topic Hi, in Network Security

Active FTP not working after switch from ASA 5510 to Asa 5515-X

mn — Tue, 12 Mar 2019 08:23:33 GMT

We replaced an old asa 5510 with an Asa 5515-X.

I have configured access-lists and NAT Rules (port 20 and 21)

Passive FTP working with and without TLS.

Active FTP logs in but timeout at directory listing.

i can see the user loggin in at my FTP server.

There is no Drops on the asa, used Packet-tracer/capturing along with wireshark.

The servers Syn simply does not reach my client ?

Any Ideas. it works perfect with my 5510

also got this from a ftp tester, confirming my thoughts about TLS being breaked. (see Attachment)

Issue seems to be with the

Pulkit Saxena — Thu, 13 Oct 2016 10:38:25 GMT

Issue seems to be with the data channel, your server is on trusted network or you are accessing a server on internet.

We need to allow in access list traffic accordingly, to the real IP of nat and inspect ftp command is also required.

Pulkit

Hi Pulkit.

mn — Thu, 13 Oct 2016 10:41:43 GMT

Hi Pulkit.

The FTP server is in my datacenter (off location from office) and my client is on lan.

Ftp Srever is based on inside network of ASA and nattet to Public IP.

What inspect FTp Command are you refering to ?

Public Ip of FTP is 81.27.214.127 and public ip of client is 81.27.211.178

Hi,

Pulkit Saxena — Thu, 13 Oct 2016 10:48:33 GMT

Hi,

From the ASA perspective, if i understand correctly, your FTP server is on inside and and client is on outside. Is that correct ?

Please share the output of "show run policy-map" ?

Pulkit

Exactly, It is all clients

mn — Thu, 13 Oct 2016 10:50:36 GMT

Exactly, It is all clients from all over that hangs on showing directory list.

sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect icmp
inspect icmp error

Please answer the below :

Pulkit Saxena — Thu, 13 Oct 2016 10:55:03 GMT

Please answer the below :

a) You have static NAT or static PAT ?

b) In access list on outside interface, you have allowed traffic for the complete IP or only port ?

c) Do you have any access list on inside interface also, since data channel will be initiated by the server.

d) Please configure "ftp inspection" by the following :

policy-map global_policy
class inspection_default

inspect ftp

exit

Test and let me know.

Pulkit

I Use static NAT:

mn — Thu, 13 Oct 2016 11:01:08 GMT

I Use static NAT:

3 (outside) to (inside) source static any any destination static Pub-DK-Sync-1 Priv-DK-Sync-1 service FTP FTP no-proxy-arp

4 (outside) to (inside) source static any any destination static Pub-DK-Sync-1 Priv-DK-Sync-1 service FTP20 FTP20 no-proxy-arp

Acces_list

access-list outside_access_in line 3 extended permit tcp any host 81.27.214.178 eq ftp log informational interval 300 (hitcnt=0) 0x8665beac

access-list outside_access_in line 3 extended permit tcp any host 81.27.214.178 eq ftp-data log informational interval 300 (hitcnt=0) 0xcf5d8e2e

No ACL on inside-

I’ve tested the FTP Inspection but no luck

Hi,

Pulkit Saxena — Thu, 13 Oct 2016 11:07:22 GMT

Hi,

Issue is with the NAT, when data channel is initiated, it will not work.

Apply the following NAT :

nat (outside,inside) 1 source static any any destination static Pub-DK-Sync-1 Priv-DK-Sync-1

On the new codes, you need to allow the real IP in the access list, so the access list will be :

access-list outside_access_in line 1 permit ip any <real ip of server> eq 21

Do keep the inspect ftp.

I am pretty sure this should help resolve the issue.

Pulkit