Cisco: ACL: Example: FTP: Active Mode, Passive Mode

  1. Active Mode
  2. Passive Mode

The FTP server is vsftpd (ubuntu-1); the client is the command-line ftp tool (ubuntu-0).

Summary: how to control FTP traffic with extended ACLs

  1. The following simple extended ACLs:
    1. FTP Active Mode
    2. FTP Passive Mode
    3. FTP Active Mode w/ established
    4. FTP Passive Mode w/ established

FTP ACL Lab a7982d66-91df-42e4-b74d-bd9c6cb77d14

network-security.acl.example.ftp.a7982d66
- Topology Description: ACL: Example: FTP: Active Mode, Passive Mode
- Topology ID: ''a7982d66-91df-42e4-b74d-bd9c6cb77d14''
- Lab Password: EgkhdSc5mw

### Links

Cisco: ACL: Example: FTP: Active Mode, Passive Mode [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:ftp:ftp

Base Configuration

Common Configuration Snippet

  1. enp0s2 is actually ens2
  2. enp0s3 is actually ens3

The CML 2.1 interface list shows enp0s2, but the interface name the guest actually uses is ens2;
likewise enp0s3 is really ens3.

Issue: 1aa5d9f1 CML-P 2.1 refplat_p-20201020-fcs.iso Ubuntu 20.04 (Focal) has the wrong interface name

ubuntu-0

ubuntu-1

R1

  • ubuntu-0 (client)
sudo apt install ftp
  • ubuntu-1 (server)
sudo apt install vsftpd

FTP Active Mode with ACL

Wireshark display filters used in this section:
icmp or tcp
icmp or tcp.port in {20 21}
configure terminal
!
access-list 101 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp
access-list 101 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp-data
!
interface GigabitEthernet 0/0
 ip access-group 101 in
!
end
ping 10.2.2.201
ftp 10.2.2.201
cd /etc
get passwd
With ACL 101 the router permits, inbound on Gi0/0, only TCP from the client to ports 21 and 20 of the server. Active mode works: the server opens the data connection from port 20, and the client's replies to port 20 match the second entry. A passive-mode transfer fails, because the server advertises an ephemeral port that no entry permits, as in this capture:
384	2020-12-06 18:11:51.855600	10.2.2.201	10.1.1.200	FTP	113	Response: 227 Entering Passive Mode (10,2,2,201,77,92).
The six fields are (A,B,C,D,E,F): A.B.C.D is the data-connection address and the port is E * 256 + F.
77 * 256 + 92 = 19804, so the client's SYN to 10.2.2.201:19804 hits the implicit deny of ACL 101.
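The E * 256 + F arithmetic above is the same for every PORT request and 227 reply on this page. The following Python is an added example, not code from the original page: it parses those control-channel lines, computes the data port, and rejects an endpoint that does not belong to the control-connection peer (the check that stops a PASV redirect to a third host on the client side and the FTP bounce attack via PORT on the server side; vsftpd applies the server-side check itself unless port_promiscuous is enabled). Refusing ports at or below 1023 is a policy choice of this example, matching the gt 1023 entries used later on this page. The sample lines are copied from the capture excerpts on this page; the function names are mine.

```python
"""Parse FTP PORT requests and 227 (PASV) replies (added example)."""
import re
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# h1,h2,h3,h4,p1,p2 as carried by both "PORT h1,h2,h3,h4,p1,p2" and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line: str, expected_host: Optional[str] = None) -> Tuple[str, int]:
    """Return (host, port) from a PORT request or 227 reply; port = p1 * 256 + p2.

    With expected_host set, an endpoint that is not the control-connection peer
    is rejected: on the client side that refuses a PASV redirect to a third host,
    on the server side it refuses the FTP bounce (a PORT aimed at another machine).
    """
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= x <= 255 for x in fields):
        raise ValueError(f"field out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    host = str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))
    port = p1 * 256 + p2
    if port <= 1023:
        # Policy choice of this example: only ephemeral ports, matching 'gt 1023' in the ACLs.
        raise ValueError(f"data port {port} is not above 1023")
    if expected_host is not None and host != expected_host:
        raise ValueError(f"endpoint {host} is not the control peer {expected_host}")
    return host, port


# Constructed sample: control-channel lines copied from the captures on this page.
SAMPLE_LINES = [
    "Response: 227 Entering Passive Mode (10,2,2,201,77,92).",
    "Request: PORT 10,1,1,200,193,141",
    "Response: 227 Entering Passive Mode (10,2,2,201,94,187).",
]


def data_endpoints(lines: List[str], client: str = "10.1.1.200",
                   server: str = "10.2.2.201") -> List[Tuple[str, str, int]]:
    """Map each control line to (mode, host, port) of the data connection.

    PORT is sent by the client and names the client address (active mode);
    227 is sent by the server and names the server address (passive mode).
    """
    out = []
    for line in lines:
        if "PORT " in line:
            host, port = parse_hostport(line, expected_host=client)
            out.append(("active", host, port))
        elif " 227 " in line:
            host, port = parse_hostport(line, expected_host=server)
            out.append(("passive", host, port))
    return out


if __name__ == "__main__":
    for mode, host, port in data_endpoints(SAMPLE_LINES):
        print(f"{mode:8} data connection endpoint {host}:{port}")
```

Run as a script it prints the three data-connection endpoints; feed it the Info column of a Wireshark export filtered on `ftp` to get every data port a session used.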

FTP Passive Mode with ACL

Wireshark display filter used in this section:
icmp or tcp
configure terminal
!
access-list 102 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp
! passive mode: the server picks an ephemeral data port (> 1023)
access-list 102 permit tcp host 10.1.1.200 host 10.2.2.201 gt 1023
!
interface GigabitEthernet 0/0
 ip access-group 102 in
!
end
ping 10.2.2.201
ftp 10.2.2.201
passive
cd /etc
get passwd

Active mode (denied by ACL 102):

512	2020-12-06 18:22:41.099560	10.1.1.200	10.2.2.201	FTP	91	Request: PORT 10,1,1,200,193,141
PORT carries (A,B,C,D,E,F): the client asks the server to connect to A.B.C.D on port E * 256 + F.
193 * 256 + 141 = 49549
The server then opens the data connection from port 20 to 10.1.1.200:49549. The client's reply (source port 49549, destination port 20) enters Gi0/0 and matches neither entry of ACL 102 (destination port 20 is not ftp and not greater than 1023), so R1 drops it and answers from 10.1.1.1 with ICMP destination unreachable, code 13:
Frame 525: 70 bytes on wire (560 bits), 70 bytes captured (560 bits) on interface -, id 0
Ethernet II, Src: RealtekU_0f:67:18 (52:54:00:0f:67:18), Dst: RealtekU_0f:8c:15 (52:54:00:0f:8c:15)
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.1.1.200
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 13 (Communication administratively filtered)
    Checksum: 0x0239 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 10.1.1.200, Dst: 10.2.2.201
    Transmission Control Protocol, Src Port: 49549, Dst Port: 20

Passive mode (permitted by ACL 102):

561	2020-12-06 18:24:55.938402	10.2.2.201	10.1.1.200	FTP	114	Response: 227 Entering Passive Mode (10,2,2,201,126,56).
(A,B,C,D,E,F), port = E * 256 + F
126 * 256 + 56 = 32312; the client's connection to 10.2.2.201:32312 matches the gt 1023 entry of ACL 102.

FTP Active Mode with ACL w/ established

Wireshark display filters used in this section:
icmp or tcp
icmp or tcp.port in {20 21}
configure terminal
!
! Gi0/0 inbound (client -> server): the control connection, plus the client's
! replies to the server-initiated data connection (ACK bit set, hence established)
access-list 103 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp
access-list 103 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp-data established
!
! Gi0/1 inbound (server -> client): control replies only with the ACK/RST bit set;
! the data connection from port 20 may be opened by the server (no established)
access-list 104 permit tcp host 10.2.2.201 eq ftp host 10.1.1.200 established
access-list 104 permit tcp host 10.2.2.201 eq ftp-data host 10.1.1.200
!
interface GigabitEthernet 0/0
 ip access-group 103 in
interface GigabitEthernet 0/1
 ip access-group 104 in
!
end

Active mode (permitted by ACL 103/104):

898	2020-12-06 19:03:08.837097	10.1.1.200	10.2.2.201	FTP	89	Request: PORT 10,1,1,200,158,1
(A,B,C,D,E,F), port = E * 256 + F
158 * 256 + 1 = 40449; the server's SYN from port 20 to 10.1.1.200:40449 matches the second entry of ACL 104, and the client's reply to port 20 carries the ACK bit and matches the established entry of ACL 103.

Passive mode (denied):

933	2020-12-06 19:05:12.547046	10.2.2.201	10.1.1.200	FTP	115	Response: 227 Entering Passive Mode (10,2,2,201,113,245).
(A,B,C,D,E,F), port = E * 256 + F
113 * 256 + 245 = 29173; the client's SYN to 10.2.2.201:29173 matches no entry of ACL 103 and is dropped by the implicit deny.

FTP Passive Mode with ACL w/ established

Wireshark display filter used in this section:
icmp or tcp
configure terminal
!
! Gi0/0 inbound (client -> server): the control connection and the
! passive-mode data connection to the server's ephemeral port (> 1023)
access-list 105 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp
access-list 105 permit tcp host 10.1.1.200 host 10.2.2.201 gt 1023
!
! Gi0/1 inbound (server -> client): only packets with the ACK or RST bit set,
! so the server never initiates a connection toward the client
access-list 106 permit tcp host 10.2.2.201 eq ftp host 10.1.1.200 established
access-list 106 permit tcp host 10.2.2.201 gt 1023 host 10.1.1.200 established
!
interface GigabitEthernet 0/0
 ip access-group 105 in
interface GigabitEthernet 0/1
 ip access-group 106 in
!
end
Control connection handshake: the client's SYN to port 21 matches the first entry of ACL 105, and the SYN-ACK from port 21 has the ACK bit set and matches the established entry of ACL 106.

1041	2020-12-06 19:15:46.744615	10.1.1.200	10.2.2.201	TCP	74	56806 → 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3824331117 TSecr=0 WS=128
1042	2020-12-06 19:15:46.747162	10.2.2.201	10.1.1.200	TCP	74	21 → 56806 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2415685427 TSecr=3824331117 WS=128

Active mode (denied):

1067	2020-12-06 19:16:40.121042	10.1.1.200	10.2.2.201	FTP	91	Request: PORT 10,1,1,200,194,123
(A,B,C,D,E,F), port = E * 256 + F
194 * 256 + 123 = 49787; the server's SYN from port 20 to 10.1.1.200:49787 has no ACK bit and matches nothing in ACL 106, so it is dropped.

Passive mode (permitted):

1087	2020-12-06 19:18:29.953127	10.2.2.201	10.1.1.200	FTP	114	Response: 227 Entering Passive Mode (10,2,2,201,94,187).
1089	2020-12-06 19:18:29.953731	10.1.1.200	10.2.2.201	TCP	74	39482 → 24251 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3824494326 TSecr=0 WS=128
1090	2020-12-06 19:18:29.955526	10.2.2.201	10.1.1.200	TCP	74	24251 → 39482 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2415848637 TSecr=3824494326 WS=128
(A,B,C,D,E,F), port = E * 256 + F
94 * 256 + 187 = 24251; the client's SYN to 10.2.2.201:24251 matches the gt 1023 entry of ACL 105, and the SYN-ACK from port 24251 matches the gt 1023 ... established entry of ACL 106.
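To see why each of the four configurations on this page permits exactly one of the two FTP modes, here is an added Python model of them; it is not code from the original page. It assumes, as the ACL placement above implies, that Gi0/0 faces the client 10.1.1.200 and Gi0/1 faces the server 10.2.2.201, and it models the IOS established keyword as documented: the entry matches only TCP segments with the ACK or RST bit set. Each packet of the data-connection handshake is checked against the inbound ACL of the interface it enters R1 on; the data ports default to the ones computed above (49549 on the client, 19804 on the server). The last function shows the limit of established: it is not stateful, so ACL 106 also passes any ACK-flagged segment the server sends from a port above 1023, whether or not a connection exists. All names in the block are mine.

```python
"""Stateless model of the four FTP ACL configurations on this page (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

CLIENT, SERVER = "10.1.1.200", "10.2.2.201"   # ubuntu-0 and ubuntu-1 in the lab


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False    # ACK (or RST) bit set: the only thing 'established' looks at


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp host SRC [op n] host DST [op n] [established]' entry."""
    src: str
    dst: str
    sport: Optional[Tuple[str, int]] = None   # e.g. ("eq", 21) or ("gt", 1023)
    dport: Optional[Tuple[str, int]] = None
    established: bool = False


def port_match(cond, port):
    if cond is None:
        return True
    op, n = cond
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def permitted(acl, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if (ace.src == pkt.src and ace.dst == pkt.dst
                and port_match(ace.sport, pkt.sport)
                and port_match(ace.dport, pkt.dport)
                and (pkt.ack or not ace.established)):
            return True
    return False


# The six access lists exactly as configured on this page.
ACL = {
    101: [Ace(CLIENT, SERVER, dport=("eq", 21)),
          Ace(CLIENT, SERVER, dport=("eq", 20))],
    102: [Ace(CLIENT, SERVER, dport=("eq", 21)),
          Ace(CLIENT, SERVER, dport=("gt", 1023))],
    103: [Ace(CLIENT, SERVER, dport=("eq", 21)),
          Ace(CLIENT, SERVER, dport=("eq", 20), established=True)],
    104: [Ace(SERVER, CLIENT, sport=("eq", 21), established=True),
          Ace(SERVER, CLIENT, sport=("eq", 20))],
    105: [Ace(CLIENT, SERVER, dport=("eq", 21)),
          Ace(CLIENT, SERVER, dport=("gt", 1023))],
    106: [Ace(SERVER, CLIENT, sport=("eq", 21), established=True),
          Ace(SERVER, CLIENT, sport=("gt", 1023), established=True)],
}

# (Gi0/0 inbound ACL, Gi0/1 inbound ACL); None means no ACL on that interface.
LABS = {
    "ACL 101": (ACL[101], None),
    "ACL 102": (ACL[102], None),
    "ACL 103/104 established": (ACL[103], ACL[104]),
    "ACL 105/106 established": (ACL[105], ACL[106]),
}


def handshake(mode, client_port, server_port):
    """SYN, SYN-ACK and ACK of the data connection.
    Active: server:20 -> client:client_port. Passive: client -> server:server_port."""
    syn = (Pkt(SERVER, 20, CLIENT, client_port) if mode == "active"
           else Pkt(CLIENT, client_port, SERVER, server_port))
    synack = Pkt(syn.dst, syn.dport, syn.src, syn.sport, ack=True)
    ack = Pkt(syn.src, syn.sport, syn.dst, syn.dport, ack=True)
    return [syn, synack, ack]


def flow_allowed(gi00, gi01, pkts):
    """Check every packet against the inbound ACL of the interface it enters R1 on.
    Assumption: Gi0/0 faces the client subnet, Gi0/1 the server subnet."""
    for pkt in pkts:
        acl = gi00 if pkt.src == CLIENT else gi01
        if acl is not None and not permitted(acl, pkt):
            return False
    return True


def lab_results(client_port=49549, server_port=19804):
    """Which FTP mode each configuration lets through."""
    return {(lab, mode): flow_allowed(g0, g1, handshake(mode, client_port, server_port))
            for lab, (g0, g1) in LABS.items()
            for mode in ("active", "passive")}


def established_is_not_stateful():
    """A lone ACK segment from the server with a source port above 1023, belonging
    to no connection at all, still matches the second entry of ACL 106."""
    stray = Pkt(SERVER, 40000, CLIENT, 50000, ack=True)
    return permitted(ACL[106], stray)


if __name__ == "__main__":
    for (lab, mode), ok in lab_results().items():
        print(f"{lab:26} {mode:8} {'permitted' if ok else 'denied'}")
    print("ACL 106 passes a stray ACK segment:", established_is_not_stateful())
```

The model reproduces the four outcomes documented above: 101 and 103/104 permit only active mode, 102 and 105/106 only passive mode. The stray-ACK case is the reason a stateful inspection (CBAC or ZBF with an FTP inspect, which follows PORT/PASV and opens only the negotiated data port) is preferable to established and gt 1023 entries when the server side is not trusted.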

R1 terminal log

ubuntu-0 terminal log

ubuntu-1 terminal log

Wireshark Packet Capture Result

References

tech/network/cisco/security/network-security/acl/ftp/ftp.txt · Last modified: 2020/12/06 19:46 by wnoguchi