topic Firewall ASA Blocking ftp session in Network Security

Firewall ASA Blocking ftp session

zain_gabon — Mon, 11 Mar 2019 20:58:29 GMT

Dear Support,

I have a strange issue, since yesterday, my Cisco ASA not alloed ftp session.

when i tried a ftp on a server, i have this error message from my server.

C:\>ftp 10.3.1.18

> ftp: connect :Numéro d'erreur inconnu

c:\>

the server 10.3.1.18 is behind the firewall in my DMZ.

whith the packet tracer, the result is allowed.

Regards

Firewall ASA Blocking ftp session

varrao — Wed, 13 Jul 2011 11:31:26 GMT

Hi Zain,

Could you provide the configuration from the firewall?? we might need to take captures as well to isolate if its an issue with the ASA or the FTP server. Moreover can u tell me if you are usind active ftp or passive ftp??

Thanks,

Varun

Firewall ASA Blocking ftp session

zain_gabon — Wed, 13 Jul 2011 11:44:15 GMT

Dear Varun,

the ftp mode is here

ga-asa-fw01# sh run ftp

ftp mode passive

ga-asa-fw01# ga-asa-fw01# sh run ftp
ftp mode passive
ga-asa-fw01#

Regards

Firewall ASA Blocking ftp session

varrao — Wed, 13 Jul 2011 11:56:09 GMT

Hi Zain,

Thanks for the information, although this is not the right information that we need, this mode is the the mode for tftp from or to the firewall, not for connection going through the firewall. I would request you to provide me the running-config from your firewall so that I can take a look at it and suggest you the correct capture commands to identify the cause. Also do you get anything on the ASA logs when the connection is denied???

Varun

Firewall ASA Blocking ftp session

zain_gabon — Wed, 13 Jul 2011 12:17:28 GMT

Dear Varun,

Find my configuration

: Saved

: Written by enable_15 at 13:05:32.389 CA Wed Jul 13 2011

ASA Version 8.2(2)

hostname ga-asa-fw01

domain-name ga.airtel.com

enable password v6SfSHGPNOg9Rn4j encrypted

passwd 0lvchVuN4vCKANGn encrypted

names

name 10.3.4.0 Vlan10

name 192.168.12.0 Vlan12 description Users Vlan 12

name 10.3.4.15 LAN_DNS1

name 10.3.4.16 LAN_DNS2

name 217.113.64.1 PUBLIC_DNS1

name 217.113.64.2 PUBLIC_DNS2

name 213.208.241.41 HQSigosServer1

name 213.208.241.42 HQSigosServer2

name 213.208.241.43 HQSigosServer3

name 217.113.76.131 PublicIP_DMZIcsServer description ICS Public IP

name 10.3.1.17 DMZIcsServer description DMZ ICS Server

name 10.3.1.0 DMZNetwork description DMZ Network

name 10.3.1.18 DMZFtpServer description DMZ FTP Server

name 192.168.1.160 M-Commerce_160

name 192.168.1.188 M-Commerce_188

name 192.168.1.191 M-Commerce_191

name 192.168.1.193 M-Commerce_193

dns-guard

interface GigabitEthernet0/0

nameif WanInterface

security-level 0

ip address 10.10.10.10 255.255.255.224

ospf cost 10

interface GigabitEthernet0/1

speed 1000

duplex full

nameif LanInterface

security-level 100

ip address 10.3.4.2 255.255.252.0

ospf cost 10

interface GigabitEthernet0/2

speed 1000

duplex full

nameif DmzInterface

security-level 50

ip address 10.3.1.1 255.255.255.0

ospf cost 10

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

management-only

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone CA 1

dns domain-lookup WanInterface

dns domain-lookup LanInterface

dns domain-lookup DmzInterface

dns domain-lookup management

dns server-group DefaultDNS

name-server LAN_DNS1

name-server LAN_DNS2

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network LanNetworks

network-object Vlan13 255.255.255.0

network-object OfficeLANWifi 255.255.255.0

network-object Vlan10 255.255.252.0

network-object Vlan11 255.255.255.0

network-object host Consultant_Ericsson

network-object host consultant2_ERICSSON

network-object host Consultant4_Africa

network-object host Consultant3_ERICSSON

network-object host Consultant-ERICSSON

network-object Vlan14 255.255.255.0

network-object host Machine_Charly

network-object Vlan12 255.255.255.0

network-object DG-HOME 255.255.255.0

object-group service WEB_SERVICES

service-object tcp eq ftp

service-object tcp eq ftp-data

service-object tcp eq www

group-object web_sg

group-object vpn_sg

group-object messengers_sg

service-object tcp-udp eq 593

service-object tcp-udp eq 6001

service-object tcp-udp eq 6002

service-object tcp-udp eq 6004

service-object tcp-udp eq 7870

service-object tcp eq ssh

service-object tcp eq 8

service-object icmp

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object tcp eq 3101

service-object tcp eq https

service-object tcp eq 9450

service-object udp eq 8889

service-object tcp eq 8181

object-group service dns_sg tcp-udp

port-object eq domain

object-group service ftp_sg tcp

port-object eq ftp

port-object eq ftp-data

object-group service ftp-http-ssh_sg tcp

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

object-group service mssql_resolver_tcp tcp

port-object eq 1434

object-group service mssql_resolver_udp udp

port-object eq 1434

object-group service mssql_tcp tcp

port-object eq 1433

object-group service mssql_udp udp

port-object eq 1433

object-group service african1_tcp tcp

port-object eq 8030

object-group service erc_mgw_sg tcp

port-object eq 5001

object-group service mvoucher_tcp tcp

port-object eq 1024

object-group service rdc_tcp tcp

port-object eq 3389

object-group service http-https_sg tcp

port-object eq www

port-object eq https

access-list LanInterface_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group TechMahindra any

