https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4974726#M1106708 <P>are this issue solved ?<BR />MHM</P> Sat, 09 Dec 2023 01:26:05 GMT MHM Cisco World 2023-12-09T01:26:05Z https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4971522#M1106540 <P>Hello</P><P>I am stuck when trying to use FTP protocol between my Computer and my ASA 5505 using Putty.<BR />I am trying to download the "asa923-k8.bin" file from my ASA (192.168.2.254) to my PC (at this place: C:\Users\Admin\).</P><P>On ASA, into the INSIDE section, I've created a rule to permit FTP and FTP-DATA traffic.<BR />When passing the command into CLI I get a "Permission denied" error message.</P><P>See the error:</P><P>ciscoasa# copy <A href="ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin" target="_blank" rel="noopener">ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin</A> disk0:/asa923-$<BR />Address or name of remote host [192.168.2.254]? 192.168.2.254<BR />Source username? xxxx (correct username)<BR />Source password? xxxx (correct password)<BR />Source filename [asa923-k8.bin]? asa923-k8.bin<BR />Destination filename [asa923-k8.bin]? C:\Users\Admin\asa923-k8.bin<BR />Accessing <A href="ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin" target="_blank" rel="noopener">ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin</A>...<BR />%Error opening <A href="ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin" target="_blank" rel="noopener">ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin</A> (Permission denied)</P><P><BR />Below my confguration:</P><P>interface Ethernet0/0<BR />switchport access vlan 2<BR />!<BR />interface Ethernet0/1<BR />interface Ethernet0/2<BR />!<BR />interface Ethernet0/3<BR />switchport access vlan 3<BR />shutdown<BR />!<BR />interface Ethernet0/4<BR />shutdown<BR />!<BR />interface Ethernet0/5<BR />shutdown<BR />!<BR />interface Ethernet0/6<BR />switchport access vlan 3<BR />shutdown<BR />!<BR />interface Ethernet0/7<BR />switchport access vlan 3<BR />shutdown<BR />!<BR />interface Vlan1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.2.254 255.255.255.0<BR />!<BR />interface Vlan2<BR />nameif outside<BR />security-level 0<BR />ip address 192.168.1.50 255.255.255.0<BR />!<BR />interface Vlan3<BR />no forward interface Vlan1<BR />nameif DMZ<BR />security-level 0<BR />ip address 192.168.3.254 255.255.255.0<BR />!<BR />ftp mode passive<BR />dns domain-lookup outside<BR />object network obj_any<BR />subnet 0.0.0.0 0.0.0.0<BR />object network INTERNET<BR />subnet 192.168.1.0 255.255.255.0<BR />description Connexion Orange Box<BR />object network LAN-PRIVE<BR />subnet 192.168.2.0 255.255.255.0<BR />description Lan prive<BR />access-list RESEAU_PRIVE_access_in extended permit icmp any any<BR />access-list RESEAU_PRIVE_access_in extended permit ip any any<BR />access-list RESEAU_EXTERNE_access_in extended permit icmp any any<BR />access-list RESEAU_EXTERNE_access_in extended permit ip any any<BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu inside 1500<BR />mtu outside 1500<BR />mtu DMZ 1500<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />!<BR />object network obj_any<BR />nat (inside,outside) dynamic interface<BR />access-group RESEAU_PRIVE_access_in in interface inside<BR />access-group RESEAU_EXTERNE_access_in in interface outside<BR />route outside 0.0.0.0 0.0.0.0 192.168.1.10 1<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />user-identity default-domain LOCAL<BR />aaa authentication http console LOCAL<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 outside<BR />http 192.168.2.0 255.255.255.0 inside<BR />http 192.168.3.0 255.255.255.0 DMZ<BR />no snmp-server location<BR />no snmp-server contact<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto ca trustpoint _SmartCallHome_ServerCA<BR />no validation-usage<BR />crl configure<BR />crypto ca trustpool policy<BR />telnet timeout 5<BR />no ssh stricthostkeycheck<BR />ssh timeout 5<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0</P><P>threat-detection basic-threat<BR />threat-detection scanning-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />ssl server-version any<BR />username cisco password xxxxxxxxxxxxx encrypted privilege 15<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect rsh<BR />inspect rtsp<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect skinny<BR />inspect sunrpc<BR />inspect xdmcp<BR />inspect sip<BR />inspect netbios<BR />inspect tftp<BR />inspect ip-options<BR />!