https://community.cisco.com/t5/network-security/our-asa-is-blocking-filezilla/m-p/4633871#M1091026 <P>There is a server on our environment that's running FileZilla and the way we have the rule set up using <STRONG>FMC</STRONG> is&nbsp;</P><P><STRONG>Set up: </STRONG></P><P>Objects:&nbsp;</P><P>- Public IP, Private IP.</P><P>- Ports that were asked to be opened.&nbsp;</P><P>NAT Rule: For the public IP to the Private IP&nbsp;</P><P>Initial Access Control Policy:&nbsp;</P><P>-Zone: SC: Internet, Destination: Lan</P><P>Network:&nbsp;</P><P>- SC: Any, Destination: Private IP&nbsp;</P><P>VLAN Tags, Users, Applications: Set to any.&nbsp;</P><P>Ports: SC: Any, Dest: the objects selected from when I created the ports.&nbsp;</P><P>URLS and SGT/ISE: any.&nbsp;</P><P>&nbsp;</P><P><STRONG>Issue</STRONG></P><P>When someone tries to connect to the server they can get to the port, but TLS connection cant be authenticated so it closes the connection. Not sure what's going on.&nbsp;</P><P>&nbsp;</P><P><STRONG>Attempts to resolve.&nbsp;</STRONG></P><P>I tried to allow any port to go through, anyone in the internet can go through.</P><P>Device Firewall has inbound and outbound ports allowed access.&nbsp;</P><P>in the Initial access control policy, I changed it from</P><P>SC: Any, Destination: Private IP&nbsp; to&nbsp; SC: Any, Destination: public IP.&nbsp;</P><P>&nbsp;</P><P><STRONG>Temp solution:&nbsp;</STRONG></P><P>What seems to work at the moment is when I set up the rule action from&nbsp; Allowed to Trust it let the connection through and TLS authentication was a success, files can be transferred etc. Now if I understand correctly Trust doesn't monitor and basically allowed anything just to go through. Not sure if I want that.&nbsp;</P><P>&nbsp;</P><P>Does anyone know why it's having this issue? The ASA isn't super configured so it can be assumed that it's a brand new ASA with very little configuration.&nbsp;</P> Fri, 17 Jun 2022 16:07:32 GMT JBrav0 2022-06-17T16:07:32Z https://community.cisco.com/t5/network-security/our-asa-is-blocking-filezilla/m-p/4633871#M1091026 <P>There is a server on our environment that's running FileZilla and the way we have the rule set up using <STRONG>FMC</STRONG> is&nbsp;</P><P><STRONG>Set up: </STRONG></P><P>Objects:&nbsp;</P><P>- Public IP, Private IP.</P><P>- Ports that were asked to be opened.&nbsp;</P><P>NAT Rule: For the public IP to the Private IP&nbsp;</P><P>Initial Access Control Policy:&nbsp;</P><P>-Zone: SC: Internet, Destination: Lan</P><P>Network:&nbsp;</P><P>- SC: Any, Destination: Private IP&nbsp;</P><P>VLAN Tags, Users, Applications: Set to any.&nbsp;</P><P>Ports: SC: Any, Dest: the objects selected from when I created the ports.&nbsp;</P><P>URLS and SGT/ISE: any.&nbsp;</P><P>&nbsp;</P><P><STRONG>Issue</STRONG></P><P>When someone tries to connect to the server they can get to the port, but TLS connection cant be authenticated so it closes the connection. Not sure what's going on.&nbsp;</P><P>&nbsp;</P><P><STRONG>Attempts to resolve.&nbsp;</STRONG></P><P>I tried to allow any port to go through, anyone in the internet can go through.</P><P>Device Firewall has inbound and outbound ports allowed access.&nbsp;</P><P>in the Initial access control policy, I changed it from</P><P>SC: Any, Destination: Private IP&nbsp; to&nbsp; SC: Any, Destination: public IP.&nbsp;</P><P>&nbsp;</P><P><STRONG>Temp solution:&nbsp;</STRONG></P><P>What seems to work at the moment is when I set up the rule action from&nbsp; Allowed to Trust it let the connection through and TLS authentication was a success, files can be transferred etc. Now if I understand correctly Trust doesn't monitor and basically allowed anything just to go through. Not sure if I want that.&nbsp;</P><P>&nbsp;</P><P>Does anyone know why it's having this issue? The ASA isn't super configured so it can be assumed that it's a brand new ASA with very little configuration.&nbsp;</P> Fri, 17 Jun 2022 16:07:32 GMT https://community.cisco.com/t5/network-security/our-asa-is-blocking-filezilla/m-p/4633871#M1091026 JBrav0 2022-06-17T16:07:32Z https://community.cisco.com/t5/network-security/our-asa-is-blocking-filezilla/m-p/4634540#M1091046 <P>What are you using to transfer files? (FTP,SCP, sFTP, etc.)</P> <P>So, Trust means just that you will bypass the SNORT process so the rule only acts as a regular ASA access-list rule. However, if you do have something in the rule that requires SNORT to process it and make a verdict on it, then the packet will be sent to SNORT even though you have it configured as trust.&nbsp; an example of this would be if you are using Application instead of, or as well as Port, then the packet will be sent to SNORT for processing Application.&nbsp; If you also have IPS configured for that rule then IPS will also be processed.&nbsp; The only way to truely circumvent SNORT is to either not configure anything that would require SNORT to process the packet or to configure the rule in pre-filter.</P> Sun, 19 Jun 2022 21:37:24 GMT https://community.cisco.com/t5/network-security/our-asa-is-blocking-filezilla/m-p/4634540#M1091046 Marius Gunnerud 2022-06-19T21:37:24Z