ftp outbound on meraki mx

Here to help

Hi,

I replaced an old Cisco PIX 520 with a Meraki 400. Some firewall rules that worked correctly before now have problems.
For example, a firewall rule that allows some internal IPs FTP access to some external servers does not work properly. To have no problems I had to give access to all ports (any). I thought that the FTP-related problems were only in inbound rules. What other ports should be opened to correctly use outbound FTP?

Thanks

Regards

5 REPLIES
Head in the Cloud

Re: ftp outbound on meraki mx

You should not have to explicitly allow anything outbound.


Have you seen this?

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Active_and_Passive_FTP_Overview_and_Conf...


Here to help

Re: ftp outbound on meraki mx

hi,

Maybe I didn't explain myself. I need to create an outbound rule that allows some internal IPs to connect to some FTP servers but not to use any other outgoing protocol.


Example (attached screenshot: Annotazione 2019-11-06 232624.jpg)


The problem is that opening only FTP port 21 does not work.

Regards

Kind of a big deal

Re: ftp outbound on meraki mx

Are you connecting to active or passive FTP servers? If you're not sure, you need both 20 and 21.


Just to check, you're using regular FTP and not SFTP? Because if SFTP, you'll need 22 as well.

Kind of a big deal

Re: ftp outbound on meraki mx

If you are connecting to a passive mode FTP server:

  • The client connects out on port 21.
  • The client sends a PASV command and the server responds with a port on its side.
  • The client connects out on the returned port from a random port.

If you are connecting to an active mode server:

  • The client connects out on port 21.
  • The client sends a "PORT" command to say it is listening on a specific port for data.
  • The server then connects back to the client from its port 20 to the port the client specified.


The MX NAT will correctly fix up NAT for active mode connections to allow the return traffic.  Passive mode does not require any fixups.

The MX won't correct any outbound firewall rules you have created to explicitly block traffic.


If you create a default "deny all" rule limiting outbound traffic then you'll probably want to create a simple "permit ip any host x.x.x.x" style rule to the specific FTP server the users need to connect to.


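The data-channel setup described in the two replies above, as an added example that is not part of the original thread or of Meraki's documentation. It decodes the server's 227 reply to PASV and the client's PORT command (both carry the address and port as six comma-separated decimals, port = p1*256 + p2), lists the outbound TCP flows an FTP session actually needs, and checks them against a deliberately simplified outbound policy model (first match wins, implicit allow when nothing matches). The addresses, the 227 reply and the rule sets are constructed for illustration; the rule model is an assumption made for the example, not the MX's real rule engine.

```python
"""Why an outbound rule that permits only TCP/21 breaks passive FTP.

Added example, not code from the Meraki thread or Meraki documentation.
All addresses, messages and rules below are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": server address + data port
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2": client address + the port it is listening on
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups):
    """Turn the six decimals into (dotted-quad address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv(reply: str):
    """(server_ip, data_port) advertised in a 227 reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    return _decode(m.groups())


def parse_port(command: str):
    """(client_ip, data_port) announced in a PORT command."""
    m = PORT_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a PORT command: {command!r}")
    return _decode(m.groups())


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: str                        # source CIDR
    dst: str                        # destination CIDR
    dports: Optional[tuple] = None  # None = any destination port


def permitted(rules, proto, src_ip, dst_ip, dport) -> bool:
    """Simplified policy model (assumption): first matching rule decides,
    and an outbound flow that matches no rule is allowed."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if ip_address(src_ip) not in ip_network(r.src):
            continue
        if ip_address(dst_ip) not in ip_network(r.dst):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action == "allow"
    return True


def outbound_flows(client_ip, server_ip, pasv_reply=None):
    """Outbound TCP flows (name, src, dst, dport) an FTP session needs.

    Control channel is always client -> server:21.  In passive mode the
    client also opens the data channel to the address/port from the 227
    reply.  In active mode (PORT) the *server* opens the data channel
    toward the client, so that connection is inbound, handled by the NAT
    fixup, and never evaluated against the outbound rule set.
    """
    flows = [("control", client_ip, server_ip, 21)]
    if pasv_reply is not None:
        data_ip, data_port = parse_pasv(pasv_reply)
        flows.append(("data", client_ip, data_ip, data_port))
    return flows


def check(rules, flows):
    """Map each flow name to whether the policy lets it out."""
    return {name: permitted(rules, "tcp", s, d, p) for name, s, d, p in flows}


CLIENT = "192.168.1.50"     # constructed internal client
SERVER = "203.0.113.10"     # constructed external FTP server
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"  # port 50000

# The poster's rule: only tcp/21 to the server, then deny everything.
PORT21_ONLY = [
    Rule("allow", "tcp", "192.168.1.0/24", "203.0.113.10/32", (21,)),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]
# The suggested "permit ip any host x.x.x.x" rule, then deny everything.
HOST_ANY_PORT = [
    Rule("allow", "any", "192.168.1.0/24", "203.0.113.10/32"),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    flows = outbound_flows(CLIENT, SERVER, pasv_reply=PASV_REPLY)
    print(check(PORT21_ONLY, flows))    # {'control': True, 'data': False}
    print(check(HOST_ANY_PORT, flows))  # {'control': True, 'data': True}
```

The passive data port is chosen by the server per session, so no fixed port list can cover it; a per-host rule with any port is the smallest outbound allow that works, and a deny-all after it still blocks the other protocols the poster wanted to stop.
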
Here to help

Re: ftp outbound on meraki mx

Hi, thanks for the answer.

My first consideration: it puzzles me that a 15-year-old device has features (FTP fixup, object groups) that do not exist on a current product.
For the problem in question, if instead of deny any any I put a deny of the different subnets to any, is the fixup applied?

Best regards
