NBAR discovery passive ftp
Hi guys,
I am trying to shape all ftp traffic on a 3700 router connecting to a LAN.
so F0/0 is the WAN and F0/1 is the LAN port.
I have tried to use NBAR to shape http or any traffic, all working fine.
however, it seems like I am having problems dealing with passive ftp traffic.
the following is part of the configuration I have :
class-map match-any FTP
match protocol ftp
policy-map FTP
class FTP
shape average 400000
int f0/1
service-policy output FTP
ip nbar protocol-discovery
end
wr
I am using an old version ios 12.3(22) on this router, I am wonderring if this ios's nbar supports passive ftp discovery or not.
thanks.
Hi,
Have a look at this link
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#passiveftp
You may need to an access list to define the ftp-passive type traffic and apply the access list to your class map
Regards
Alex
Similar Messages
-
Passive FTP Port Range -- Server 10.3.x Panther
I know that the port range for Passive FTP is >1024, but I want to define that to a smaller group of unused ports so that I can specify that those ports are open in the Firewall.
Can, how, and where do I define this port range??I just opened from 13658-65534 and this seems to be fine (although not been running very long). I took the view that opening a stack of ports was not really any worse than just opening a quarter as much. Arguably, it's no worse than just opening one.
However, we only use it from time to time and FTP services is off unless specifically required. If I was going to run it for serious use I think I would put it on a dedicated server and put it in a DMZ.
Reading up on FTP security is on my To-Do list...
-david
[EDIT] The server is also well locked down for SSH. -
I have a problem with my FTP server, or something. I have
created a site, set it up, where the files need to go etc., but
when I test my connection it times out and says to try toggling the
passive FTP mode. Where do I find this? I have looked everywhere
(or so I think).. any help is useful at this point.
Thanks
T.SanchezSite Definition > Advanced Tab > Remote Site
Likely that's not the problem, but give it a try....
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
==================
"TSanchez012" <[email protected]> wrote in
message
news:fvfql1$r3l$[email protected]..
>I have a problem with my FTP server, or something. I have
created a site,
>set
> it up, where the files need to go etc., but when I test
my connection it
> times
> out and says to try toggling the passive FTP mode. Where
do I find this? I
> have
> looked everywhere (or so I think).. any help is useful
at this point.
>
> Thanks
> T.Sanchez
> -
CSS and Extended Passive FTP problem.
Hi everyone.
I'm having a problem setting up a load balanced cluster of FTP servers behind a CSS 11506.
I can FTP into the cluster fine. I am redirected to one of the machines in a round robin fashion and can log in. The problem arises on mac's where typing in an ls command returns this:
ftp> ls
229 Entering Extended Passive Mode (|||32999|)
200 EPRT command successful
421 Service not available, remote server timed out. Connection closed
Now, if I type in the EPSV command and disable Extended Passive Mode prior to connecting to it, it works fine.
Also, connecting to any of the servers directly with epsv enabled works fine as well.
We have over 800k hits per month and telling everyone to disable epsv will be a problem. Is there a way to enable extended passive mode through the css?
Here is my config:
Group: ftpServers1 - Active (198.202.122.181 Not Redundant)
Session Redundancy: Disabled
Last Clearing of Stats Counters: 03/20/2007 14:28:25
Associated ACLs: NONE
Source Services:
DNS
Name: Hits: State: Load: Trans: Keepalive: Conn:
rem_ftp1 19857 Alive 44 6 FTP 0
rem_ftp2 38175 Alive 87 0 FTP 0
Destination Services:
NONE
Group Service Total Counters:
Hits/Frames/Bytes: 58032/58339/4277264
Connections Total/Current: 25/0
FTP Control Total/Current: 0/0
CSS11506# show rule pdb ftp-rule1
Name: ftp-rule1 Owner: pdb
State: Active Type: FTP
Balance: Round Robin Failover: N/A
Persistence: Enabled Param-Bypass: Disabled
Session Redundancy: Disabled
IP Redundancy: Not Redundant
L3: 198.202.122.181
L4: TCP/21
Url:
Redirect: ""
TCP RST client if service unreachable: Disabled
Rule Services & Weights:
1: rem_ftp1-Alive, S-1
2: rem_ftp2-Alive, S-1
Thanks
BokiEPSV is not supported.
