topic Cannot transfer the file to the ftp server which is behind ASA 5510 in Network Security

Cannot transfer the file to the ftp server which is behind ASA 5510

Anand Narayana — Mon, 11 Mar 2019 09:38:00 GMT

Hi,

configured ASA for allowing ftp requests to my ftp server residing behind the ASA,problem is when a internet client is doing ftp to the ftp server, he can able to connect, but he can't able to transfer the files after few seconds i get a message displaying "connection closed by remote host" how do i solve this? problem also happens when i issue DIR or LS command after logging in to the ftp server.

Re: Cannot transfer the file to the ftp server which is behind A

vitripat — Sat, 24 Feb 2007 12:13:47 GMT

It seems that you done have FTP inspection enabled on your ASA. Assuming that you are using default settings, please implement following commands on ASA-

(all commands are to be executed in config mode)

class-map inspection_default

match default-inspection-traffic

exit

policy-map global_policy

class inspection_default

inspect ftp

exit

service-policy global_policy global

Now check if FTP works. If it does, save the configuration. If the issue remains, please provide the output for-

show service-policy

show run policy-map

If possible, syslogs.

Regards,

Vibhor

Re: Cannot transfer the file to the ftp server which is behind A

Anand Narayana — Sat, 24 Feb 2007 14:23:41 GMT

NO Use, it didn't work, still the same probs.

Re: Cannot transfer the file to the ftp server which is behind A

jmia — Sat, 24 Feb 2007 15:14:55 GMT

Take a look here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

Hope it helps...

Jay

Re: Cannot transfer the file to the ftp server which is behind A

Anand Narayana — Sat, 24 Feb 2007 16:56:34 GMT

Hi Thanks for your response,

actually i was trying from windows xp/2000 laptop, that is the reason i was facing this probs, when i tried in a BSd box it works fine being a "passive ftp" is enabled default. but still i couldn't understand why in windows xp/2000 i couldn't find the "passive" command. any idea? i was also informed by 1 of my friend that in windows box, if i issue "litral passive" he said that it would allow, but no use of that command, as it said it is invalid command.

Re: Cannot transfer the file to the ftp server which is behind A

daviddtran — Sat, 24 Feb 2007 20:37:07 GMT

In Unix/Linux, after ftp logging, you can issue

the command "passive" to either turn on or turn

off passive ftp as below:

# cd /tmp

# ftp 192.168.15.10

Connected to 192.168.15.10.

220 (vsFTPd 1.2.0)

Name (192.168.15.10:root): anonymous

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> bin

200 Switching to Binary mode.

ftp> prompt

Interactive mode off.

ftp> hash

Hash mark printing on (8192 bytes/hash mark).

ftp> passive

Passive mode on.

ftp> passive

Passive mode off.

ftp>

-------------------

On Microsoft Windows, it works a differently.

After logging in, you can issue the command

"literal pasv". That will take you to

passive mode.

C:\temp>ftp 192.168.15.10

Connected to 192.168.15.10.

220 (vsFTPd 1.2.0)

User (192.168.15.10:(none)): anonymous

331 Please specify the password.

Password:

230 Login successful.

ftp> bin

200 Switching to Binary mode.

ftp> prompt

Interactive mode Off .

ftp> hash

Hash mark printing On ftp: (2048 bytes/hash mark) .

ftp> literal pasv

227 Entering Passive Mode (192,168,15,10,4,253)

ftp>

good luck

David

CCIE Security

Re: Cannot transfer the file to the ftp server which is behind A

Anand Narayana — Sun, 25 Feb 2007 11:25:29 GMT

Hi David,

thanks for your response, even i tried the same & the command also accepted, but still the same probz, but when i tried ina GUI ftp client it is working being an Passive FTP. but no idea still why it is not working.

Re: Cannot transfer the file to the ftp server which is behind A

daviddtran — Sun, 25 Feb 2007 14:31:56 GMT

hi anandanarayana,

I think it is a bug in windows ftp client itself. When you think you set the windows

ftp client from the CLI to passive ftp, it is

still doing "Active" ftp. Check out the

tcpdump below from Linux FTP server itself:

--------------

C:\temp>ftp 192.168.15.10

Connected to 192.168.15.10.

