topic Re: ASA5505 - Active FTP will not pass through in Network Security

ASA5505 - Active FTP will not pass through

Kenzie6964 — Tue, 12 Mar 2019 02:52:13 GMT

Hi,

Please be gentle with me as I'm still learning Cisco

I'm trying to configure our Cisco ASA 5505 to allow Active mode FTP connections through. We have a user that uses some bespoke software that connects to a client via FTP in active mode.

When using the packet tracer. The packets fail by the DENY implicit incoming Rule (please see below). This rule looks as though it cannot be editted although as seen in my screen shot there are 2 rules very similiar?

inspect FTP is enabled and always has been enabled.

ASA5505 - Active FTP will not pass through

Jouni Forss — Tue, 15 Oct 2013 11:59:20 GMT

Hi,

Seems according to the above picture that your might be entering wrong information to the "packet-tracer". The Output/Input interface both should NOT be "inside"

If we were to believe the output then it would mean that both the user and the destination server was behind the same interface on the ASA?

Is there a chance to see your firewall configuration in CLI format wihtout any public IP addresses or other sensitive information? This would be the best way for me personally atleast to check any problems with the configurations.

- Jouni

ASA5505 - Active FTP will not pass through

Kenzie6964 — Tue, 15 Oct 2013 12:22:13 GMT

Thanks for the reply. Could you confirm the best command to run to confirm this? Show running-config would display all my infomation so is there something that would be better suited?

Thanks

ASA5505 - Active FTP will not pass through

Kenzie6964 — Tue, 15 Oct 2013 12:31:00 GMT

Hi,

Sorry just to confirm with the packet tracer. I am trying to connect to a FTP server that is external to my network. The mode that the external FTP server connects through is 'Active' and that seems to be where we are having issues.

Just retried the packet tracer with same results?

ASA5505 - Active FTP will not pass through

Jouni Forss — Tue, 15 Oct 2013 12:47:30 GMT

Hi,

If you are testing outbound FTP connection from your LAN then you should use the following information

Interface: inside
Source IP address: 192.168.1.3
Destination IP address:

This is because the connection initiation for the FTP Control connection (TCP/21) will naturally come from the LAN which is behind the "inside" interface. And the source IP address is naturally the local IP address and the destination IP address the public IP address.

Ports you can leave as they are.

- Jouni

ASA5505 - Active FTP will not pass through

Kenzie6964 — Tue, 15 Oct 2013 13:19:29 GMT

Ok, results below say that is sucesfully connected. However, the issue still persists

whats the best command to show my firewall config?

Thanks for your help

Re: ASA5505 - Active FTP will not pass through

Kenzie6964 — Tue, 15 Oct 2013 13:57:28 GMT

Just testing a through filezilla i am getting this error message:

Status: Connection established, waiting for welcome message...

Response: 550 No connections allowed from your IP

Error: Critical error

Error: Could not connect to server

Where as through windows explorer it acts as though my credentials are incorrect (although i know they arent as i have tested in a different enviroment)

Re: ASA5505 - Active FTP will not pass through

Kenzie6964 — Tue, 15 Oct 2013 14:10:00 GMT

Config attached and removed any public IP's.

ASA Version 8.2(5)
!
hostname ASA5505
domain-name cloud.local
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
name 192.168.0.73 Metalfab-IT
name 192.168.0.5 W01DC01
name 192.168.0.9 vWorkspace-Broker
name 192.168.0.12 W07DC02
name 192.168.1.18 CMVDI
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 85.13.xxx.xxx 255.255.255.240
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.0.1
name-server 8.8.8.8
name-server 4.4.2.2
name-server 4.2.2.2
name-server 4.2.2.3
domain-name cloud.local
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 8080
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3389
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3390
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3391
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3399
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0
access-list Split_Tunnel standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPsecVPN 192.168.0.40-192.168.0.45 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https vWorkspace-Broker https netmask 255.255.255.255
static (inside,outside) tcp interface www vWorkspace-Broker www netmask 255.255.255.255
static (inside,outside) tcp interface 444 vWorkspace-Broker 444 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 vWorkspace-Broker 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Metalfab-IT 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 W01DC01 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 W07DC02 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3399 CMVDI 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 85.13.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
default-domain value cloud.local
group-policy admin internal
group-policy admin attributes
dns-server value 192.168.0.5 192.168.0.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
default-domain value cloud.local
vlan none
vpn-group-policy admin
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool IPsecVPN
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *****
!
class-map in
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:192e2f08647ded2722c23e69cd68ab23
: end

Re: ASA5505 - Active FTP will not pass through

Jouni Forss — Tue, 15 Oct 2013 14:56:00 GMT

Hi,

To be honest if the "packet-tracer" that the intial control connection for the FTP goes through and gets translated and you have FTP Inspection enabled then that should be it for the ASA.

I would consider that the actual problem is on the remote end.

To me the above connection messages seem to indicate that the FTP connection (TCP/21) is formed but the server ends up rejecting it because of some local setting/rule.

So it would seem to me to be more of a problem on the server side.

Maybe the connections formed to this FTP server are limited according to the source IP address? Perhaps the remote end that manages the server have not done something they should.

Naturally as a "final" step you can always capture all traffic from a single connection attempt and those should show you exactly what is exchanged between the client and the server.

- Jouni

Re: ASA5505 - Active FTP will not pass through

Kenzie6964 — Tue, 15 Oct 2013 15:03:42 GMT

Thanks very much.

I did suspect this to start with however I wanted to explorer every other avenue before contacting the remote end. I will check with wireshark to get a definitive answer.