The only workaround available to load balance passive ftp servers is to use "PASV" command instead of "EPSV" on clients.
Syed Iftekhar Ahmed -
ACE access-list and Passive FTP
Can servers sitting behind the ACE successfully ftp files if the following rules are in place?
access-list word line x extended permit tcp source destination eq 21
access-list word line y extended permit tcp source destination eq 20
With those lines I can establish an FTP session, but unable to transfer files.
With the following statement access-list word line x extended permit ip source destination, passive ftp works?
IS this because the ACE acl does not allow for stateful inspection of an FTP session?
Thank youYou are right lack of fixup/inspect is the reason for FTP connections to fail.
You need something in line with the following config
class-map match-all FTP-Traffic
2 match port tcp eq ftp
policy-map multi-match xyz
class FTP-Traffic
inspect ftp
Syed Iftekhar Ahmed -
Passive FTP and the Leopard firewall
Hi,
We have an staff upload server that uses the built-in Leopard firewall. It is fed by two proprietary applications, one of which uses passive ftp only. We are getting a small number of incidents where the passive upload is unsuccessful. Initial contact is made (visible in the logs and as a connection in the server admin gui) but the upload doesn't proceed. A user might try uploading several times without success. On other occasions, the same user from the same computer has no problems at all.
We have the ftp service enabled on port 20-21 and the FTP service PASV port range enabled 49152-65535.
If I add the uploading computers' ip number to an access group with no port restrictions on the firewall, the uploads are always successful.
With my very limited knowledge of ftp and firewalls, this suggest that the negotiated port for the data transfer is outside the default port range used by Apple. Is this likely? Are there any implications in changing the range?
Or am I totally confused and should I be looking elsewhere?
Thanks,
Ross GloverBy default, the FTP server doesn't restrict itself to any particular passive port range. To make it match what the firewall claims it should be, edit the file /Library/FTPServer/Configuration/ftpaccess and add the line:
passive ports 0.0.0.0/0 49152 65535
...then restart the FTP service and retest. -
AIR installer Passive FTP?
Our AIR app uses the AIR badge installer to update our client's desktop app. However, we've noticed a lot of our users get these half-baked installer files (literally, the installer file they get is half the size of what it should be). The cloud server hosting the installer is fine, the file itself is fine, but people aren't getting the whole file.
Is there a setting on AIR's installer to use passive FTP? Or some way to guarantee the user actually gets the entire file? Is this a known issue with the installer badge?
Thanks!Hi,
There is a bunch of ftp libraries that support passive transfer.. Use google, or look at the following link:
http://freshmeat.net/projects/javaftp/
/Kaj -
In proxies passive ftp mode is checked and in the box this domain*.local, 169.254/16 is always visible. My internet is dongle wifi - Wimax. Can I uncheck this box without it affecting my wifi connection.
Something very strange is happening when I connect via wi fi to my wimax. My airport menu show I am connected to uroad458930 which is my correct network address but there is also another network showing uroad458931. This address is only visible when I connect to my Wimax. Both addresses disappear from the menu when I switch off the wimax dongle and both appear when I switch it on.Thank you for your answer.
Yes, according to those slides it looks like PASV mode is tried first...
But why do I get the following exception?
sun.net.ftp.FtpProtocolException: PORT :500 Illegal PORT command, EPSV ALL in effect
at sun.net.ftp.FtpClient.openDataConnection(FtpClient.java:381)
at sun.net.ftp.FtpClient.get(FtpClient.java:485)
at sun.net.www.protocol.ftp.FtpURLConnection.getInputStream(FtpURLConnection.java:284)
at imageviewer.threads.DicomDirLoaderThread.run(DicomDirLoaderThread.java:124)
at java.lang.Thread.run(Thread.java:534)
If I write the FTP URL that I use in my Java code in my browser's address bar, the file is regularly downloaded.
Any help / suggestion would be greatly appreciated.
