Security, WIDS/WIPS and Aruba ECS

Occasional Contributor I

Follow up from Aruba support

:(

Subject: RE: Passive FTP not working / Ticket # T-59818

Hi Alex,

When an Aruba controller is used as a gateway device where all inside traffic is NATed to an external interface, or when we do a dst-NAT on traffic, passive FTP does not work.

A test was done on this and found that when we change our network design so that the client VLAN on the Aruba controller is not configured for source NAT or destination NAT, passive FTP works, but it does not work when the source NAT or destination NAT is enabled on the client VLAN.

Regarding the ETA of this feature, I am in contact with your Engineering team to confirm the same. I see that the feature request is set to immediate.
Moderator

Re: Does Aruba have problems with Passive FTP?

So the outcome, if I successfully parse that response you got, is that NAT breaks passive FTP? I wonder why...
---
Jon Green, ACMX, CISSP, CISM, and a bunch of other acronyms
Aruba Security CTO
Moderator

Re: Does Aruba have problems with Passive FTP?

FYI Engineering is looking into this further. According to the source code, this is supposed to work properly.
---
Jon Green, ACMX, CISSP, CISM, and a bunch of other acronyms
Aruba Security CTO
Moderator

Re: Does Aruba have problems with Passive FTP?

Engineering has confirmed that there's a bug. It seems to be related to the "ip nat inside" function. I didn't get any information on when they might get it fixed.

A suggestion for you to try is to use ACL-based NAT instead of the automatic "ip nat inside". In other words, create a session ACL and apply it in the appropriate place, and use a rule such as:

ip nat pool nat-pool-1 172.16.1.1 172.16.1.1
network 192.168.1.0 255.255.255.0 any any src-nat pool nat-pool-1

This would have the effect of NATing all 192.168.1.0 traffic to a single public address of 172.16.1.1.

-Jon
---
Jon Green, ACMX, CISSP, CISM, and a bunch of other acronyms
Aruba Security CTO
Occasional Contributor I

Recreating NAT Inside with ACL

Hey Jon, I was skeptical, but that seems to have worked. I did a "no ip nat inside" on the VLAN and used a NAT pool with src-nat on the ACL, and my users got Dell's Download Manager (passive FTP) to work! Thanks for your follow-up comments. :)
Moderator

Re: Does Aruba have problems with Passive FTP?

BTW the bug has been fixed - the bug ID is 36600 in case you're interested. I asked TAC to follow up with you to see if you need the fix in a patch, though it sounds like you got it working in the meantime.
---
Jon Green, ACMX, CISSP, CISM, and a bunch of other acronyms
Aruba Security CTO
Occasional Contributor I

patch for passive FTP

So is the fix incorporated in 3.3.2.20? I didn't see it in the notes and 3.4 doesn't have a 9-4-2009 release.
Occasional Contributor II

Re: Does Aruba have problems with Passive FTP?

Does anyone know which versions exactly have this fix? (i.e. 3.3.X.X?)

I'm trying to port-forward passive FTP through a controller (which is the firewall) and am running into this same issue.

My packet traces show the passive FTP connections are running into 'something' and getting reset after the SYN-ACK. Telnetting directly to the port shows the port-forward works just fine.

I'm going to try the NAT ACL trick shown above, but ideally I'd like to just update the firmware.
Occasional Contributor II

Re: Does Aruba have problems with Passive FTP?

I've just tried the NAT ACL trick under 3.3.1.21, and it does not solve the issue.

However, this may be a little different as I'm port-forwarding instead of just NATing.
Also, I applied the session ACL to the port, as I can't assign this to a VLAN using 3.3.1.X.
Regular Contributor I

Re: Does Aruba have problems with Passive FTP?

Hi there,

MC800 with AOS 3.4.2.5,

Controller has one IF with an external ISP IP; that's used for guest-voucher access.

guest-initial-role kept quite default, with CP logon.
Authenticated guests have the guest role with the following policies:

guest-weblogout-popup-window:
any mswitch svc-https permit

deny-private-Subnets:
any 10.0.0.0 255.0.0.0 any deny
any 172.16.0.0 255.240.0.0 any deny
any 192.168.0.0 255.255.0.0 any deny
user host 217.xxx.xxx.xxx any deny (external IF IP, for denying any attempts to connect)

allow-any-guest:
192.168.111.0 255.255.255.0 any svc-ftp permit
192.168.111.0 255.255.255.0 any any permit

Some specs about the environment: just a cheap extra VLAN for the guests, 192.168.111.0/24, running DHCP on the Aruba MC, giving out IPs of that range and the external ISP DNS servers to the DHCP clients.

I wonder about an annoying "delay" until an FTP download starts. I can repeat the behaviour on every FTP client; the connection method there is "Active PORT", and after a short delay the download starts.

If I change the FTP client to PASV mode, there is also some delay and later "data socket error, connection timed out".


I think I have to tweak my MC with one of those nice ideas above in the thread; I just wanted to make sure my policies are proper. What do you think?
For PASV mode I surely have to change something; I will check out this thread again, but what about this annoying delay on Active PORT mode connections?

Regards,
Ben
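Ben's question is whether the role's policies are the reason PASV fails. One way to answer that offline is to run the policies through a first-match evaluator with the flows an FTP session needs. The Python script below is an added example, not code from the thread or from Aruba; it models the rule syntax shown in the post (`<src> <dst> <service> <action>`, with `any`, `user`, `mswitch`, `host <ip>` and `<net> <mask>` as address specs, first match wins, implicit deny at the end of the role). The guest client 192.168.111.20, the Internet FTP server 198.51.100.7, the controller addresses, and 203.0.113.1 standing in for the redacted 217.xxx.xxx.xxx external IF address are all constructed. Under this model the role permits both the FTP control connection (`svc-ftp`) and a PASV data connection to a high port on the same server (`any any permit`), so these policies alone do not explain the data-socket timeout; the thread's NAT discussion is the more likely place to look.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins (not from the thread) for addresses the post redacts or implies.
EXTERNAL_IF_IP = "203.0.113.1"                      # placeholder for the redacted 217.xxx.xxx.xxx
CONTROLLER_IPS = {"192.168.111.1", EXTERNAL_IF_IP}  # what "mswitch" resolves to: guest-VLAN gateway + external IF

# Service aliases used in the post, modelled as (protocol, set of destination ports).
SERVICES = {"svc-https": ("tcp", {443}), "svc-ftp": ("tcp", {21})}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    policy: str
    src: tuple
    dst: tuple
    service: str
    action: str


def _take_addr(tokens, i):
    """Consume one address spec: any | user | mswitch | host <ip> | <net> <mask>."""
    tok = tokens[i]
    if tok in ("any", "user", "mswitch"):
        return (tok,), i + 1
    if tok == "host":
        return ("host", tokens[i + 1]), i + 2
    return ("net", tokens[i], tokens[i + 1]), i + 2


def parse_rule(policy: str, line: str) -> Rule:
    """Parse one '<src> <dst> <service> <action>' line belonging to the named policy."""
    tokens = line.split()
    src, i = _take_addr(tokens, 0)
    dst, i = _take_addr(tokens, i)
    service, action = tokens[i], tokens[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    return Rule(policy, src, dst, service, action)


def _addr_matches(spec, ip: str, flow: Flow) -> bool:
    kind = spec[0]
    if kind == "any":
        return True
    if kind == "user":        # the authenticated client's own address
        return ip == flow.src
    if kind == "mswitch":     # the controller's own addresses
        return ip in CONTROLLER_IPS
    if kind == "host":
        return ip == spec[1]
    net = ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)   # dotted-mask form is accepted
    return ipaddress.ip_address(ip) in net


def _service_matches(service: str, flow: Flow) -> bool:
    if service == "any":
        return True
    proto, ports = SERVICES[service]
    return flow.proto == proto and flow.dport in ports


def evaluate(rules, flow: Flow):
    """First match wins; a flow matching no rule is dropped by the implicit deny at the end of the role."""
    for r in rules:
        if _addr_matches(r.src, flow.src, flow) and _addr_matches(r.dst, flow.dst, flow) and _service_matches(r.service, flow):
            return r.policy, r.action
    return "implicit", "deny"


# The guest role exactly as listed in the post, in policy order, with the redacted host replaced.
GUEST_ROLE = [
    ("guest-weblogout-popup-window", "any mswitch svc-https permit"),
    ("deny-private-Subnets", "any 10.0.0.0 255.0.0.0 any deny"),
    ("deny-private-Subnets", "any 172.16.0.0 255.240.0.0 any deny"),
    ("deny-private-Subnets", "any 192.168.0.0 255.255.0.0 any deny"),
    ("deny-private-Subnets", f"user host {EXTERNAL_IF_IP} any deny"),
    ("allow-any-guest", "192.168.111.0 255.255.255.0 any svc-ftp permit"),
    ("allow-any-guest", "192.168.111.0 255.255.255.0 any any permit"),
]
RULES = [parse_rule(p, line) for p, line in GUEST_ROLE]

GUEST = "192.168.111.20"      # constructed guest client on the 192.168.111.0/24 VLAN
FTP_SERVER = "198.51.100.7"   # constructed Internet FTP server

if __name__ == "__main__":
    for label, flow in [
        ("FTP control", Flow(GUEST, FTP_SERVER, "tcp", 21)),
        ("PASV data port", Flow(GUEST, FTP_SERVER, "tcp", 50000)),
        ("SSH to external IF", Flow(GUEST, EXTERNAL_IF_IP, "tcp", 22)),
        ("HTTPS logout popup", Flow(GUEST, EXTERNAL_IF_IP, "tcp", 443)),
        ("DNS to VLAN gateway", Flow(GUEST, "192.168.111.1", "udp", 53)),
    ]:
        print(f"{label:20s} -> {evaluate(RULES, flow)}")
```

The last sample flow shows a side effect worth knowing about in this role: DNS to the guest-VLAN gateway address falls under the `192.168.0.0/16` deny before `allow-any-guest` is reached, which is consistent with handing out the external ISP DNS servers via DHCP as the post describes.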