topic FTPS on cisco asa in Network Security

FTPS on cisco asa

Benjamin Saito — Tue, 12 Mar 2019 04:23:25 GMT

I have an ASA 5505 code version 9.0(3) and FTPS seems to be working with some but not others. The ones who can transfer files have full ip completely, but the ones who can't are able to authenticate but cannot transfer files. This led me to believe that this was an ACL issue, but then I looked at the logs and I am getting this error for the user that cannot connect:

tcp flow from outside:x.x.x.x/56721 to inside:x.x.x.x/21 terminated by inspection engine, reason - inspector drop reset.

Does anyone know why they would be getting this error?

Thanks in advance!

The inspection engine is

Marvin Rhoads — Thu, 26 Jun 2014 21:33:21 GMT

The inspection engine is looking at the ftp protocol and finding something objectionable in that user's sessions. Exactly what is hard to say without debugging or capturing a live failing session.

You can disable ftp inspection as follows (in global configuration mode of course):

policy-map global_policy class inspection_default no inspect ftp

That won't tell you what was making it break but it should fix the immediate issue for that user.

This is a really bad advice

cciesec2011 — Sat, 28 Jun 2014 21:35:45 GMT

This is a really bad advice and I will tell you why.

By disabling inspect ftp, you will break a lot of FTP connections.

It's not universal but I've

Marvin Rhoads — Sat, 28 Jun 2014 23:43:10 GMT

It's not universal but I've seen it fix non-working ftp (and non-working smtp and non-working sccp for their respective protocols).

What alternative do you advise the OP pursue to address his issue?

I will tell you why:Let say

cciesec2011 — Sun, 29 Jun 2014 02:32:34 GMT

I will tell you why:

Let say when you allow ftp from external to internal, normally your ACL will look like this:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

access-list outside permit tcp any host 1.1.1.1 eq 21 log

access-list outside deny ip any any log

Now when host 2.2.2.2 want to connect to 1.1.1.1 on ftp, the firewall knows that connect is ftp so it will allow inspect ftp to handle the data connection properly.

Now let say if you disable inspect ftp, when the client 2.2.2.2 connect to host 1.1.1.1 via ftp and let say he issues an "passive" to enter passive mode. Without inspect ftp, you would have to to allow:

access-list outside permit tcp any host 1.1.1.1 gt 1024

because passive allows the client to connect to the server on tcp high-ports, nature of FTP. By disabling inspect ftp, this is no longer possible thus breaking ftp connection, unless you implement the ACL above, which I don't think your security department will approve.

The alternative is to use SecureFTP or sFTP which will a perfectly secure protocol. This is 2014, not 1999. FTP and FTPs should be banned.