Thank you,
Marco. -
Passive FTP in PIX 6.3(5)106
Dear All,
How can I allow passive ftp communication in PIX 6.3(5)106.
Thank You,
Abhisar.Is this for outbound or inbound FTP?
For outbound FTP:
1) Configure:
fixup protocol ftp 21
2) Then if you have any access-list on the inside interface, allow tcp/21
For inbound FTP:
1) Configure:
fixup protocol ftp 21
2) Configure static NAT statement for the FTP server
3) Configure access-list on the outside interface to allow TCP/21 on the NATed IP. -
Hi
I want to setup an Passive FTP and an Active proxy service in Oracle Service Bus 10.3. What is the best way of doing this?
Regardssee support note 860423.1
Oracle Service Bus FTP transport is implemented to use passive mode in proxy services (inbound) and active mode in business services (outbound).
This behavior can be changed and OSB can be forced to use passive mode for both inbound and outbound FTP requests by applying a patch. -
I'm sure the root cause is probably outside of Dreamweaver
but out of the
blue Dreamweaver has lost the ability to connect to any of my
previously set
up sites unless I change the FTP mode to passive.
I know Saratoga Sam asked this question just over a week ago
but as he did
not get any solution and as I've just started experiencing
the same thing I
thought I'd ask if anyone else has suddenly started being
told to use
Passive FTP by Dreamweaver.
Any input greatly appreciated.
Thanks
Phill
P Hellewell
P&M Software
Maintenance Management Software
http://www.pmsoftware.co.ukYou'll find many posts here over the years resulting from
problems with NIS.
Frankly, I would never let anything Norton touch my
hardware.... 8)
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com
- Template Triage!
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
http://www.macromedia.com/support/search/
- Macromedia (MM) Technotes
==================
"Phill Hellewell (pmsoftware)" <[email protected]>
wrote in message
news:eub24b$lh$[email protected]..
> "Murray *ACE*" <[email protected]>
wrote in message
>
>> Such problems are almost always due to a change in
the properties of your
>> local firewall. What firewall are you running and
what has changed?
>>
>
> Norton Internet Security.
>
> I haven't changed anything, Norton Internet Security
might have changed
> something its self during an update. I'll have to have a
look. I suppose I
> was hoping someone might have encountered the same
problem a la FTP
> passwords and IE7 (resolved with update 8.02).
>
> Ho hum! I'll go and have a poke around and see what I
can find.
>
> Thanks
>
> Phill
>
>
>
> P Hellewell
> P&M Software
> Maintenance Management Software
>
http://www.pmsoftware.co.uk
> -
Passive ftp ports allowed thru firwall
I need to allow a connection thru my firewall for passive ftp connection.
I figure to create a service defining the ports. What ports should I include in that service?You should enable FTP inspection and allow tcp/21, then everything should be detected on the fly
Michael
Please rate all helpful posts -
Let's Revisit MacOS Server's Passive FTP Problem
Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections. More often than not, this means that clients behind NAT routers (for a variety of complicated reasons) can't discover which of the "high ports" are being used in their passive connection. Furthermore the Mac OS X administrator would have to open every port above 1024 to anticipate connections, severly weakening the security of the system.
The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
Here's a primer on the difference between Active and Passive FTP:
http://slacksite.com/other/ftp.html
Apple introduced a "solution" to the problem by making this addition to the Network Services manual sometime around 10.3 server:
"See if the client is using FTP passive mode, and turn it off. Passive mode causes the FTP server to open a connection on a dynamically determined port to the client, which could conflict with port filters set up in IP filter service. "
This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations. The typical workaround was choppy, but workable: replace Apple's built-in FTP daemon with a fully configurable one like ProFTPd or PureFTPd, configure a narrow range of ports for your own security, and configure your firewall to match.
We're on Tiger server now and that's still in the Network Services manual. Leopard or whatever is looming. Will Apple ship an FTP server that works out-of-the-box with its own firewall this time? Any new thoughts or solutions?I think you need to do a little more research on FTP. Most of the actual problems you describe are inherent in FTP and nothing to do with any kind of Apple-inhibited FTP server.