Re: ASA5505 - Active FTP will not pass through

Jouni Forss — Tue, 15 Oct 2013 15:09:35 GMT

Hi,

You can also take a capture on the ASA. I guess that is easy to do on the ASDM side.

Naturally when your on the actual host its probably easier just to take the capture there

I guess the capture on the ASA might be usefull in situation where you dont have access to an actual host on the site and are not at the site and want to remotely take the capture from the ASA.

Let me know if you want an example configuration/commands to capture on the ASA.

I tend to use it a lot and I can easily copy the files to my local computer and open them with wireshark.

- Jouni

Re: ASA5505 - Active FTP will not pass through

Kenzie6964 — Tue, 15 Oct 2013 15:12:57 GMT

That would be great if you could send me a example. Thanks

Re: ASA5505 - Active FTP will not pass through

Jouni Forss — Tue, 15 Oct 2013 15:26:25 GMT

Hi,

Well in this case since we have a single destination host and can define a specific internal host for the connection also we could just configure the ASA to capture all TCP traffic between the hosts.

First we configure an ACL that tells the ASA what traffic should be captured

access-list FTP-CAP permit tcp host host

We define the ACL so that it defines both direction of the traffic. Option would be to copy 2 captures. One for each direction. This might be usefull if there is going to be a large amount of traffic as the ASA per capture buffer is capped near 35MB.

Then we use the actual "capture" command

capture FTP-CAP access-list FTP-CAP interface inside buffer 3350000 circular-buffer

In the above comamnd we define the following

Capture name is FTP-CAP
Access-list that defines the captured traffic is named FTP-CAP (ACL and Capture name dont have to match, I just find it simple to do it that way)
Interface where we take the capture is "inside"
The buffer memory size for this capture is around 33,5MB (almost the maximum for a single capture) You can set this to a lot lower though since we probably wont see that many KB of traffic.
We define Circular Buffer which essentially means that when the ASA reaches the maximum buffer size then it start overwriting the old information. This is good for situation when you have to leave the capture on for a long time (and the traffic matching the capture is light) and are more concerned about the latest information captured (waiting for some problems situation happen again for example when troubleshooting)

The capture configuration above wont show up in the configurations.

One important thing to consider when configuring the ACL is that depending on which interface you take the capture you might have to change the IP address. In this case since we use the local interface the ASA will see the original host IP address. If you were to take the capture from the external interface of the ASA you would have to change the local IP address to the hosts public NAT IP address. And if that NAT IP address is a shared PAT IP it would potentially capture a lot of traffic from others hosts (this is why I used the internal interface/ip in this example)

You can view all the captures and if they have captured any data with command

show capture

You can view the contents of a particular capture by adding the capture name to the command

show capture FTP-CAP

I dont use this much except for simple captures.

To copy the capture a host with TFTP use the following command

copy /pcap capture:FTP-CAP tftp://x.x.x.x/FTP-CAP.pcap

To remove the capture and its data use

no capture FTP-CAP

You will have to remove the ACL separately

Hope this helps

Please let us know when you hear back from the remote end.

- Jouni

Re: ASA5505 - Active FTP will not pass through

johnlloyd_13 — Tue, 15 Oct 2013 15:52:47 GMT

Hi Jouni,

Awesome command/trick you've got!

Do you happen to create a CSC doc for this? 🙂

Sent from Cisco Technical Support iPhone App

ASA5505 - Active FTP will not pass through

Jouni Forss — Tue, 15 Oct 2013 16:07:46 GMT

Hi,

There is one older document made here on CSC regarding captures

https://supportforums.cisco.com/docs/DOC-1222

Though naturally that doesnt stop from making my own.

I would still have a lot to add my NAT document on the CSC but just can't seem to find the correct time/moment to go into that. Maybe its because I work all day and then go home and start replying to posts on the CSC I must be mad

- Jouni

Re: ASA5505 - Active FTP will not pass through

johnlloyd_13 — Tue, 15 Oct 2013 16:17:35 GMT

Yeah saw that one earlier and I understand what you mean. Look at me still checking CSC on my iphone 🙂

It would be cool though if you can create one coz your line of thought is much better.

Sent from Cisco Technical Support iPhone App

ASA5505 - Active FTP will not pass through

Kenzie6964 — Wed, 16 Oct 2013 17:03:44 GMT

Hello,

it seems that there was a connection issue between our client and the Remote FTP server. This has been resolved now however active mode still will not connect through.

If I was to strip out some logs and PM to you would you be able to cast your eye over them? I'm not entirely sure what I am looking for? I'm still convinced that there is a issue at the remote server side; however I need to be 100% sure before i can hand it back to them

Thanks for your help with this.

ASA5505 - Active FTP will not pass through

Jouni Forss — Wed, 16 Oct 2013 17:24:04 GMT

Hi,

Sure, you can send the logs. Though generally I troubleshoot FTP related issues with traffic captures. And even in those situations there is usually different people that work with the actual clients and servers when I provide the information on what I see in the logs and captures

- Jouni

ASA5505 - Active FTP will not pass through

Kenzie6964 — Wed, 16 Oct 2013 17:26:45 GMT

Hi,

I've just found a configuration fault within the software being used. I'm just waiting on someone to test the changes I have made. Should hopefully the resolve the issue.
I will keep you updated. I'll be furious if this resolves things after everything we've gone through!

ASA5505 - Active FTP will not pass through

Jouni Forss — Wed, 16 Oct 2013 17:35:02 GMT

Ok,

Hopefully it corrects the problem

- Jouni