[c-nsp] FWSM v2.3 and FTP

Patrick Vanderstocken patrhak at gmail.com
Tue Jul 24 18:19:06 EDT 2007


Very unusual indeed, have you tried using inspect ftp instead of disabling it?
I've seen cases when fixups (replaced by inspect nowadays) really
help with protocol handling ...

Pat

On 7/24/07, varaillon <j.varaillon at cosmoline.com> wrote:
> Sorry, just a long, long day; we are using version 3.1(5) and not 2.x
>
> Christophe
>
> -----Original Message-----
> From: varaillon [mailto:j.varaillon at cosmoline.com]
> Sent: Tuesday, July 24, 2007 12:05 PM
> To: 'cisco-nsp at puck.nether.net'
> Subject: FWSM v2.3 and FTP
>
> Hi,
>
> We had that topology:
>
> Server1,Server2---7200---Server3,Server4
>
> We changed it to that topology:
>
> Server1,Server2---(dmz)---FWSM---(outside)---Server3,Server4
>
> The goal is to use FTP to transfer files (2MBs size) between Server2 and
> Server1.
>
> The problem occurs soon after Server2 starts sending data.
> As soon as a few 100 KB have been transferred we get the error message:
> "connection reset by peer".
>
> This issue occurs between:
> Server3 and Server1
> Server3 and Server2
>
> However there is no FTP issue between:
> Server3 and Server1
> Server4 and Server1
>
> On the FWSM I tried the following but it did not solve the issue:
> - ACL permitting everything I/O
> - no inspect ftp
> - norandomseq on each relevant translation rule
> - reload Server1
> - restart relevant process on Server2
>
> So we moved back to the former topology:
>
> Server1,Server2---7200---Server3,Server4
>
> ...and without doing any reload/restart on any servers, the FTP issue did
> not exist any longer.
>
> Since replacing the FWSM by the router 7200 solves the issue and replacing
> the 7200 by the FWSM creates the issue, it is clear that the FWSM is the
> problem.
>
> But since the ACL allows everything, no inspect is done on FTP and also we
> disabled randomized sequence number (in case one server already has a
> firewall), what else could be done on the FWSM?
>
> Any suggestions/comments would be welcome.
>
> Thanks!
>
> Christophe
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
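As an added illustration, not configuration taken from this thread or from Cisco documentation, here are the FWSM 3.x commands behind the two settings discussed above: FTP inspection in the default global policy (what Pat suggests re-enabling, and what `fixup protocol ftp 21` did on 2.x), shown in its disabled and enabled forms, next to a static translation carrying `norandomseq`. The interface names dmz and outside come from the thread; the addresses are constructed documentation-range values and the policy-map names are the FWSM defaults.

```cisco
! --- Setting tried in the thread: FTP inspection switched off ---
! Without inspection the firewall does not read the PORT / 227 PASV
! replies on the control channel, so it neither rewrites the embedded
! addresses nor opens the data connection automatically.
policy-map global_policy
 class inspection_default
  no inspect ftp

! --- Suggested setting: FTP inspection back on in the default policy ---
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global

! --- Static translation with sequence-number randomization disabled ---
! Constructed addresses: 192.0.2.10 on outside maps to 10.10.10.10 on dmz.
static (dmz,outside) 192.0.2.10 10.10.10.10 netmask 255.255.255.255 norandomseq

! --- Checks after the change ---
show service-policy          ! confirms inspect ftp is active and counting packets
show conn                    ! FTP data connections should appear alongside the control session
```

Leaving inspection off is only safe when the translation does not change the addresses the FTP peers announce to each other; behind a static NAT, the data connection then depends entirely on the ACL and on the peers agreeing on reachable addresses, which is why turning the fixup back on is the first thing to try before looking at the servers.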