For example, you say:
> Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections
Not true. You can choose whatever port range you like using the portrange directive in /etc/ftpd.conf
By default this directive isn't set so the entire port range is used. Feel free to change that.
>The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
This is an inherent flaw in FTP, suffered by every FTP server on the market. Nothing to do with Apple.
> This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations
Again, incorrect. The suggestion was a workaround for the FTP protocol restriction, not for Apple's implementation. I've been dealing with the exact same issues for years on various Sun servers I've run.
Most of the problems you describe regarding FTP and firewalls won't be solved at all in any future OS update - from any vendor. FTP was never designed with firewalls and security in mind. The only solution is to fix the underlying protocol, or use something different altogether. -
Active vs. Passive FTP?
Can someone explain in lay terms the difference?
bobtem wrote:
> Can someone explain in lay terms the difference?
Try this:
http://slacksite.com/other/ftp.html
In my experience, if you have a router or firewall on your
computer or
network, then you should select passive.
If your ftp server is on the same physical network as your
client, then
use passive. This is because there are no firewalls blocking
access to
the random ports that the ftp server will open for the
client.
Dooza -
NAT: Passive FTP with non standard port
Hi all,
I have an ASA 5515 and four FTP server. Currently I have everything configured properly for three of the server that I need. For the fourth I have two possibilities:
1) use the IP configured for the external interface.
2) use one of the ip used for other FTP but uses another port.
Is possible option 1? I did not succeed.
I was then trying to use this configuration:
<public ip>: 2121 -> <internal ip> 21
<public ip>: 2120 -> <internal ip> 20
The problem is that I can just log in but not access to the folders.
I changed the service policy as well but still not working:
class-map inspection_default
match default-inspection-traffic
class-map FTP-2121
match port tcp range 2120 2121
policy-map global_policy
class inspection_default
inspect ftp
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class FTP-2121
inspect ftp
Here is the output of sh service-policy:
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 186535, lock fail 0, drop 188, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 6539637, lock fail 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: http, packet 1581437285, lock fail 0, drop 0, reset-drop 0
Inspect: netbios, packet 105420, lock fail 0, drop 0, reset-drop 0
Inspect: pptp, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: rsh, packet 7, lock fail 0, drop 0, reset-drop 0
Inspect: rtsp, packet 3857828, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sip , packet 3, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0
Class-map: FTP-2121
Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0Hi bro
If you were you, to achieve this requirement, I wouldn't use MPF. To much work, for a simple requirement. What I would do is as shown below;
static (inside,outside) tcp 202.188.1.14 2120 10.10.10.14 20 netmask 255.255.255.255
static (inside,outside) tcp 202.188.1.14 2121 10.10.10.14 21 netmask 255.255.255.255
access-list acl_outside permit tcp any host 202.188.1.14 range 20 21
access-group acl_outside in interface outside
Note: Please remove all the MPF commands that you've inserted, back to default.
Maybe you are looking for
-
Getting your RSS feed to work without .Mac
OK, so there have been a few people asking about this and I have figured out a way around it. I must warn you it is not a simple solution, but if you are comfortable using Text Edit to modify the code of your pages, it is a piece of cake - but still
-
Quick Switch Between Mic & Speakers?
I prefer recording sections through an external mic and then listening to the recording from the main speakers in the computer. Is there a shortcut for doing this? Every time I have to unplug the USB and hit YES to use the main speakers for audio and
-
Start Routine for transfer rules
Hello experts, I want to use the SQL DISTINCT keyword to return non-duplicate results from a table in a DataSource (data base) in a the start routine for the transfer rules. How do I address that table in the start routine of the TR? I thought about
-
Safari Browser Issue: Version 6.0.2
I am currently using safari version 6.0.2 ... and i am facing lot of issues with the browser... while trying to open any website using safari its taking too long and most of the times i am getting hour glass .... Really frustrating and when i used go
-
Query question, OINV, OCRD, CRD1
When I try to create a query with the 3 tables above when I add the CRD1 the invoice numbers begin to duplicate. Is this a problem with the JOIN statements automatically created by the Generator? Thanks, Jeff SELECT * FROM OINV T0 INNER JOIN OCRD