803 access list for FTP transfers?

Discussion in 'Cisco' started by Peter, Dec 3, 2003.

  1. Peter

    Peter Guest

    I have an 803 which works fine for www/email with the following

    access-list 100 permit tcp any any eq www
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any any eq domain
    access-list 100 permit tcp any any eq nntp
    access-list 100 permit tcp any any eq smtp
    access-list 100 permit tcp any any eq pop3

    and I added the following to enable ftp

    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any any eq ftp-data
    access-list 100 permit tcp any eq ftp-data any

    which works but the hangup timer does not get reloaded.

    The following appears to have fixed that

    access-list 100 permit tcp any any established

    but now the router suffers from remaining online for very long periods
    due to some external traffic (perhaps port sniffers), even with no
    connection to its ethernet port.

    Can anyone suggest an access list which permits FTP (not passive mode)
    while reloading the router hangup timer correctly, while not leaving
    the router wide open?


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 3, 2003
    #1

  2. Peter wrote:

    > I have an 803 which works fine for www/email with the following
    >
    > access-list 100 permit tcp any any eq www
    > access-list 100 permit udp any any eq domain
    > access-list 100 permit tcp any any eq domain
    > access-list 100 permit tcp any any eq nntp
    > access-list 100 permit tcp any any eq smtp
    > access-list 100 permit tcp any any eq pop3
    >
    > and I added the following to enable ftp
    >
    > access-list 100 permit tcp any any eq ftp
    > access-list 100 permit tcp any any eq ftp-data
    > access-list 100 permit tcp any eq ftp-data any
    >
    > which works but the hangup timer does not get reloaded.
    >
    > The following appears to have fixed that
    >
    > access-list 100 permit tcp any any established
    >
    > but now the router suffers from remaining online for very long periods
    > due to some external traffic (perhaps port sniffers), even with no
    > connection to its ethernet port.
    >
    > Can anyone suggest an access list which permits FTP (not passive mode)
    > while reloading the router hangup timer correctly, while not leaving
    > the router wide open?


    Peter, you're doing no one any favours by continually posting
    the same question.

    However, if the connection stays up, let the connection lie
    idle until you believe that it should go down, then run
    "sh dialer". This should give you some idea as to why the
    connection stays up.

    I can think of a few possibilities: virus, bad NAT mapping,
    your POP3 client running continually or possibly your
    Windows sending out its usual crap.


    B

    --
    http://www.mailtrap.org.uk/
    http://www.ibrox.demon.co.uk/
     
    Bob { Goddard }, Dec 3, 2003
    #2

  3. Peter

    Peter Guest

    Bob { Goddard } <> wrote:

    >Peter, you're doing no one any favours by continually posting
    >the same question.


    Bob, I apologise. I just did that because sometimes a post isn't
    spotted by someone who knows the answer, before it drops off the
    server.

    >However, if the connection stays up, let the connection lie
    >idle until you believe that it should go down, then run
    >"sh dialer". This should give you some idea as to why the
    >connection stays up.


    I am b*****d now... Just tried it, and the router hangs up OK now,
    even following an FTP transfer. I will need to do more tests but I did
    write to the ISP; perhaps they've done something...

    >I can think of a few possibilities: virus, bad NAT mapping,
    >your POP3 client running continually or possibly your
    >Windows sending out its usual crap.


    The router stays online even with the ethernet cable unplugged, so it
    can't be the PC. This is why running a software ethernet analyser on
    the PC didn't reveal anything.


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 3, 2003
    #3
  4. Peter wrote:

    >
    > Bob { Goddard } <> wrote:
    >
    >>Peter, you're doing no one any favours by continually posting
    >>the same question.

    >
    > Bob, I apologise. I just did that because sometimes a post isn't
    > spotted by someone who knows the answer, before it drops off the
    > server.
    >
    >>However, if the connection stays up, let the connection lie
    >>idle until you believe that it should go down, then run
    >>"sh dialer". This should give you some idea as to why the
    >>connection stays up.

    >
    > I am b*****d now... Just tried it, and the router hangs up OK now,
    > even following an FTP transfer. I will need to do more tests but I did
    > write to the ISP; perhaps they've done something...


    Which now sounds like you may be getting hit by
    the Welchia/Nachi worms - I can never remember their names.
    Your system may be running out of memory.

    >>I can think of a few possibilities: virus, bad NAT mapping,
    >>your POP3 client running continually or possibly your
    >>Windows sending out its usual crap.

    >
    > The router stays online even with the ethernet cable unplugged, so it
    > can't be the PC. This is why running a software ethernet analyser on
    > the PC didn't reveal anything.


    Okay, but the "show dialer" will tell you who it is trying
    to contact.

    Hmm, I wonder what happens when logging is turned on,
    the router is set to resolve DNS via your ISP and
    connection attempts are made. I wonder if the router's
    DNS traffic is keeping the interface up?


    B

    --
    http://www.mailtrap.org.uk/
    http://www.ibrox.demon.co.uk/
     
    Bob { Goddard }, Dec 3, 2003
    #4
  5. In article <>,
    Peter <> wrote:
    :>Peter, you're doing no one any favours by continually posting
    :>the same question.

    :Bob, I apologise. I just did that because sometimes a post isn't
    :spotted by someone who knows the answer, before it drops off the
    :server.

    There isn't just -one- news server, and each server decides for
    itself how long to store messages for each group. I believe it is
    several weeks for this newsgroup on the server I use. The die-hards
    that frequent this group are unlikely, I would think, to use a
    server with a retention period measured in days.
    --
    Cottleston, Cottleston, Cottleston pie.
    A bird can't whistle and neither can I. -- Pooh
     
    Walter Roberson, Dec 3, 2003
    #5
  6. Peter

    Peter Guest

    Bob { Goddard } <> wrote

    >Okay, but the "show dialer" will tell you who it is trying
    >to contact.


    Noted, thank you.

    >Hmm, I wonder what happens when logging is turned on,
    >the router is set to resolve DNS via your ISP and
    >connection attempts are made. I wonder if the router's
    >DNS traffic is keeping the interface up?


    I've just realised that when I changed the ISP from Netcom to Clara, I
    forgot to change this

    ip address 192.168.1.1 255.255.255.0

    so it is still using Netcom's nameserver.... will fix this.

    But despite my lack of knowledge in this area, I have wondered if the
    router does access something on the internet all by itself... I don't
    have any automatic router clock setting feature enabled but DNS is a
    possibility. I have Zonealarm installed (on an unrelated system) and
    it shows DNS lookups to the internet when printing locally over the
    LAN! This may be standard Windows behaviour, broadcasting all over the
    place looking for printers etc. When the router is offline, these
    don't cause it to go online (non-interesting traffic to the dialler)
    but once the router is already online then what goes out is limited
    only by the access lists (AIUI). None of this surprises me; I recently
    read that a large % of accesses to nameservers is for WORKGROUP :)

    As I say this isn't relevant when the PC is powered off or
    disconnected, but I wonder if something in the router gets triggered
    off by one of these spurious "windows chats" and after that the router
    is trying to access some nameserver, for a long time afterwards?


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 3, 2003
    #6
  7. Peter wrote:

    >
    > Bob { Goddard } <> wrote
    >
    >>Okay, but the "show dialer" will tell you who it is trying
    >>to contact.

    >
    > Noted, thank you.
    >
    >>Hmm, I wonder what happens when logging is turned on,
    >>the router is set to resolve DNS via your ISP and
    >>connection attempts are made. I wonder if the router's
    >>DNS traffic is keeping the interface up?

    >
    > I've just realised that when I changed the ISP from Netcom to Clara, I
    > forgot to change this
    >
    > ip address 192.168.1.1 255.255.255.0
    >
    > so it is still using Netcom's nameserver.... will fix this.
    >
    > But despite my lack of knowledge in this area, I have wondered if the
    > router does access something on the internet all by itself... I don't
    > have any automatic router clock setting feature enabled but DNS is a
    > possibility. [...]


    The router should only access the net by itself for 2 reasons,
    performing DNS lookups and for (S)NTP.

    > As I say this isn't relevant when the PC is powered off or
    > disconnected, but I wonder if something in the router gets triggered
    > off by one of these spurious "windows chats" and after that the router
    > is trying to access some nameserver, for a long time afterwards?


    This is quite possibly the cause.

    It may be time to post a sanitised config and the output of
    "show dialer".


    B

    --
    http://www.mailtrap.org.uk/
    http://www.ibrox.demon.co.uk/
     
    Bob { Goddard }, Dec 3, 2003
    #7
  8. Peter

    Peter Guest

    Peter <> wrote

    >I've just realised that when I changed the ISP from Netcom to Clara, I
    >forgot to change this
    >
    > ip address 192.168.1.1 255.255.255.0


    Just realised... the above is a complete red herring - there isn't any
    need for a nameserver IP in the router (it is already configured in
    windows networking).


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 3, 2003
    #8
  9. Peter

    Peter Guest

    I have done quite a bit of testing tonight, and have found the
    following, relative to the access list below

    access-list 100 permit tcp any any eq www
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any any eq domain
    access-list 100 permit tcp any any eq nntp
    access-list 100 permit tcp any any eq pop3
    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any eq ftp any *
    access-list 100 permit tcp any any eq ftp-data
    access-list 100 permit tcp any eq ftp-data any
    access-list 100 permit tcp any any established **

    * adding this one appears to make it work with ftp transfers, provided
    that each file transfers in less than the 200-sec dialer timeout

    ** adding this one is necessary for ftp transfers of *any* size (and
    also same for IE6 file downloads; presumably these use ftp also) BUT
    the router takes a lot longer to hang up after the end of the data
    (and this is not due to any PC activity)

    I have done 'sh dialer' but it shows nothing useful; only whatever
    brought up the line initially. There must be a more detailed debug
    mode... This debug does show the remaining timer value so I can see
    when it gets reloaded with '200', and Ethereal shows nothing on the
    PC at this time, so whatever is causing the router to reload its timer
    is not coming from the PC (at that moment).

    But it appears that even with the ** line, the router hangs up
    eventually, typically in 5-10 mins rather than 200 secs. I think I
    will leave it now; this has taken far too many evenings.

    If ** proves to be a real problem (basically if I run over my 120hr
    Clara monthly time limit due to this) then I will remove the ** line
    and use a little .htm prog I have which hits www.google.com every 100
    seconds and run that during any ftp ops :)

    I have written to Cisco, but nowadays none of these products are
    supported.


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 3, 2003
    #9
  10. Peter wrote:

    > I have done quite a bit of testing tonight, and have found the
    > following, relative to the access list below
    >
    > access-list 100 permit tcp any any eq www
    > access-list 100 permit udp any any eq domain
    > access-list 100 permit tcp any any eq domain
    > access-list 100 permit tcp any any eq nntp
    > access-list 100 permit tcp any any eq pop3
    > access-list 100 permit tcp any any eq ftp
    > access-list 100 permit tcp any eq ftp any *
    > access-list 100 permit tcp any any eq ftp-data
    > access-list 100 permit tcp any eq ftp-data any
    > access-list 100 permit tcp any any established **
    >
    > * adding this one appears to make it work with ftp transfers, provided
    > that each file transfers in less than the 200-sec dialer timeout


    It shouldn't unless you have someone outside trying
    to ftp to inside your network. Think "<SRC>" "<DST>". Remove it.
    It's the line before which makes it work with FTP.

    > ** adding this one is necessary for ftp transfers of *any* size (and
    > also same for IE6 file downloads; presumably these use ftp also) BUT
    > the router takes a lot longer to hang up after the end of the data
    > (and this is not due to any PC activity)


    This is required because passive ftp uses ephemeral ports
    and the only reliable way for this traffic to keep the line
    up is to test for the ACK bit.

    > I have done 'sh dialer' but it shows nothing useful; only whatever
    > brought up the line initially.


    "Dammit Janet" - It's been a while since I've used dialup.
    There should be something under "debug dialer" that you
    can use.

    > But it appears that even with the ** line, the router hangs up
    > eventually, typically in 5-10 mins rather than 200 secs. I think I
    > will leave it now; this has taken far too many evenings.


    If you want it shorter then modify "dialer idle-timeout <#>" unless
    you already have.

    > If ** proves to be a real problem (basically if I run over my 120hr
    > Clara monthly time limit due to this) then I will remove the ** line
    > and use a little .htm prog I have which hits www.google.com every 100
    > seconds and run that during any ftp ops :)


    A simple ping could be used as well if you add
    access-list 100 permit icmp any any echo

    What can I say, except if you can, go ADSL.


    B

    --
    http://www.mailtrap.org.uk/
    http://www.ibrox.demon.co.uk/
     
    Bob { Goddard }, Dec 3, 2003
    #10
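    As an added example (not code from the thread, from Cisco or from IOS itself), a small Python model of how the access-list lines in posts #9 and #10 match an outgoing packet when used as a dialer-list: it shows that `permit tcp any eq ftp any` is a source-port test, and that `established` is only a flag test, so a reset the router sends in reply to an unsolicited probe from outside matches it and reloads the idle timer. The packets are constructed for the example.

```python
# Added example (not from the thread): which posted access-list 100 lines match an outgoing packet.
from dataclasses import dataclass
from typing import Optional

PORT_KEYWORDS = {"www": 80, "domain": 53, "nntp": 119, "smtp": 25,
                 "pop3": 110, "ftp": 21, "ftp-data": 20}   # IOS keywords used in the list

@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"ACK"}, {"RST"}

@dataclass
class AclLine:
    text: str
    proto: str
    sport: Optional[int] = None     # "any eq <port> any" -> source-port test
    dport: Optional[int] = None     # "any any eq <port>" -> destination-port test
    established: bool = False       # IOS: matches when the ACK or RST bit is set

def parse_acl_line(text: str) -> AclLine:
    """Parse 'access-list N permit <proto> any [eq P] any [eq P] [established]'
    (only the 'any' address form used in the thread is modelled)."""
    toks = text.split()
    if toks[0] != "access-list" or toks[2] != "permit":
        raise ValueError(f"unsupported line: {text}")
    line, i = AclLine(text=text, proto=toks[3]), 4
    for side in ("sport", "dport"):
        if toks[i] != "any":
            raise ValueError("only 'any' addresses are modelled")
        i += 1
        if i < len(toks) and toks[i] == "eq":
            port = toks[i + 1]
            setattr(line, side, PORT_KEYWORDS.get(port) or int(port))
            i += 2
    line.established = i < len(toks) and toks[i] == "established"
    return line

def matches(line: AclLine, pkt: Packet) -> bool:
    if line.proto != pkt.proto:
        return False
    if line.sport is not None and pkt.sport != line.sport:
        return False
    if line.dport is not None and pkt.dport != line.dport:
        return False
    # 'established' is only a flag test: it also matches a reset the router sends
    # in reply to an unsolicited probe from outside, which keeps reloading the timer.
    return not line.established or bool(pkt.flags & {"ACK", "RST"})

def first_match(acl, pkt: Packet) -> Optional[str]:
    """Text of the first permitting line, or None for the implicit deny
    (an outgoing packet that matches nothing is 'uninteresting' to the dialer)."""
    return next((ln.text for ln in acl if matches(ln, pkt)), None)

# The access-list from post #9 with the footnote markers removed
ACL = [parse_acl_line(l) for l in """\
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit tcp any any eq nntp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any established""".splitlines()]
ACL_NO_ESTABLISHED = ACL[:-1]

# Constructed packets: an active-mode FTP client on ephemeral ports, and a bare
# RST (a 40-byte IP packet: 20-byte IP + 20-byte TCP header, no payload) that
# the router sends in reply to an unsolicited SYN from outside.
FTP_CONTROL_SYN = Packet("tcp", 1025, 21, frozenset({"SYN"}))
FTP_DATA_ACK = Packet("tcp", 1026, 20, frozenset({"ACK"}))
UNSOLICITED_RST = Packet("tcp", 135, 4444, frozenset({"RST"}))
```

    Calling first_match(ACL, UNSOLICITED_RST) names the established line, while first_match(ACL_NO_ESTABLISHED, UNSOLICITED_RST) returns None, i.e. the reset would have been uninteresting without it.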
  11. Peter

    Peter Guest

    Bob { Goddard } <> wrote

    >This is required because passive ftp uses ephemeral ports
    >and the only reliable way for this traffic to keep the line
    >up is to test for the ACK bit.


    I am not using Passive Mode.

    >If you want it shorter then modify "dialer idle-timeout <#>" unless
    >you already have.


    Yes, in fact using a very short timeout, e.g. 10 secs, would have been
    a solution to the original external sniffing (or whatever it was)
    problem. The downside of that is that with a dynamic IP, your IP keeps
    changing through perhaps a single www browsing session...

    >> If ** proves to be a real problem (basically if I run over my 120hr
    >> Clara monthly time limit due to this) then I will remove the ** line
    >> and use a little .htm prog I have which hits www.google.com every 100
    >> seconds and run that during any ftp ops :)

    >
    >A simple ping could be used as well if you add
    >access-list 100 permit icmp any any echo


    Oddly enough I can ping www.cisco.com already

    >What can I say, except if you can, go ADSL.


    I can't - in a village and so far only about 40 people have signed up
    for it.

    The bizarre thing is that I had no problem with the previous ISP; the
    router would hang up perfectly every time...

    Thanks Bob for all your help so far... my g/f is looking at a Linksys
    54k ADSL->wifi router and is quite horrified at my problems with
    router config. But then on ADSL she would never notice... I bet they
    come configured wide-open; if they didn't, nobody could handle the
    tech support.



    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 4, 2003
    #11
  12. Peter

    Peter Guest

    More info obtained from RS232-attached terminal:

    command: debug dialer packets

    shows the following with the PC connected via ethernet (and this did
    extend the dialler timeout, as expected):

    >23:14:27: Di1 DDR: ip (s=217.158.156.124, d=217.158.170.56), 40 bytes, outgoing interesting (list 100)


    Then I UNplugged the ethernet cable from the router and saw this

    >23:19:15: BR0 DDR: cdp, 307 bytes, outgoing uninteresting (no dialer-group defined)
    >23:19:15: BR0 DDR: sending broadcast to default destination -- failed, not connected
    >23:19:15: Di1 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
    >23:19:15: Di2 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
    >23:20:15: BR0 DDR: cdp, 307 bytes, outgoing uninteresting (no dialer-group defined)
    >23:20:15: BR0 DDR: sending broadcast to default destination -- failed, not connected
    >23:20:15: Di1 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
    >23:20:15: Di2 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
    >23:21:15: BR0 DDR: cdp, 307 bytes, outgoing uninteresting (no dialer-group defined)
    >23:21:15: BR0 DDR: sending broadcast to default destination -- failed, not connected
    >23:21:15: Di1 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
    >23:21:15: Di2 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
    >23:21:39: Di1 DDR: ip (s=217.158.156.42, d=217.158.117.119), 92 bytes, outgoing uninteresting (list 100)
    >23:21:41: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 92 bytes, outgoing uninteresting (list 100)
    >23:21:42: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
    >23:21:44: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
    >23:21:49: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)


    The last 3 lines reloaded the dialler timeout. What are these 40-byte
    packets?


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 4, 2003
    #12
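    As an added example (not from the thread), a small Python parser for 'debug dialer packets' output like the lines posted above: it counts, per source/destination pair, the outgoing packets the dialer judged "interesting" (each of which reloads the idle timer) and flags the 40-byte IP packets, a size consistent with a bare TCP ACK or RST rather than application data. The sample lines are copied from the posted output; the quote-prefix handling and the 40-byte heuristic are assumptions of the example.

```python
# Added example (not from the thread): triage 'debug dialer packets' output by
# counting the outgoing packets the dialer judged "interesting" per flow.
import re
from collections import Counter

LINE_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d): (?P<intf>\S+) DDR: "
    r"(?P<proto>\w+)(?: \(s=(?P<src>[\d.]+), d=(?P<dst>[\d.]+)\))?, "
    r"(?P<bytes>\d+) bytes, outgoing (?P<verdict>interesting|uninteresting) \((?P<reason>[^)]*)\)")

def parse_line(line: str):
    """Return a dict for one DDR packet line, or None for any other debug line."""
    m = LINE_RE.search(line.lstrip("> "))   # tolerate Usenet quote prefixes
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = int(d["bytes"])
    return d

def timer_reloads(lines):
    """Count (src, dst, size) for outgoing IP packets judged 'interesting'.
    Each such packet reloads the dialer idle timer, so these are the flows to explain."""
    c = Counter()
    for d in map(parse_line, lines):
        if d and d["verdict"] == "interesting" and d["src"]:
            c[(d["src"], d["dst"], d["bytes"])] += 1
    return c

def bare_segment_candidates(lines):
    """Interesting IP packets of exactly 40 bytes. That is a 20-byte IP header plus
    a 20-byte TCP header with no options and no payload, i.e. a bare ACK or RST
    rather than data; the debug line does not show the transport protocol, so
    treat this as a heuristic to confirm with a packet capture."""
    return [d for d in map(parse_line, lines)
            if d and d["proto"] == "ip" and d["bytes"] == 40 and d["verdict"] == "interesting"]

# Sample copied from the debug output posted above (Ethernet cable unplugged).
SAMPLE = """\
23:21:15: BR0 DDR: cdp, 307 bytes, outgoing uninteresting (no dialer-group defined)
23:21:15: BR0 DDR: sending broadcast to default destination -- failed, not connected
23:21:15: Di1 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
23:21:39: Di1 DDR: ip (s=217.158.156.42, d=217.158.117.119), 92 bytes, outgoing uninteresting (list 100)
23:21:41: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 92 bytes, outgoing uninteresting (list 100)
23:21:42: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
23:21:44: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
23:21:49: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
""".splitlines()

if __name__ == "__main__":
    for (src, dst, size), n in timer_reloads(SAMPLE).most_common():
        print(f"{n} x {size}-byte packets {src} -> {dst} reloaded the idle timer")
    print(len(bare_segment_candidates(SAMPLE)), "candidate bare TCP segments")
```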
  13. Peter

    Peter Guest

    Peter <> wrote

    >The last 3 lines reloaded the dialler timeout. What are these 40-byte
    >packets?


    then I did this:

    >c:\>tracert 217.158.156.42
    >
    >Tracing route to du-069-0551.access.clara.net [217.158.156.42]
    >over a maximum of 30 hops:
    >
    > 1 <10 ms <10 ms <10 ms du-069-0551.access.clara.net [217.158.156.42]
    >
    >Trace complete.
    >
    >c:\>tracert 217.158.132.1
    >
    >Tracing route to du-069-0001.access.clara.net [217.158.132.1]
    >over a maximum of 30 hops:
    >
    > 1 <10 ms <10 ms <10 ms 10.100.101.254
    > 2 31 ms 32 ms 47 ms fe-0-0-telee-ishmael.router.clara.net [213.253.16.69]
    > 3 * * * Request timed out.
    > 4 * * * Request timed out.
    > 5 * * * Request timed out.
    > 6 * * * Request timed out.
    > 7 * * * Request timed out.
    > 8 * * * Request timed out.
    > 9 * * * Request timed out.
    > 10 * * * Request timed out.
    > 11 * * * Request timed out.
    > 12 * * * Request timed out.
    > 13 * * * Request timed out.
    > 14 * * ^C
    >c:\>ping 217.158.132.1
    >
    >Pinging 217.158.132.1 with 32 bytes of data:
    >
    >Request timed out.
    >Request timed out.
    >Request timed out.
    >Request timed out.
    >
    >Ping statistics for 217.158.132.1:
    > Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    >Approximate round trip times in milli-seconds:
    > Minimum = 0ms, Maximum = 0ms, Average = 0ms
    >
    >c:\>




    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 4, 2003
    #13
  14. Peter

    Peter Guest

    Later, the 2nd IP changed to one which could be traced, and the debug
    showed

    >23:30:23: Di1 DDR: ip (s=217.158.156.42, d=217.158.106.204), 40 bytes, outgoing interesting (list 100)
    >23:30:30: Di1 DDR: ip (s=217.158.156.42, d=217.158.106.204), 40 bytes, outgoing interesting (list 100)
    >
    >c:\>tracert 217.158.106.204
    >
    >Tracing route to adsl-solo-106-204.claranet.co.uk [217.158.106.204]
    >over a maximum of 30 hops:
    >
    > 1 <10 ms <10 ms <10 ms 10.100.101.254
    > 2 31 ms 47 ms 47 ms fe-0-0-telee-ishmael.router.clara.net [213.253.16.69]
    > 3 31 ms 47 ms 47 ms ge-1-0-0-telee-tashtego.router.clara.net [213.253.16.66]
    > 4 32 ms 46 ms * adsl-1.uk.clara.net [195.8.68.236]
    > 5 47 ms 31 ms 47 ms 217.41.128.105
    > 6 46 ms 32 ms 47 ms 217.41.128.3
    > 7 47 ms 63 ms 62 ms adsl-solo-106-204.claranet.co.uk [217.158.106.204]


    so these 40-byte packets are going from Clara to Clara!


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 4, 2003
    #14
  15. On Thu, 04 Dec 2003 19:33:15 +0000, Peter wrote:

    >>23:21:41: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 92 bytes, outgoing uninteresting (list 100)
    >>23:21:42: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
    >>23:21:44: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
    >>23:21:49: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)

    >
    > The last 3 lines reloaded the dialler timeout. What are these 40-byte
    > packets?
    >


    TCP resets perhaps. If the 92 byte packet is a ping response, then
    217.158.132.1 might try to connect with tcp and the router sends resets
    because it isn't listening.

    I thought you could match the tcp flags in an ACL and maybe make resets
    uninteresting, but a quick check didn't show me how. Otherwise, block
    icmp echo inbound, assuming you haven't already. In which case, I'm
    blowing smoke.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Dec 5, 2003
    #15
  16. Peter

    Peter Guest

    "Martin Gallagher" <> wrote:

    >Otherwise, block
    >icmp echo inbound, assuming you haven't already.


    What would be the syntax for that?


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 5, 2003
    #16
  17. Martin Gallagher, Dec 6, 2003
    #17