1. Active Mode
2. Passive Mode

FTP server is vsftpd.

1. Cisco: ACL: CBAC (Context-Based Access Control)
2. Cisco: Reflexive ACL
3. Following Simple Extended ACL
   1. FTP Active Mode
   2. FTP Passive Mode
   3. FTP Active Mode w/ established
   4. FTP Passive Mode w/ established

network-security.acl.example.ftp.a7982d66

- Topology Description: ACL: Example: FTP: Active Mode, Passive Mode
- Topology ID: ''a7982d66-91df-42e4-b74d-bd9c6cb77d14''
- Lab Password: EgkhdSc5mw

### Links

Cisco: ACL: Example: FTP: Active Mode, Passive Mode [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:ftp:ftp

1. CML-P 2.0 Lab: network-security.acl.example.ftp.a7982d66.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab
2. Topology diagram: topologies.vsdx · master · CCIE Enterprise Infrastructure v1.0 / My Documents · GitLab

Common Configuration Snippet

1. enp0s2 → ens2
2. enp0s3 → ens3

CML 2.1 Interface shows enp0s2, but actually interpreted interface name is ens2…
Also, ens3

Issue: 1aa5d9f1 CML-P 2.1 refplat_p-20201020-fcs.iso Ubuntu 20.04(Focal) has wrong interface name

ubuntu-0

#cloud-config
password: EgkhdSc5mw
chpasswd: { expire: False }
hostname: ubuntu-0
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
packages:
   - curl
   - ftp
   - iperf
   - iperf3
   - netcat-openbsd
   - bind9-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           ens2:
              dhcp4: true
              dhcp6: true
              match:
                 name: ens2
           ens3:
              match:
                 name: ens3
              addresses:
                 - 10.1.1.200/24
              routes:
                 - to: 10.0.0.0/8
                   via: 10.1.1.1
                   metric: 0
              #gateway4: 198.168.255.1
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

ubuntu-1

#cloud-config
password: EgkhdSc5mw
chpasswd: { expire: False }
hostname: ubuntu-1
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
packages:
   - apache2
   - php
   - curl
   - vsftpd
   - ftp
   - iperf
   - iperf3
   - netcat-openbsd
   - bind9-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           ens2:
              dhcp4: true
              dhcp6: true
              match:
                 name: ens2
           ens3:
              match:
                 name: ens3
              addresses:
                 - 10.2.2.201/24
              routes:
                 - to: 10.0.0.0/8
                   via: 10.2.2.1
                   metric: 0
              #gateway4: 198.168.255.1
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

R1

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 10.2.2.1 255.255.255.0
 no shutdown
!
end

• ubnuntu-0

sudo apt install ftp

• ubnuntu-1

sudo apt install vsftpd

icmp or tcp
icmp or tcp.port in {20 21}

configure terminal
!
access-list 101 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp
access-list 101 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp-data
!
interface GigabitEthernet 0/0
 ip access-group 101 in
!
end

ping 10.2.2.201
ftp 10.2.2.201

cd /etc
get passwd

384	2020-12-06 18:11:51.855600	10.2.2.201	10.1.1.200	FTP	113	Response: 227 Entering Passive Mode (10,2,2,201,77,92).

(A,B,C,D,E,F)
E * 256 + F
77 * 256 + 92 = 19804

icmp or tcp

configure terminal
!
access-list 102 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp
! ephemeral port
access-list 102 permit tcp host 10.1.1.200 host 10.2.2.201 gt 1023
!
interface GigabitEthernet 0/0
 ip access-group 102 in
!
end

ping 10.2.2.201
ftp 10.2.2.201

passive
cd /etc
get passwd

active mode

512	2020-12-06 18:22:41.099560	10.1.1.200	10.2.2.201	FTP	91	Request: PORT 10,1,1,200,193,141

(A,B,C,D,E,F)
E * 256 + F
193 * 256 + 141 = 49549

Frame 525: 70 bytes on wire (560 bits), 70 bytes captured (560 bits) on interface -, id 0
Ethernet II, Src: RealtekU_0f:67:18 (52:54:00:0f:67:18), Dst: RealtekU_0f:8c:15 (52:54:00:0f:8c:15)
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.1.1.200
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 13 (Communication administratively filtered)
    Checksum: 0x0239 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 10.1.1.200, Dst: 10.2.2.201
    Transmission Control Protocol, Src Port: 49549, Dst Port: 20

passive mode

561	2020-12-06 18:24:55.938402	10.2.2.201	10.1.1.200	FTP	114	Response: 227 Entering Passive Mode (10,2,2,201,126,56).

(A,B,C,D,E,F)
E * 256 + F
126 * 256 + 56 = 32312

icmp or tcp
icmp or tcp.port in {20 21}

configure terminal
!
access-list 103 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp
access-list 103 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp-data established
!
access-list 104 permit tcp host 10.2.2.201 eq ftp host 10.1.1.200 established
access-list 104 permit tcp host 10.2.2.201 eq ftp-data host 10.1.1.200
!
interface GigabitEthernet 0/0
 ip access-group 103 in
interface GigabitEthernet 0/1
 ip access-group 104 in
!
end

active mode

898	2020-12-06 19:03:08.837097	10.1.1.200	10.2.2.201	FTP	89	Request: PORT 10,1,1,200,158,1

(A,B,C,D,E,F)
E * 256 + F
158 * 256 + 1 = 40449

passive mode

933	2020-12-06 19:05:12.547046	10.2.2.201	10.1.1.200	FTP	115	Response: 227 Entering Passive Mode (10,2,2,201,113,245).

(A,B,C,D,E,F)
E * 256 + F
113 * 256 + 245 = 29173

icmp or tcp

configure terminal
!
access-list 105 permit tcp host 10.1.1.200 host 10.2.2.201 eq ftp
! ephemeral port
access-list 105 permit tcp host 10.1.1.200 host 10.2.2.201 gt 1023
!
access-list 106 permit tcp host 10.2.2.201 eq ftp host 10.1.1.200 established
! ephemeral port
access-list 106 permit tcp host 10.2.2.201 gt 1023 host 10.1.1.200 established
!
interface GigabitEthernet 0/0
 ip access-group 105 in
interface GigabitEthernet 0/1
 ip access-group 106 in
!
end

1041	2020-12-06 19:15:46.744615	10.1.1.200	10.2.2.201	TCP	74	56806 → 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3824331117 TSecr=0 WS=128
1042	2020-12-06 19:15:46.747162	10.2.2.201	10.1.1.200	TCP	74	21 → 56806 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2415685427 TSecr=3824331117 WS=128

active mode

1067	2020-12-06 19:16:40.121042	10.1.1.200	10.2.2.201	FTP	91	Request: PORT 10,1,1,200,194,123

(A,B,C,D,E,F)
E * 256 + F
194 * 256 + 123 = 49787

passive mode

1087	2020-12-06 19:18:29.953127	10.2.2.201	10.1.1.200	FTP	114	Response: 227 Entering Passive Mode (10,2,2,201,94,187).
1089	2020-12-06 19:18:29.953731	10.1.1.200	10.2.2.201	TCP	74	39482 → 24251 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3824494326 TSecr=0 WS=128
1090	2020-12-06 19:18:29.955526	10.2.2.201	10.1.1.200	TCP	74	24251 → 39482 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2415848637 TSecr=3824494326 WS=128

(A,B,C,D,E,F)
E * 256 + F
94 * 256 + 187 = 24251

R1 terminal log

ubuntu-0 terminal log

ubuntu-1 terminal log

Wireshark Packet Capture Result

1. ACL - FTPアクティブモード、FTPパッシブモード