220 (vsFTPd 1.2.0)

User (192.168.15.10:(none)): anonymous

331 Please specify the password.

Password:

230 Login successful.

ftp> bin

200 Switching to Binary mode.

ftp> prompt

Interactive mode Off .

ftp> hash

Hash mark printing On ftp: (2048 bytes/hash mark) .

ftp> literal pasv

227 Entering Passive Mode (192,168,15,10,5,50)

ftp> get Winkey.exe

200 PORT command successful. Consider using PASV.

150 Opening BINARY mode data connection for Winkey.exe (43520 bytes).

#####################

226 File send OK.

ftp: 43520 bytes received in 0.00Seconds 43520000.00Kbytes/sec.

ftp> quit

221 Goodbye.

C:\temp>

--------------------

[root@dca2-LinuxES ftp]# tcpdump -i eth0 -n host 129.174.1.13

tcpdump: listening on eth0

10:26:58.104416 129.174.1.13.2668 > 192.168.15.10.ftp: S 1268059330:1268059330(0) win 64512 (DF)

10:26:58.104540 192.168.15.10.ftp > 129.174.1.13.2668: S 2901538155:2901538155(0) ack 1268059331 win 5840 (DF)

10:26:58.105335 129.174.1.13.2668 > 192.168.15.10.ftp: . ack 1 win 64512 (DF)

10:26:58.109962 192.168.15.10.ftp > 129.174.1.13.2668: P 1:21(20) ack 1 win 5840 (DF)

10:27:09.185283 129.174.1.13.2668 > 192.168.15.10.ftp: P 65:82(17) ack 208 win 64305 (DF)

10:27:09.185748 192.168.15.10.ftp-data > 129.174.1.13.2670: S 2914151128:2914151128(0) win 5840 (DF)

10:27:09.186629 129.174.1.13.2670 > 192.168.15.10.ftp-data: S 3044473740:3044473740(0) ack 2914151129 win 64512 (DF)

10:27:09.186702 192.168.15.10.ftp-data > 129.174.1.13.2670: . ack 1 win 5840 (DF)

10:27:09.186928 192.168.15.10.ftp > 129.174.1.13.2668: P 208:279(71) ack 82 win 5840 (DF)

10:27:09.187040 192.168.15.10.ftp-data > 129.174.1.13.2670: . 1:1449(1448) ack 1 win 5840 (DF) [tos 0x8]

10:27:09.187072 192.168.15.10.ftp-data > 129.174.1.13.2670: . 1449:2897(1448) ack 1 win 5840 (DF) [tos 0x8]

10:27:09.187124 192.168.15.10.ftp-data > 129.174.1.13.2670: . 2897:4345(1448) ack 1 win 5840 (DF) [tos 0x8]

10:27:09.187931 129.174.1.13.2670 > 192.168.15.10.ftp-data: . ack 2897 win 64512 (DF)

10:27:09.187965 192.168.15.10.ftp-data > 129.174.1.13.2670: . 4345:5793(1448) ack 1 win 5840 (DF) [tos 0x8]

10:27:09.187974 192.168.15.10.ftp-data > 129.174.1.13.2670: . 5793:7241(1448) ack 1 win 5840 (DF) [tos 0x8]

10:27:09.187987 192.168.15.10.ftp-data > 129.174.1.13.2670: . 7241:8689(1448) ack 1 win 5840 (DF) [tos 0x8]

10:27:09.188568 129.174.1.13.2670 > 192.168.15.10.ftp-data: . ack 5793 win 6451

10:27:11.555300 129.174.1.13.2668 > 192.168.15.10.ftp: P 82:88(6) ack 298 win 64215 (DF)

10:27:11.555817 192.168.15.10.ftp > 129.174.1.13.2668: P 298:312(14) ack 88 win 5840 (DF)

10:27:11.556957 129.174.1.13.2668 > 192.168.15.10.ftp: F 88:88(0) ack 312 win 64201 (DF)

10:27:11.557242 192.168.15.10.ftp > 129.174.1.13.2668: F 312:312(0) ack 89 win 5840 (DF)

10:27:11.557718 129.174.1.13.2668 > 192.168.15.10.ftp: . ack 313 win 64201 (DF)

82 packets received by filter

0 packets dropped by kernel

[root@dca2-LinuxES ftp]#

Re: Cannot transfer the file to the ftp server which is behind A

Anand Narayana — Sun, 25 Feb 2007 14:40:32 GMT

Hi David,

as u said it should be a bug in windows CUI ftp client, so i tried installing a 3rd party FTP client it works.