</P><P>ACL</P><P>ciscoasa# show access-list<BR />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<BR />alert-interval 300<BR />access-list RESEAU_PRIVE_access_in; 4 elements; name hash: 0x67900528<BR />access-list RESEAU_PRIVE_access_in line 1 extended permit icmp any any (hitcnt=922) 0x3c3b4189<BR />access-list RESEAU_PRIVE_access_in line 2 extended permit ip any any (hitcnt=11984) 0x44b06c92<BR />access-list RESEAU_PRIVE_access_in line 3 extended permit tcp object LAN-PRIVE any object-group DM_INLINE_TCP_1 (hitcnt=0) 0xefe3b9e9<BR />access-list RESEAU_PRIVE_access_in line 3 extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp (hitcnt=0) 0x9454988a<BR />access-list RESEAU_PRIVE_access_in line 3 extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data (hitcnt=0) 0x37076d66<BR />access-list RESEAU_EXTERNE_access_in; 2 elements; name hash: 0xe040391b<BR />access-list RESEAU_EXTERNE_access_in line 1 extended permit icmp any any (hitcnt=0) 0x13c5ed7a<BR />access-list RESEAU_EXTERNE_access_in line 2 extended permit ip any any (hitcnt=162) 0x71d1f8d3<BR />ciscoasa#</P><P>Many thanks for your help<BR />Damien</P> Tue, 05 Dec 2023 09:45:31 GMT https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4971522#M1106540 Damien2 2023-12-05T09:45:31Z https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4974726#M1106708 <P>are this issue solved ?<BR />MHM</P> Sat, 09 Dec 2023 01:26:05 GMT https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4974726#M1106708 MHM Cisco World 2023-12-09T01:26:05Z https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4974748#M1106710 <P>No the issue is not fixed at all, I couldn't find the root cause. Can you help ?</P> Sat, 09 Dec 2023 06:28:53 GMT https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4974748#M1106710 Damien2 2023-12-09T06:28:53Z https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4975027#M1106712 <P>Why you use inside IP as server IP in your command?</P> <P>As I know the command is&nbsp;</P> <P>Username:password@serverIP</P> <P>Also make sure the path in server for asa image file.</P> <P>MHM</P> Sun, 10 Dec 2023 10:09:15 GMT https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4975027#M1106712 MHM Cisco World 2023-12-10T10:09:15Z https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4975447#M1106742 <P data-unlink="true">your copy FTP command should be reversed,&nbsp;<SPAN>copy disk0:/asa923-k8.bin&nbsp;</SPAN><A href="ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin" target="_blank">ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin</A>&nbsp;if you are trying to copy from the ASA to your local PC.&nbsp; Also, you do need an FTP server running on your PC and allow this connection in your local firewall on the PC if there is one enabled.</P> Mon, 11 Dec 2023 12:40:24 GMT https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4975447#M1106742 Marius Gunnerud 2023-12-11T12:40:24Z https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4978219#M1106938 <P>Hello</P><P>Many thanks for your posts.</P><P>MHM: I am using inside IP because is the ASA's ASDM IP address.</P><P>Marius:</P><P>1. I confirm a FileZilla FTP server is installed on my PC<BR />2. I can ping from my PC to the ASA Firewall =&gt; so I guess I do not need to create a rule into the Windows.<BR />3. I've tried the below command and it didn't worked out<BR />copy disk0:/asa923-k8.bin <A href="ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin" target="_blank" rel="noopener">ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin</A></P><P>Still get: %Error opening <A href="ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin" target="_blank">ftp://cisco:cisco123@192.168.2.254/asa923-k8.bin</A> (Permission denied)</P><P><BR />I've finally fixed my issue using the "ASDM File Transfer" option.</P><P>See the tutorial: <A href="https://ccnpsecuritywannabe.blogspot.com/2020/05/file-transfer-between-local-pc-and.html" target="_blank" rel="noopener">https://ccnpsecuritywannabe.blogspot.com/2020/05/file-transfer-between-local-pc-and.html</A></P><P>I will appreciate your observation regarding my use of the inside IP address.</P><P><BR />Many thanks for your help anyway.</P><P>Damien</P> Thu, 14 Dec 2023 18:38:20 GMT https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4978219#M1106938 Damien2 2023-12-14T18:38:20Z https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4978220#M1106939 <P>See my reply below</P> Thu, 14 Dec 2023 18:35:42 GMT https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4978220#M1106939 Damien2 2023-12-14T18:35:42Z https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4978222#M1106940 <P>See below</P> Thu, 14 Dec 2023 18:36:36 GMT https://community.cisco.com/t5/network-security/ftp-connexion-issue/m-p/4978222#M1106940 Damien2 2023-12-14T18:36:36Z