803 access list for FTP transfers?

Discussion in 'Cisco' started by Peter, Dec 3, 2003.

  1. Peter

    Peter Guest

    I have an 803 which works fine for www/email with the following

    access-list 100 permit tcp any any eq www
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any any eq domain
    access-list 100 permit tcp any any eq nntp
    access-list 100 permit tcp any any eq smtp
    access-list 100 permit tcp any any eq pop3

    and I added the following to enable ftp

    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any any eq ftp-data
    access-list 100 permit tcp any eq ftp-data any

    which works but the hangup timer does not get reloaded.

    The following appears to have fixed that

    access-list 100 permit tcp any any established

    but now the router suffers from remaining online for very long periods
    due to some external traffic (perhaps port sniffers), even with no
    connection to its ethernet port.

    Can anyone suggest an access list which permits FTP (not passive mode)
    while reloading the router hangup timer correctly, while not leaving
    the router wide open?


    Peter.
     
    Peter, Dec 3, 2003
    #1

  2. Peter, you're doing no one any favours by continually posting
    the same question.

    However, if the connection stays up, let the connection lie
    idle until you believe that it should go down, then run
    "sh dialer". This should give you some idea as to why the
    connection stays up.

    I can think of a few possibilities, virus, bad NAT mapping,
    your POP3 client running continually or possibly your
    Windows sending out its usual crap.


    B
     
    Bob { Goddard }, Dec 3, 2003
    #2

  3. Peter

    Peter Guest

    Bob, I apologise. I just did that because sometimes a post isn't
    spotted by someone who knows the answer, before it drops off the
    server.
    I am b*****d now... Just tried it, and the router hangs up OK now,
    even following an FTP transfer. I will need to do more tests but I did
    write to the ISP; perhaps they've done something...
    The router stays online even with the ethernet cable unplugged, so it
    can't be the PC. This is why running a software ethernet analyser on
    the PC didn't reveal anything.


    Peter.
     
    Peter, Dec 3, 2003
    #3
  4. Which now sounds like you may be getting hit by
    the Welchia/Nachi worms - I can never remember their names.
    Your system may be running out of memory.
    Okay, but the "show dialer" will tell you who it is trying
    to contact.

    Hmm, I wonder what happens when logging is turned on,
    the router is set to resolve DNS via your ISP and
    connection attempts are made. I wonder if the router's
    DNS traffic is keeping the interface up?


    B
     
    Bob { Goddard }, Dec 3, 2003
    #4
  5. :>Peter, you're doing no one any favours by continually posting
    :>the same question.

    :Bob, I apologise. I just did that because sometimes a post isn't
    :spotted by someone who knows the answer, before it drops off the
    :server.

    There isn't just -one- news server, and each server decides for
    itself how long to store messages for each group. I believe it is
    several weeks for this newsgroup on the server I use. The die-hards
    that frequent this group are unlikely, I would think, to use a
    server with a retention period measured in days.
     
    Walter Roberson, Dec 3, 2003
    #5
  6. Peter

    Peter Guest

    Noted, thank you.
    I've just realised that when I changed the ISP from Netcom to Clara, I
    forgot to change this

    ip address 192.168.1.1 255.255.255.0

    so it is still using Netcom's nameserver.... will fix this.

    But despite my lack of knowledge in this area, I have wondered if the
    router does access something on the internet all by itself... I don't
    have any automatic router clock setting feature enabled but DNS is a
    possibility. I have Zonealarm installed (on an unrelated system) and
    it shows DNS lookups to the internet when printing locally over the
    LAN! This may be standard Windows behaviour, broadcasting all over the
    place looking for printers etc. When the router is offline, these
    don't cause it to go online (non-interesting traffic to the dialler)
    but once the router is already online then what goes out is limited
    only by the access lists (AIUI). None of this surprises me; I recently
    read that a large % of accesses to nameservers is for WORKGROUP :)

    As I say this isn't relevant when the PC is powered off or
    disconnected, but I wonder if something in the router gets triggered
    off by one of these spurious "windows chats" and after that the router
    is trying to access some nameserver, for a long time afterwards?


    Peter.
     
    Peter, Dec 3, 2003
    #6
  7. The router should only access the net by itself for 2 reasons,
    performing DNS lookups and for (S)NTP.
    This is quite possibly the cause.

    It may be time to post a sanitised config and the output of
    "show dialer".


    B
     
    Bob { Goddard }, Dec 3, 2003
    #7
  8. Peter

    Peter Guest

    Just realised... the above is a complete red herring - there isn't any
    need for a nameserver IP in the router (it is already configured in
    windows networking).


    Peter.
     
    Peter, Dec 3, 2003
    #8
  9. Peter

    Peter Guest

    I have done quite a bit of testing tonight, and have found the
    following, relative to the access list below

    access-list 100 permit tcp any any eq www
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any any eq domain
    access-list 100 permit tcp any any eq nntp
    access-list 100 permit tcp any any eq pop3
    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any eq ftp any *
    access-list 100 permit tcp any any eq ftp-data
    access-list 100 permit tcp any eq ftp-data any
    access-list 100 permit tcp any any established **

    * adding this one appears to make it work with ftp transfers, provided
    that each file transfers in less than the 200-sec dialer timeout

    ** adding this one is necessary for ftp transfers of *any* size (and
    also same for IE6 file downloads; presumably these use ftp also) BUT
    the router takes a lot longer to hang up after the end of the data
    (and this is not due to any PC activity)

    I have done 'sh dialer' but it shows nothing useful; only whatever
    brought up the line initially. There must be a more detailed debug
    mode... This debug does show the remaining timer value so I can see
    when it gets reloaded with '200', and Ethereal shows nothing on the
    PC at this time, so whatever is causing the router to reload its timer
    is not coming from the PC (at that moment).

    But it appears that even with the ** line, the router hangs up
    eventually, typically in 5-10 mins rather than 200 secs. I think I
    will leave it now; this has taken far too many evenings.

    If ** proves to be a real problem (basically if I run over my 120hr
    Clara monthly time limit due to this) then I will remove the ** line
    and use a little .htm prog I have which hits www.google.com every 100
    seconds and run that during any ftp ops :)

    I have written to Cisco, but nowadays none of these products are
    supported.


    Peter.
     
    Peter, Dec 3, 2003
    #9
  10. It shouldn't unless you have someone outside trying
    This is required because passive ftp uses ephemeral ports
    and the only reliable way for this traffic to keep the line
    up is to test for the ACK bit.
    "Dammit Janet" - It's been a while since I've used dialup.
    There should be something under "debug dialer" that you
    can use.
    A simple ping could be used as well if you add
    access-list 100 permit icmp any any echo

    What can I say, except if you can, go ADSL.


    B
     
    Bob { Goddard }, Dec 3, 2003
    #10
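    The ACL in post #9 and Bob's point about the ACK bit can be checked
    mechanically. The following is an added example, not code from this
    thread or from Cisco: a small evaluator for the subset of IOS extended-ACL
    syntax used in access-list 100. It assumes the usual IOS semantics
    (entries tried in order, first match wins, implicit deny at the end,
    "established" matching any TCP segment with ACK or RST set) and that
    active-mode FTP opens the data channel from server port 20 to a client
    ephemeral port. The sample packets and their port numbers are
    constructed, not taken from the debug output in the thread.

```python
# Added example (not from the thread or Cisco): evaluate the thread's
# access-list 100 against constructed packets to see which entry each one
# hits, and how much wider the ACL becomes once 'established' is appended.
# Assumed IOS semantics: entries are tried in order, first match wins,
# implicit deny at the end; 'established' matches any TCP segment with the
# ACK or RST bit set; active-mode FTP opens the data channel from server
# port 20 (ftp-data) to a client ephemeral port.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Well-known port names as IOS resolves them in 'eq <name>' clauses.
PORT_NAMES = {"www": 80, "domain": 53, "nntp": 119, "smtp": 25,
              "pop3": 110, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Packet:
    proto: str                             # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: FrozenSet[str] = frozenset()    # TCP flags: "SYN", "ACK", "RST", ...


@dataclass(frozen=True)
class Entry:
    text: str
    proto: str
    src_eq: Optional[int]
    dst_eq: Optional[int]
    established: bool

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.src_eq is not None and p.src_port != self.src_eq:
            return False
        if self.dst_eq is not None and p.dst_port != self.dst_eq:
            return False
        # 'established' means ACK or RST set; a reset qualifies just as an ACK does.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def parse_entry(line: str) -> Entry:
    """Parse 'access-list 100 permit <proto> any [eq P] any [eq P] [established]'."""
    toks = line.split()
    if toks[:3] != ["access-list", "100", "permit"]:
        raise ValueError(f"unsupported line: {line}")
    proto, rest = toks[3], toks[4:]
    ports: List[Optional[int]] = []
    i = 0
    for _ in range(2):                     # source spec, then destination spec
        if rest[i] != "any":
            raise ValueError(f"only 'any' addresses are supported: {line}")
        i += 1
        if i < len(rest) and rest[i] == "eq":
            ports.append(PORT_NAMES[rest[i + 1]])
            i += 2
        else:
            ports.append(None)
    established = i < len(rest) and rest[i] == "established"
    return Entry(line, proto, ports[0], ports[1], established)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(line.strip()) for line in text.strip().splitlines()]


def first_match(acl: List[Entry], p: Packet) -> Optional[str]:
    """Text of the first matching entry, or None for the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.text
    return None


# The ACL from post #9, without and with the 'established' entry.
ACL_WITHOUT = """
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit tcp any any eq nntp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any eq ftp-data any
"""
ACL_WITH = ACL_WITHOUT + "access-list 100 permit tcp any any established\n"

# Constructed sample packets; the ephemeral ports 1025/1026/3333/4444 are made up.
SAMPLES = {
    "client opens control channel":  Packet("tcp", 1025, 21, frozenset({"SYN"})),
    "server opens active data chan": Packet("tcp", 20, 1026, frozenset({"SYN"})),
    "client ACKs data segment":      Packet("tcp", 1026, 20, frozenset({"ACK"})),
    "unsolicited inbound RST/ACK":   Packet("tcp", 80, 3333, frozenset({"RST", "ACK"})),
    "inbound SYN probe to port 80":  Packet("tcp", 4444, 80, frozenset({"SYN"})),
}


def evaluate(acl_text: str) -> dict:
    """Map each sample packet name to the entry it hits (None = implicit deny)."""
    acl = parse_acl(acl_text)
    return {name: first_match(acl, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in (("without established", ACL_WITHOUT),
                        ("with established", ACL_WITH)):
        print(f"--- {label} ---")
        for name, hit in evaluate(text).items():
            print(f"{name:32} -> {hit or 'implicit deny'}")
```

    Two things the output makes visible: the unsolicited RST/ACK segment is
    denied by the nine port-based entries but admitted by the "established"
    line, which is why that entry lets arbitrary outside traffic through;
    and the "any any eq www" style entries have no direction, so an inbound
    SYN to port 80 matches even without "established". Whether a permitted
    inbound packet restarts the dialer idle timer depends on the dialer
    configuration, which the thread does not show.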
  11. Peter

    Peter Guest

    I am not using Passive Mode.
    Yes, in fact using a very short timeout, e.g. 10 secs, would have been
    a solution to the original external sniffing (or whatever it was)
    problem. The downside of that is that with a dynamic IP, your IP keeps
    changing through perhaps a single www browsing session...
    Oddly enough I can ping www.cisco.com already
    I can't - in a village and so far only about 40 people have signed up
    for it.

    The bizarre thing is that I had no problem with the previous ISP; the
    router would hang up perfectly every time...

    Thanks Bob for all your help so far... my g/f is looking at a Linksys
    54k ADSL->wifi router and is quite horrified at my problems with
    router config. But then on ADSL she would never notice... I bet they
    come configured wide-open; if they didn't, nobody could handle the
    tech support.



    Peter.
     
    Peter, Dec 4, 2003
    #11
  12. Peter

    Peter Guest

    More info obtained from RS232-attached terminal:

    command: debug dialer packets

    shows the following with the PC connected via ethernet (and this did
    extend the dialler timeout, as expected):
    Then I UNplugged the ethernet cable from the router and saw this
    The last 3 lines reloaded the dialler timeout. What are these 40-byte
    packets?


    Peter.
     
    Peter, Dec 4, 2003
    #12
  13. Peter

    Peter Guest

    then I did this:


    Peter.
     
    Peter, Dec 4, 2003
    #13
  14. Peter

    Peter Guest

    Later, the 2nd IP changed to one which could be traced, and the debug
    showed
    so these 40-byte packets are going from Clara to Clara!


    Peter.
     
    Peter, Dec 4, 2003
    #14
    TCP resets perhaps. If the 92 byte packet is a ping response, then
    217.158.132.1 might try to connect with tcp and the router sends resets
    because it isn't listening.

    I thought you could match the tcp flags in an ACL and maybe make resets
    uninteresting, but a quick check didn't show me how. Otherwise, block
    icmp echo inbound, assuming you haven't already. In which case, I'm
    blowing smoke.
     
    Martin Gallagher, Dec 5, 2003
    #15
  16. Peter

    Peter Guest

    What would be the syntax for that?


    Peter.
     
    Peter, Dec 5, 2003
    #16
  17. Martin Gallagher, Dec 6, 2003
    #17