Messages
69
In passive mode FTP, the client initiates both connections to the server. In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21.
Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Me personally, if I were hosting the FTP server I would only use active mode.

Otherwise, if you want to use passive mode you will have to allow the higher-end ports through your firewall. I would rather allow only 20 and 21 - screw the clients if their firewall does not allow them to access my FTP server - let their admin guys allow the higher ports! :)
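As an added illustration, not code from the thread or from Cisco, of what FTP inspection learns from the port-21 conversation that a fixed ACL range cannot: a Python sketch of an FTP ALG reading PASV replies and PORT commands and deriving the data connections it must allow (Tinuva's "related connections"), beside the thread's static 50000-50010 range. The control-channel lines and all addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed control-channel exchange (not from the thread): an inside client
# behind NAT talks to an outside FTP server that picks its own PASV data port.
CONTROL_CHANNEL = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,10,140,57)."),
    ("client", "PORT 10,0,0,28,195,80"),
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


@dataclass(frozen=True)
class Pinhole:
    mode: str        # "passive" or "active"
    initiator: str   # side that opens the data connection
    dst_ip: str
    dst_port: int


def decode_hostport(groups):
    """FTP encodes host,port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_control_channel(lines):
    """Learn data-channel endpoints the way an FTP ALG does: by reading port 21."""
    pinholes = []
    for side, text in lines:
        if side == "server" and (m := PASV_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            pinholes.append(Pinhole("passive", "client", ip, port))  # client -> server:port
        elif side == "client" and (m := PORT_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            pinholes.append(Pinhole("active", "server", ip, port))   # server:20 -> client:port
    return pinholes


def static_acl_permits(dst_port, low=50000, high=50010):
    """The thread's fixed range only works when our own server chooses the ports."""
    return low <= dst_port <= high


def nat_rewrite_port(command, public_ip):
    """The ALG's other job: swap the private address in a PORT command for the public one."""
    m = PORT_RE.match(command)
    if not m:
        return command
    return f"PORT {public_ip.replace('.', ',')},{m.group(5)},{m.group(6)}"
```

The outside server's PASV port (35897 here) falls outside the static range, which is exactly why the ACL denied it; only inspection can open that single port for the life of the session.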
 