Re: Cannot transfer the file to the ftp server which is behind A

daviddtran — Sun, 25 Feb 2007 14:51:43 GMT

yes, third party clients such as WinSCP and

SecureFX works with passive ftp. It is just

Windows ftp client CLI that does not. As you can see, the client is transferring file with

the server with the server high-ports. No

port 20 is taken place anywhere. Therefore,

I think it is a bug in the microsoft ftp

client CLI itself. See below when I initiate

ftp client from a third party ftp client such

as SecureFX:

David

[root@dca2-LinuxES root]# tcpdump -i eth0 -n host 129.174.1.13

tcpdump: listening on eth0

10:48:53.228633 129.174.1.13.35375 > 192.168.15.10.ftp: S 538184680:538184680(0) win 49640 (DF)

10:48:53.228753 192.168.15.10.ftp > 129.174.1.13.35375: S 4261832214:4261832214(0) ack 538184681 win 5840 (DF)

10:48:53.229620 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 1 win 49640 (DF)

10:48:53.234096 192.168.15.10.ftp > 129.174.1.13.35375: P 1:21(20) ack 1 win 5840 (DF)

10:48:53.234565 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 21 win 49640 (DF)

10:48:53.255148 192.168.15.10.34391 > 129.174.1.13.domain: 64769+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)

10:48:53.256379 129.174.1.13.domain > 192.168.15.10.34391: 64769 1/4/2 (202) (DF)

10:48:56.791231 129.174.1.13.35375 > 192.168.15.10.ftp: P 1:17(16) ack 21 win 49640 (DF)

10:48:56.791310 192.168.15.10.ftp > 129.174.1.13.35375: . ack 17 win 5840 (DF)

10:48:56.791885 192.168.15.10.ftp > 129.174.1.13.35375: P 21:55(34) ack 17 win 5840 (DF)

10:48:57.030438 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 128 win 49640 (DF)

10:48:57.389484 129.174.1.13.35375 > 192.168.15.10.ftp: P 38:46(8) ack 128 win 49640 (DF)

10:48:57.389553 192.168.15.10.ftp > 129.174.1.13.35375: P 128:159(31) ack 46 win 5840 (DF)

10:48:57.480433 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 159 win 49640 (DF)

10:48:58.586925 192.168.15.10.34391 > 129.174.1.13.domain: 64770+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)

10:48:58.588275 129.174.1.13.domain > 192.168.15.10.34391: 64770 1/4/2 (202) (DF)

10:49:00.638756 192.168.15.10.34391 > 129.174.1.13.domain: 64771+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)

10:49:00.639900 129.174.1.13.domain > 192.168.15.10.34391: 64771 1/4/2 (202) (DF)

10:49:08.028007 129.174.1.13.35375 > 192.168.15.10.ftp: P 46:52(6) ack 159 win 49640 (DF)

10:49:08.028710 192.168.15.10.ftp > 129.174.1.13.35375: P 159:207(48) ack 52 win 5840 (DF)

10:49:08.029984 129.174.1.13.35376 > 192.168.15.10.1037: S 541876187:541876187(0) win 49640 (DF)

10:49:08.030061 192.168.15.10.1037 > 129.174.1.13.35376: S 4267281440:4267281440(0) ack 541876188 win 5840 (DF)

10:49:08.030793 129.174.1.13.35376 > 192.168.15.10.1037: . ack 1 win 49640 (DF)

10:49:08.030932 129.174.1.13.35375 > 192.168.15.10.ftp: P 52:69(17) ack 207 win 49640 (DF)

10:49:08.031158 192.168.15.10.ftp > 129.174.1.13.35375: P 207:278(71) ack 69 win 5840 (DF)

10:49:08.031255 192.168.15.10.1037 > 129.174.1.13.35376: . 1:1461(1460) ack 1 win 5840 (DF) [tos 0x8]

10:49:08.031314 192.168.15.10.1037 > 129.174.1.13.35376: . 1461:2921(1460) ack 1 win 5840 (DF) [tos 0x8]

10:49:08.038016 129.174.1.13.35376 > 192.168.15.10.1037: F 1:1(0) ack 43522 win 49640 (DF)

10:49:08.038070 192.168.15.10.1037 > 129.174.1.13.35376: . ack 2 win 5840 (DF)

10:49:10.012613 129.174.1.13.35375 > 192.168.15.10.ftp: P 69:75(6) ack 297 win 49569 (DF)

10:49:10.012836 192.168.15.10.ftp > 129.174.1.13.35375: P 297:311(14) ack 75 win 5840 (DF)

10:49:10.013471 129.174.1.13.35375 > 192.168.15.10.ftp: F 75:75(0) ack 311 win 49569 (DF)

10:49:10.014115 192.168.15.10.ftp > 129.174.1.13.35375: F 311:311(0) ack 76 win 5840 (DF)

10:49:10.014590 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 312 win 49569 (DF)

10:49:10.578376 192.168.15.10.34391 > 129.174.1.13.domain: 64772+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)

101 packets received by filter

0 packets dropped by kernel

[root@dca2-LinuxES root]#