topic FTP issue through Firewall(2) in Network Security

FTP issue through Firewall(2)

Kevin Melton — Mon, 11 Mar 2019 21:09:59 GMT

***This is the 2nd instance of this post. I had to post it again, as I had inadvertently hit "ANSWERED" on the original post. The question is still "NOT ANSWERED".

Here is the original post...

I have a very interesting problem at a client site this morning. Here is a summary of the problem in a nutshell.

This specific client has set up FTP to an FTP server in a DMZ at their Headquarters building. They have two Production servers that send FTP data to the box in the DMZ. The 1st of the two servers sending FTP data is located on the inside network (they use an ASA with a inside, outside, DMZ, WAN) and sends the FTP data into the box on the DMZ.

The 2nd of the two production servers is located across the WAN interface of the ASA.

The issue is as follows: Server 1 can perform all of its ftp commands correctly once it has connected to the FTP server in the DMZ. Server 2 can log into the FTP server and authenticate successfully, but when a "ls" command or and "dir" command is issued, there is no response (the contents of the root folder are not listed as they are when the same command is issued on the 1st server).

I have been running sniffer on the FTP server in the DMZ, but cannot tell from the traces what is wrong. I have a hard time beleiving that this may be an ACL issue, as if FTP was not allowed coming in from the WAN interface, then they would not have the ability to authenticate.

I am wondering if anyone has seen behavior like this before...

Thanks for any help or insight.

Kevin

Re: FTP issue through Firewall(2)

lcaruso — Wed, 10 Aug 2011 18:43:58 GMT

Is FTP inpsection enabled? If so, you might try turning that off.

Is ftp mode passive enabled? If so, you might try changing that to ftp mode active.

Just a couple of quick and easy ideas to try. Hope it helps.

Re: FTP issue through Firewall(2)

lcaruso — Wed, 10 Aug 2011 18:46:25 GMT

conversely, if you don't have FTP Inspection enabled, turn it on and see what happens.

FTP issue through Firewall(2)

Kevin Melton — Wed, 10 Aug 2011 20:05:56 GMT

Well I was able to take the inspect FTP out of the policy map global. Unfortunantly this had no bearing on resolving the issue. We are still able to log into the ftp server from the Production Server on the other side of the WAN interface, but cannot do an ls or a dir command.

Thanks for the response anyhow.

FTP issue through Firewall(2)

ajay chauhan — Thu, 11 Aug 2011 13:05:15 GMT

Seems to be a active/passive FTP mode issue change the mode and try.

thanks

ajay

FTP issue through Firewall(2)

Kevin Melton — Thu, 11 Aug 2011 18:42:08 GMT

Actually it did seem to be the differnece betweent the two. I found an article and ended up opening ephemeral ports and that allowed the connection to occur.

thx

FTP issue through Firewall(2)

NAGISWAREN2 — Fri, 12 Aug 2011 02:35:05 GMT

Try to allow all port between WAN to DMZ FTP server IP address...in acl..