[c-nsp] FWSM v2.3 and FTP

Jorge Evangelista netsecuredata at gmail.com
Wed Jul 25 00:04:08 EDT 2007


Try to make an access-list between your host and the server, then see the
logs with the command debug ip packet ACL detail.
You can use other commands for tracking the issue, such as debug packet and
debug access-list.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/command/reference/df.pdf


On 7/24/07, Patrick Vanderstocken <patrhak at gmail.com> wrote:
> Very unusual indeed. Have you tried using inspect ftp instead of disabling it?
> I've seen cases where fixups (replaced by inspect nowadays) really
> help with protocol handling...
>
> Pat
>
> On 7/24/07, varaillon <j.varaillon at cosmoline.com> wrote:
> > Sorry, just a long, long day: we are using version 3.1(5) and not 2.x.
> >
> > Christophe
> >
> > -----Original Message-----
> > From: varaillon [mailto:j.varaillon at cosmoline.com]
> > Sent: Tuesday, July 24, 2007 12:05 PM
> > To: 'cisco-nsp at puck.nether.net'
> > Subject: FWSM v2.3 and FTP
> >
> > Hi,
> >
> > We had that topology:
> >
> > Server1,Server2---7200---Server3,Server4
> >
> > We changed it to that topology:
> >
> > Server1,Server2---(dmz)---FWSM---(outside)---Server3,Server4
> >
> > The goal is to use FTP to transfer files (2 MB in size) between Server2 and
> > Server1.
> >
> > The problem occurs soon after Server2 starts sending data.
> > As soon as a few hundred KB have been transferred, we get the error message:
> > "connection reset by peer".
> >
> > This issue occurs between:
> > Server3 and Server1
> > Server3 and Server2
> >
> > However there is no FTP issue between:
> > Server3 and Server1
> > Server4 and Server1
> >
> > On the FWSM I tried the following, but it did not solve the issue:
> > - ACL permitting everything I/O
> > - no inspect ftp
> > - norandomseq on each relevant translation rule
> > - reload Server1
> > - restart the relevant process on Server2
> >
> > So we reverted to the former topology:
> >
> > Server1,Server2---7200---Server3,Server4
> >
> > ...and without doing any reload/restart on any server, the FTP issue no
> > longer existed.
> >
> > Since replacing the FWSM with the 7200 router solves the issue and replacing
> > the 7200 with the FWSM creates the issue, it is clear that the FWSM is the
> > problem.
> >
> > But since the ACL allows everything, no inspect is done on FTP, and we also
> > disabled randomized sequence numbers (in case one server already has a
> > firewall), what else could be done on the FWSM?
> >
> > Any suggestions/comments would be welcome.
> >
> > Thanks!
> >
> > Christophe
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>


-- 
"The network is the computer"
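Jorge's advice above amounts to looking at the firewall's own connection logs rather than the servers. As an added example that is not part of this thread, the script below parses FWSM TCP teardown syslog messages (the 302014 "Teardown TCP connection ... reason" format shared by the FWSM and ASA) for one host pair and tallies the teardown reason and the byte count reached before each teardown, which is exactly the evidence needed to tell a reset injected on the outside side from one sent by the DMZ host. The sample lines, addresses and interface names are constructed for illustration and do not come from the original posters.

```python
"""Summarise FWSM TCP teardown reasons for one host pair (added example).

Message layout follows the FWSM/ASA 302013 (build) and 302014 (teardown)
syslog format. SAMPLE_LOGS, the addresses and the interface names are
constructed for this example and are not from the original thread.
"""
import re
from collections import Counter

# 302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#         duration hh:mm:ss bytes <n> [<reason>]
TEARDOWN_RE = re.compile(
    r"%FWSM-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

# Constructed sample: an FTP control connection (port 21) that closes cleanly
# and two active-mode data connections (from port 20) that die with a reset
# arriving from the outside interface after roughly 100 KB.
SAMPLE_LOGS = """\
%FWSM-6-302013: Built outbound TCP connection 12345 for dmz:10.1.1.2/41000 (10.1.1.2/41000) to outside:192.0.2.3/21 (192.0.2.3/21)
%FWSM-6-302013: Built inbound TCP connection 12346 for outside:192.0.2.3/20 (192.0.2.3/20) to dmz:10.1.1.2/41001 (10.1.1.2/41001)
%FWSM-6-302014: Teardown TCP connection 12346 for outside:192.0.2.3/20 to dmz:10.1.1.2/41001 duration 0:00:02 bytes 131072 TCP Reset-O
%FWSM-6-302014: Teardown TCP connection 12345 for dmz:10.1.1.2/41000 to outside:192.0.2.3/21 duration 0:00:09 bytes 1432 TCP FINs
%FWSM-6-302013: Built inbound TCP connection 12347 for outside:192.0.2.3/20 (192.0.2.3/20) to dmz:10.1.1.2/41002 (10.1.1.2/41002)
%FWSM-6-302014: Teardown TCP connection 12347 for outside:192.0.2.3/20 to dmz:10.1.1.2/41002 duration 0:00:03 bytes 98304 TCP Reset-O
%FWSM-6-302014: Teardown TCP connection 12350 for dmz:10.1.1.1/40500 to outside:192.0.2.4/21 duration 0:01:10 bytes 2097152 TCP FINs
"""


def parse_teardowns(text):
    """Return one dict per 302014 line; build messages and noise are ignored."""
    flows = []
    for line in text.splitlines():
        m = TEARDOWN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("id", "sport", "dport", "bytes"):
            d[key] = int(d[key])
        d["reason"] = d["reason"] or "unknown"
        flows.append(d)
    return flows


def teardowns_between(flows, host_a, host_b):
    """Keep only flows whose two endpoints are exactly the given pair."""
    pair = {host_a, host_b}
    return [f for f in flows if {f["src"], f["dst"]} == pair]


def diagnose(text, host_a, host_b):
    """Tally teardown reasons for a host pair and note where resets came from.

    On the FWSM/ASA, 'TCP Reset-O' means the RST arrived from the outside
    (lower-security) interface and 'TCP Reset-I' from the inside
    (higher-security) interface, so the split tells you which side is
    killing the transfer.
    """
    flows = teardowns_between(parse_teardowns(text), host_a, host_b)
    reasons = Counter(f["reason"] for f in flows)
    reset_from = {
        "outside": reasons.get("TCP Reset-O", 0),
        "inside": reasons.get("TCP Reset-I", 0),
    }
    bytes_at_reset = [f["bytes"] for f in flows if f["reason"].startswith("TCP Reset")]
    return {
        "flows": len(flows),
        "reasons": reasons,
        "reset_from": reset_from,
        "bytes_at_reset": bytes_at_reset,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOGS, "10.1.1.2", "192.0.2.3")
    print(f"{result['flows']} teardowns between the pair")
    for reason, count in result["reasons"].most_common():
        print(f"  {count:>3}  {reason}")
    print("resets from outside/inside:", result["reset_from"])
    print("bytes transferred before each reset:", result["bytes_at_reset"])
```

The 302014 messages are severity 6 (informational), so the FWSM's logging level for the buffer or syslog server has to be at least informational for them to appear at all. If a data connection is torn down with "Flow closed by inspection" rather than a reset, the FTP inspection engine itself ended it, which is the case where Patrick's suggestion to compare behaviour with and without inspect ftp is decisive.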

