[c-nsp] FWSM v2.3 and FTP

Voll, Scott Scott.Voll at wesd.org
Wed Jul 25 10:39:27 EDT 2007


I also like to use "capture" on each interface in and out to see where
the issue is.

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jorge
Evangelista
Sent: Tuesday, July 24, 2007 9:04 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM v2.3 and FTP

Try to make an access-list between your host and the server, then see the
logs with the command "debug ip packet ACL detail".
You can use other commands for tracking the issue, such as "debug packet"
and "debug access-list".

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/command/reference/df.pdf


On 7/24/07, Patrick Vanderstocken <patrhak at gmail.com> wrote:
> Very unusual indeed; have you tried using inspect ftp instead of
> disabling it?
> I've seen cases when fixups (replaced by inspect nowadays) really
> helps with protocol handling ...
>
> Pat
>
> On 7/24/07, varaillon <j.varaillon at cosmoline.com> wrote:
> > Sorry, just a long, long day; we are using version 3.1(5) and not 2.x.
> >
> > Christophe
> >
> > -----Original Message-----
> > From: varaillon [mailto:j.varaillon at cosmoline.com]
> > Sent: Tuesday, July 24, 2007 12:05 PM
> > To: 'cisco-nsp at puck.nether.net'
> > Subject: FWSM v2.3 and FTP
> >
> > Hi,
> >
> > We had this topology:
> >
> > Server1,Server2---7200---Server3,Server4
> >
> > We changed it to this topology:
> >
> > Server1,Server2---(dmz)---FWSM---(outside)---Server3,Server4
> >
> > The goal is to use FTP to transfer files (2 MB in size) between Server2
> > and Server1.
> >
> > The problem occurs soon after Server2 starts sending data.
> > As soon as a few 100 KB have been transferred we get the error message:
> > "connection reset by peer".
> >
> > This issue occurs between:
> > Server3 and Server1
> > Server3 and Server2
> >
> > However there is no FTP issue between:
> > Server3 and Server1
> > Server4 and Server1
> >
> > On the FWSM I tried the following but it did not solve the issue:
> > - ACL permitting everything I/O
> > - no inspect ftp
> > - norandomseq on each relevant translation rule
> > - reload Server1
> > - restart relevant process on Server2
> >
> > So we reverted to the former topology:
> >
> > Server1,Server2---7200---Server3,Server4
> >
> > ...and without doing any reload/restart on any servers, the FTP issue did
> > not exist any longer.
> >
> > Since replacing the FWSM by the 7200 router solves the issue and replacing
> > the 7200 by the FWSM creates the issue, it is clear that the FWSM is the
> > problem.
> >
> > But since the ACL allows everything, no inspect is done on FTP and we also
> > disabled randomized sequence numbers (in case one server already has a
> > firewall), what else could be done on the FWSM?
> >
> > Any suggestions/comments would be welcome.
> >
> > Thanks!
> >
> > Christophe
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >


-- 
"The network is the computer"
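The capture-on-both-interfaces approach Scott mentions, written out as an added example for FWSM 3.1(x) CLI. This is not configuration from the thread or from Cisco's documentation; the interface names dmz and outside come from Christophe's diagram, but the host addresses (Server1 = 10.1.1.10, Server3 = 192.0.2.30), the TFTP server 10.1.1.50 and the capture/ACL names are made up for illustration.

```text
! Added example (not from the thread). Addresses and object names are assumed:
! Server1 = 10.1.1.10 on dmz, Server3 = 192.0.2.30 on outside, TFTP = 10.1.1.50.

! Match everything between the two hosts in both directions, not just tcp/21:
! with "no inspect ftp" the data connection uses whatever port PORT/PASV
! negotiated, and that is where the reset shows up.
access-list CAP_FTP extended permit ip host 10.1.1.10 host 192.0.2.30
access-list CAP_FTP extended permit ip host 192.0.2.30 host 10.1.1.10

! One capture per interface. packet-length 1500 keeps whole packets so the
! FTP commands/replies and the TCP flags (RST) are readable.
capture CAP_DMZ access-list CAP_FTP interface dmz packet-length 1500
capture CAP_OUT access-list CAP_FTP interface outside packet-length 1500

! Reproduce the transfer, then compare the two sides. A segment present on
! one interface and absent on the other, or a RST that appears on the
! FWSM-facing side before the server ever sends one, points at the module
! rather than the servers.
show capture CAP_DMZ
show capture CAP_OUT

! Export for Wireshark; the sequence numbers on each side are the quickest
! way to confirm whether norandomseq is actually in effect for this flow.
copy /pcap capture:CAP_DMZ tftp://10.1.1.50/cap_dmz.pcap
copy /pcap capture:CAP_OUT tftp://10.1.1.50/cap_out.pcap

! The teardown syslog (302014) carries the FWSM's own reason for closing the
! connection; buffer it and read it alongside the captures.
logging enable
logging buffered informational
show logging | include 302014

! Pat's suggestion, for comparison: re-enable inspection under the default
! global policy instead of disabling it, then repeat the capture.
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! Clean up when done; captures consume module memory.
no capture CAP_DMZ
no capture CAP_OUT
```

Run the transfer once with "no inspect ftp" and once with "inspect ftp" while both captures are active, and keep the 302014 lines from each run; the reason string in the teardown message is what distinguishes a reset forwarded from a server from one originated by the FWSM.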