Security, WIDS/WIPS and Aruba ECS

Occasional Contributor I
Posts: 8
Registered: 05-28-2009

Does Aruba have problems with Passive FTP?

I have an Aruba 800 Controller running the new 3.4 version as the local firewall. Dell recently changed its support site to force users to a managed download using Passive FTP. It fails every time. I can do Active FTP, but not passive. I have FTP allowed on the outside port, and the inside port is open except for SMTP. (see excerpts from my config below).


ip access-list session OutsideWANPolicy
any any svc-ftp permit
ip access-list session CorpInsideAccessPolicy
user any svc-smtp deny
any any any permit


Wireshark shows a happy little FTP connection, the anonymous password accepted, everything is fine until the server and client agree to enter passive mode. No FTP traffic after the following:
302 57.862638 143.166.170.10 172.16.1.221 FTP Response: 227 Entering Passive Mode (143,166,170,10,241,226)

:mad: Anyone else see this and/or know what I need to do?
Guru Elite
Posts: 21,515
Registered: 03-29-2007

Passive FTP

What FTP client are you using?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 82
Registered: 02-15-2008

Re: Does Aruba have problems with Passive FTP?

Hello,

By using passive FTP it is not necessary for the server to contact the client; both connections are made by the client. The client uses two ports for this connection, n and n+1, both > 1024. On the first port the client contacts the server with the PASV command. After this the server opens its data port and sends it to the client as port P. So the client is able to make the connection between its port n+1 and the server port P.

So you have to open the firewall for all ports > 1024 if the server is not configured for a specific range of ports.

Client IP with Port >1024 -> Port 21 Server IP
Server Port 21 -> Client Ports >1024
Server Ports >1024 -> Client Ports >1024
Client Ports >1024 -> Server Ports >1024

Best Regards
Occasional Contributor I
Posts: 8
Registered: 05-28-2009

Re: Passive FTP

The FTP client in this case is the Dell Website's Download Manager. I have tried in IE and Firefox and the same pattern exists. I have also had other FTP sites that I could hit in Cute FTP, or in IE if I disable passive FTP in Tools/Options. When I have passive enabled, regardless of the location of the FTP server, I cannot download.

I understand how passive FTP to an external server should not rely on any inbound rules, but I included an excerpt from my inbound ACL to cover my bases. I included my outbound ACL to show that except for SMTP, ALL OUTBOUND TRAFFIC is allowed, including >1024. In this case, the server is at Dell, the clients are in my network. I agree that all connections should be made by the client, which means that my very permissive outbound ACL should allow it to work. I know that the Dell servers are set up correctly, because if I switch to an EVDO card, bypassing the Aruba, the download completes.
Frequent Contributor I
Posts: 82
Registered: 02-15-2008

Re: Does Aruba have problems with Passive FTP?

Hello,

What are your actual policies on the specified role, and is the role assigned to that specified client?

Following statement is not correct:

"passive FTP to an external server should not rely on any inbound rules"

Only the session initiation is made by the client. ACKs, for example, are sent from the server to the client anyway.


Again: following Rules/Policies are necessary in the Role:

Source Destination
Client IP with Port >1024 -> Port 21 Server IP
Server Port 21 -> Client Ports >1024
Server Ports >1024 -> Client Ports >1024
Client Ports >1024 -> Server Ports >1024

Best Regards
Occasional Contributor I
Posts: 8
Registered: 05-28-2009

RE: Passive FTP

Sorry I did not specify before; these are hard wired connections to the Aruba, with the ports set as trusted. The ACLs I described are set as session firewall policies. I don't think user role applies here, but I could be wrong. I went wireless to see the role, and it is InsideLANPort, using the policy CorpInsideAccessPolicy, shown above.

Here is the full transaction from Wireshark (on the client) as the download attempt times out. The FTP sequence is repeated several times before the download manager gives up and errors out.

I put in dashes to make the columns line up better.

Source----------Destination----------Protocol-Info
172.16.1.221----143.166.170.10-------TCP------57414->-ftp--Seq=0-Win=8192-Len=0-MSS=1260-WS=2
143.166.170.10--172.16.1.221---------TCP------ftp->-57414--Seq=0-Ack=1-Win=3780-Len=0-MSS=1460-WS=0
172.16.1.221----143.166.170.10-------TCP------57414->-ftp--Seq=1-Ack=1-Win=66780-Len=0
143.166.170.10--172.16.1.221---------FTP------Response:-220-Microsoft-FTP-Service
172.16.1.221----143.166.170.10-------FTP------Request:-USER-anonymous
143.166.170.10--172.16.1.221---------FTP------Response:-331-Anonymous-access-allowed,-send-identity-(e-mail-name)-as-password.
172.16.1.221----143.166.170.10-------FTP------Request:-PASS-anonymous@
143.166.170.10--172.16.1.221---------FTP------Response:-230-Welcome-to-the-Dell-FTP-site.-A-service-of-Dell-Inc.,-Round-Rock,-Texas.
143.166.170.10--172.16.1.221---------FTP------Response:-230-User-logged-in.
172.16.1.221----143.166.170.10-------TCP------57414->-ftp--Seq=34-Ack=1071-Win=65708-Len=0
172.16.1.221----143.166.170.10-------FTP------Request:-OPTS-utf8-on
143.166.170.10--172.16.1.221---------FTP------Response:-200-OPTS-UTF8-command-successful---UTF8-encoding-now-ON.
172.16.1.221----143.166.170.10-------FTP------Request:-PWD
143.166.170.10--172.16.1.221---------FTP------Response:-257-/"-is-current-directory."
172.16.1.221----143.166.170.10-------FTP------Request:-CWD-/audio/
143.166.170.10--172.16.1.221---------FTP------Response:-250-CWD-command-successful.
172.16.1.221----143.166.170.10-------FTP------Request:-TYPE-I
143.166.170.10--172.16.1.221---------FTP------Response:-200-Type-set-to-I.
172.16.1.221----143.166.170.10-------FTP------Request:-PASV
143.166.170.10--172.16.1.221---------FTP------Response:-227-Entering-Passive-Mode-(143,166,170,10,216,198)
172.16.1.221----143.166.170.10-------TCP------57415->-55494--Seq=0-Win=8192-Len=0-MSS=1260-WS=2
172.16.1.221----143.166.170.10-------TCP------57414->-ftp--Seq=80-Ack=1261-Win=66780-Len=0
172.16.1.221----143.166.170.10-------TCP------57415->-55494--Seq=0-Win=8192-Len=0-MSS=1260-WS=2
172.16.1.221----143.166.170.10-------TCP------57415->-55494--Seq=0-Win=8192-Len=0-MSS=1260
172.16.1.221----143.166.83.24--------TCP------57402->-http--Seq=1-Ack=1-Win=0-Len=0
172.16.1.221----143.166.83.24--------TCP------57390->-http--Seq=1-Ack=1-Win=0-Len=0
Aruba Employee
Posts: 509
Registered: 07-03-2008

Re: Does Aruba have problems with Passive FTP?

Is there a way to span the switchport that your internet-facing controller interface is connected to? If you see, using your previous example, the packet below egressing the controller and no corresponding SYN/ACK comes back, then you know it's not the controller that's causing the issue.

172.16.1.221----143.166.170.10-------TCP------57415->-55494--Seq=0-Win=8192-Len=0-MSS=1260-WS=2

This particular packet is your client trying to connect to the negotiated FTP server port, 55494, which is correct based on the numbers in the server's PASV response.
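As an added example (not code from any poster in this thread or from Aruba), the following Python script does the two things the thread has been doing by hand: it decodes a 227 reply into the data-channel address and port as the passive-mode explanation earlier in the thread describes (port = p1*256 + p2, so (143,166,170,10,216,198) gives 55494, matching the reply above), and it walks the posted capture rows to check whether the client's SYN to that port was ever answered with a SYN/ACK, which is the test the reply above proposes for deciding whether the controller is the one dropping the data channel. The capture text is the dash-separated format posted in this thread, embedded as a constructed sample. Because the posted columns omit TCP flags, the script assumes that Seq=0 without Ack= is the client's SYN and Seq=0 with Ack=1 is the server's SYN/ACK. The extra check that the address advertised in the 227 reply equals the control-connection server address is a standard NAT/ALG sanity check added here; the thread does not mention it.

```python
import re
from typing import Dict, Tuple

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# \D* lets the same regex read Wireshark Info text whose spaces became dashes.
PASV_RE = re.compile(r"\b227\D*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Info column of a TCP row in the posted format: "57415->-55494-Seq=0-Win=..."
TCP_INFO_RE = re.compile(r"^(\w+)->-(\w+)-(.*)$")

# Constructed sample: the rows from the posted capture that matter for the
# data channel (PASV exchange plus the client's connection attempts).
SAMPLE_CAPTURE = """\
172.16.1.221----143.166.170.10-------FTP------Request:-PASV
143.166.170.10--172.16.1.221---------FTP------Response:-227-Entering-Passive-Mode-(143,166,170,10,216,198)
172.16.1.221----143.166.170.10-------TCP------57415->-55494--Seq=0-Win=8192-Len=0-MSS=1260-WS=2
172.16.1.221----143.166.170.10-------TCP------57414->-ftp--Seq=80-Ack=1261-Win=66780-Len=0
172.16.1.221----143.166.170.10-------TCP------57415->-55494--Seq=0-Win=8192-Len=0-MSS=1260-WS=2
172.16.1.221----143.166.170.10-------TCP------57415->-55494--Seq=0-Win=8192-Len=0-MSS=1260
"""


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply into (ip, port); the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV field out of range: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def analyze_capture(capture: str) -> Dict[str, object]:
    """Find the 227 reply, then count the client's SYNs to the advertised data
    port and record whether a SYN/ACK from that port ever came back."""
    result: Dict[str, object] = {
        "pasv": None, "ip_matches_control": None, "syns_sent": 0, "synack_seen": False,
    }
    client = server = None
    data_port = None
    for line in capture.splitlines():
        fields = re.split(r"-{2,}", line.strip())
        if len(fields) < 4:
            continue  # header, blank line, or something that is not a capture row
        src, dst, proto = fields[0], fields[1], fields[2]
        info = "-".join(fields[3:])  # re-join Info in case "--" split it
        if proto == "FTP" and result["pasv"] is None and PASV_RE.search(info):
            ip, data_port = parse_pasv(info)
            server, client = src, dst
            result["pasv"] = (ip, data_port)
            # A server behind NAT without an FTP ALG advertises its private address here.
            result["ip_matches_control"] = (ip == server)
            continue
        if proto != "TCP" or data_port is None:
            continue
        m = TCP_INFO_RE.match(info)
        if not m:
            continue
        sport, dport, rest = m.groups()
        # Assumption about the posted format (no flags column): Seq=0 without
        # Ack= is the client's SYN; Seq=0 with Ack= is the server's SYN/ACK.
        if (src == client and dport == str(data_port)
                and rest.startswith("Seq=0") and "Ack=" not in rest):
            result["syns_sent"] += 1
        elif (src == server and dst == client and sport == str(data_port)
                and rest.startswith("Seq=0") and "Ack=" in rest):
            result["synack_seen"] = True
    return result


def verdict(r: Dict[str, object]) -> str:
    """One-line diagnosis of the passive data channel from analyze_capture()."""
    if r["pasv"] is None:
        return "no 227 reply found; the control channel never reached PASV"
    ip, port = r["pasv"]
    if not r["ip_matches_control"]:
        return ("server advertised %s but the control connection goes to another "
                "address; suspect NAT without an FTP ALG on the server side" % ip)
    if r["syns_sent"] and not r["synack_seen"]:
        return ("%d SYN(s) to %s:%d unanswered; the data channel is dropped "
                "somewhere between client and server" % (r["syns_sent"], ip, port))
    if r["synack_seen"]:
        return "data channel to %s:%d established" % (ip, port)
    return "client never attempted the data connection"


if __name__ == "__main__":
    r = analyze_capture(SAMPLE_CAPTURE)
    print(r["pasv"], verdict(r))
```

Run against the posted rows, the script reports three SYNs to 143.166.170.10:55494 with no SYN/ACK, which is the symptom the thread is chasing; the same script run on a capture taken on a span of the controller's Internet-facing port, as suggested above, tells you whether those SYNs left the controller at all.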
Guru Elite
Posts: 21,515
Registered: 03-29-2007

Parts and Pieces

Alexwc4:

You have a number of parts here:

- You are running ArubaOS 3.4
- You have an outbound ACL. Where is this applied?
- Is traffic from a wired, or wireless user?
- Are you using IP Nat inside on the VLAN that the user is on?
- If you are using IP NAT inside, you should not have to allow any traffic back in, it should just be stateful
- What kind of internet connection are you using, and does it contain a firewall as well, or is the Aruba controller truly the last firewall device in the mix?
- Does the Aruba Controller have a public IP address?
- Did passive FTP EVER work? (No, right?)

Based on the number of questions and the fact that you would have to reveal the details of your configuration to possibly get this resolved, I have to suggest that you open a case with support so that they can resolve it. Post your resolution back here when you get it fixed.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 8
Registered: 05-28-2009

Re: Does Aruba have problems with Passive FTP?

OK, sorry, I was out yesterday. Here are my replies:

- You are Running ArubaOS 3.4- Yes, but the problem existed in several earlier versions too.

- You have an outbound ACL. Where is this applied? - The internal port (LAN side) has that ACL to block SMTP in case of a spamming virus or malware.

- Is traffic from a wired, or wireless user? - same behavior for both

- Are you using IP Nat inside on the VLAN that the user is on? - Yes

- If you are using IP NAT inside, you should not have to allow any traffic back in, it should just be stateful - I agree, but I am trying to make something work and so I have explicitly allowed something that shouldn't need it.

- What kind of internet connection are you using, and does it contain a firewall as well, or is the Aruba controller truly the last firewall device in the mix? - a 10 Mbps circuit (10 up, 10 down) and the Aruba truly is THE firewall

- Does the Aruba Controller have a public IP address? - Yes

- Did passive FTP EVER work? (No, right?) - You are correct. No.

Based on the number of questions and the fact that you would have to reveal the details of your configuration to possibly get this resolved, I have to suggest that you open a case with support so that they can resolve it. Post your resolution back here when you get it fixed. - I will report. I was hoping to get a response like "Oh, didn't you know that for Passive FTP over Aruba the frangle has to be toggled off?" Plus, I would like to participate in this forum growing bigger and more useful to us all. Few people talk about using Aruba controllers as true firewalls, but they have AWESOME site to site Tunnel throughput with each other, decent rules and NAT ability, and are only short on easy monitoring of traffic.
Aruba Employee
Posts: 455
Registered: 04-02-2007

Re: Does Aruba have problems with Passive FTP?

Hi Alex,

Is there a user role being applied? I just tried the same server from here at corporate using IE as the client with no issue. I see the pasv command pass through on wireshark and am able to browse directories and download files following that occurrence.

It seems like either a user role is being assigned that doesn't allow the user to complete this action, or the user client is not behaving correctly.

I've attached my output.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks