topic Cisco ASA 5512-x FTP : 425 no data connection in Network Security

Cisco ASA 5512-x FTP : 425 no data connection

madismannik — Tue, 12 Mar 2019 03:52:49 GMT

Hello,

I am looking for help regarding to FTP connection to external FTP server. Client computer is located behind Cisco Firewall and FTP resides in ISP server. So the problem is connecting from our internal network to external networks FTP server.I can open FTP connection to server but whenever I try to transfer data, I get 425 error. Probably another stupid mistake, but I cannot identify the problem correctly. I am using Service-policy which is inspecting FTP protocol. My guess is that this is related to NAT. I have debugged and looked at TCP translation and this one is made from my(client) computer to external FTP server.

Attached configuration file.

X.X.X.X reffers to our public IP.

TCP translations regarding FTP connection :

%ASA-6-302303: Built TCP state-bypass connection 50120 from Outside:194.126.124.166/21 (194.126.124.166/21) to Inside:192.168.0.94/14327 (X.X.X.X /14327)

Re:Cisco ASA 5512-x FTP : 425 no data connection

Maykol Rojas — Mon, 03 Mar 2014 15:58:28 GMT

Hi!

Well your problem is right there. Since there is a TCP state bypass connection being build for this, that means that the inspection is not going to work (if active ftp is being used)

Is there an specific reason why u have this turned on? Have u try a PSV ftp connection?

Mike

Sent from Cisco Technical Support Android App

Cisco ASA 5512-x FTP : 425 no data connection

INGENIERIA Y CONSULTORIAS WEBREDES LTDA — Mon, 03 Mar 2014 17:40:31 GMT

try this command.

no fixup protocol ftp 21

this is an ancient pix command that still works on my ASA 5520, this command uninspect the ftp traffic and would enable the DATA passing thru the ASA, remember that FTP is the only protocol that does not use OSI model to transfer (due the lack of knowledge of the Programing skills on the coder of FTP Protocol).

then you had 2 TCP ports (TCP-20 - for data, TCP-21 for control) and you might be using 2 of the formats of comunicating with the server (ACTIVE or PASSIVE).

if you'll using Passive (PASV command), then requires to create an dynamic port to receive the traffic comming from outside, and if you had enabled the inspect for protocol, you could find some troubles to get this done.

so try this and tell us how is going on.

best regards, had a great day, and please rate if you'll find this post useful

Cisco ASA 5512-x FTP : 425 no data connection

Maykol Rojas — Mon, 03 Mar 2014 19:06:52 GMT

You do not EVER remove the FTP inspection if you are going through NAT and an ASA firewall.

Depending on the scenario (In this case the client inside the firewall) Active FTP will never EVER work. You will need to have a static translation for every client and allowing traffic statically to those clients on the inside network.

You ask to disable the FTP inspection? If you take a look at the log, a TCP state bypass session is created. It means that all inspections are being bypassed at this point inclunding the FTP one.

Check why the Bypass is configured and exclude the FTP traffic so the FTP inspection engine can work, I assure you that is the problem.

Mike

Cisco ASA 5512-x FTP : 425 no data connection

chetansharma2 — Tue, 04 Mar 2014 04:18:23 GMT

Hi,

i think if u are using Active FTP: then you need to open the port 20 access from Outside to inside network....

FTP inspection is required in case of Passive FTP , for opening of dynamically ports automatically

Re: Cisco ASA 5512-x FTP : 425 no data connection

madismannik — Tue, 04 Mar 2014 10:47:21 GMT

Unfortunately we have to use tcp bypass because of our different outlets which are connected using VPN by our ISP.

Anyways, I tried making NAT rules

nat (Outside,Inside) source static la02.neti.ee interface destination static MyCompany MyCompany service FTPActive2 FTPActive2

nat (Outside,Inside) source static la02.neti.ee interface destination static MyCompany MyCompany service FTPActive FTPActive

FTPActive - Sport 20 - Dport any

FTPActive - Sport 21 - Dport any

First I used Windows explorer to connect FTP serve. I can connect and transfer files but problem is related to Windows command line utility which cannot establish data connection. I can connect, login to FTP but unable to transfer file, list directory etc..

No fixup protocol did not give any effect at all.

Thank you for help so far.

Re: Cisco ASA 5512-x FTP : 425 no data connection

Maykol Rojas — Tue, 04 Mar 2014 17:52:58 GMT

Hi;

Well you need to take out the FTP traffic from your bypass list. Do the following

access-list Internal line 1 deny tcp host 192.168.0.94 host 194.126.124.166

Make sure that the inspection is there and try the connection again from 192.168.0.94.

If it works you may need to do this for the rest of the subnets when going only to that destination.

To be honest given the fact that you have everything with TCP state bypass, I would have use a Router rather than the ASA, because you are killing its best features by putting the bypass.

Mike

Hi, This did not make any

madismannik — Fri, 14 Mar 2014 10:42:59 GMT

Hi,

This did not make any difference as far as I can see. Any more things to try?

Thanks!