access-list LanInterface_access_in remark FULL ACCESS

access-list LanInterface_access_in extended permit ip object-group DM_INLINE_NETWORK_2 any

access-list LanInterface_access_in extended permit object-group WEB_SERVICES object-group LanNetworks any

access-list LanInterface_access_in remark Internal Local DNS to Public ISP DNS

access-list LanInterface_access_in extended permit object-group DNS_SERVICES object-group LAN_DNS object-group PUBLIC_DNS_ISP

access-list LanInterface_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any

access-list LanInterface_access_in extended permit ip object-group LanNetworks DMZNetwork 255.255.255.0

access-list LanInterface_access_in extended permit object-group EDCH_FTP object-group EMM_GRP_EDCH object-group DM_INLINE_NETWORK_3

access-list LanInterface_access_in remark OfficeLANSigosBox any

access-list LanInterface_access_in extended permit ip host OfficeLANSigosBox object-group HQSigosServerGroup

access-list LanInterface_access_in remark LanPlanet_to_HQPlanetEVServers

access-list LanInterface_access_in extended permit ip host LAN_Planet_EV object-group HQPlanetEVServersGroup

access-list LanInterface_access_in extended permit ip MPBN_NETWORK 255.255.0.0 DMZNetwork 255.255.255.0

access-list LanInterface_access_in extended permit ip object-group RA-GABON object-group RA-AMSTERDAM

access-list LanInterface_access_in extended permit ip Vlan10 255.255.252.0 HQ_NETWORK 255.255.254.0

access-list LanInterface_access_in extended permit ip object-group M-Commerce_Grp object-group Oberthur_Net

access-list LanInterface_access_in extended permit ip host ZAIN_SERVER_VPN_BGFI host BGFI_SERVER_VPN

access-list LanInterface_access_in extended permit ip object-group COMVIVA-LOCAL-GROUP object-group COMVIVA-REMOTE

access-list LanInterface_access_in extended permit ip object-group PUSHMAIL-GABON object-group PUSHMAIL-AMS

access-list LanInterface_access_in extended permit ip object-group NEW-GABON object-group NEW-AMSTERDAM

access-list LanInterface_access_in extended permit ip host COMVIVA_SMSC_26 object-group NIGERIA-GROUP-VPN

access-list LanInterface_access_in extended permit ip host PPSMAIN host MACH-FTP-SERVER

access-list DmzInterface_access_in extended permit ip DMZNetwork 255.255.255.0 any

access-list WanInterface_access_in remark UniverseSMTP_to_GatewaySMTPServer & OutlookWebAccess

access-list WanInterface_access_in extended permit tcp any host MailPublic object-group owa_sg

access-list WanInterface_access_in remark Universe_to_DMZFtpServer

access-list WanInterface_access_in extended permit tcp any host PublicIP_DMZFtpServer object-group ftp_sg

access-list WanInterface_access_in remark Universe_to_DMZIcsServer

access-list WanInterface_access_in extended permit ip object-group HQSigosServerGroup host PublicIP_DMZIcsServer

access-list WanInterface_access_in remark Universe to Citrix

access-list WanInterface_access_in extended permit tcp any host PublicIP_DMZIcsServer object-group DM_INLINE_TCP_3

access-list WanInterface_access_in extended permit tcp any object-group ASTELLIA_GROUP_SERVERS object-group DM_INLINE_TCP_6

access-list WanInterface_access_in extended permit object-group OTA_SERVICES host Client_OTA host PublicIP_DMZFtpServer

access-list WanInterface_access_in extended permit object-group EDCH_FTP host EDCH_SERVER_VPN object-group EMM_GRP_EDCH

access-list WanInterface_access_in extended permit ip object-group Oberthur_Net object-group M-Commerce_Grp

access-list WanInterface_access_in extended permit object-group Monitoring host ROUTER_ISP interface WanInterface

access-list WanInterface_access_in extended permit ip host BGFI_SERVER_VPN host ZAIN_SERVER_VPN_BGFI

access-list WanInterface_access_in extended permit ip object-group COMVIVA-REMOTE object-group COMVIVA-LOCAL-GROUP

access-list WanInterface_access_in extended permit ip host MACH-FTP-SERVER host PPSMAIN

access-list LanInterface_nat0_outbound extended permit ip host PPSMAIN host EDCH_SERVER_VPN

access-list LanInterface_nat0_outbound extended permit ip object-group RA-GABON object-group RA-AMSTERDAM

access-list LanInterface_nat0_outbound extended permit ip Vlan10 255.255.252.0 HQ_NETWORK 255.255.254.0

access-list LanInterface_nat0_outbound extended permit ip MPBN_NETWORK 255.255.0.0 DMZNetwork 255.255.255.0

access-list LanInterface_nat0_outbound extended permit ip object-group M-Commerce_Grp object-group Oberthur_Net

access-list LanInterface_nat0_outbound extended permit ip object-group MASIYA_GROUP 192.168.4.0 255.255.255.0

access-list LanInterface_nat0_outbound extended permit ip object-group GroupLocal_VPN 192.168.6.0 255.255.255.0

access-list LanInterface_nat0_outbound extended permit ip Vlan10 255.255.252.0 DMZNetwork 255.255.255.0

access-list LanInterface_nat0_outbound extended permit ip host ZAIN_SERVER_VPN_BGFI host BGFI_SERVER_VPN

access-list LanInterface_nat0_outbound extended permit ip object-group COMVIVA-LOCAL-GROUP object-group COMVIVA-REMOTE

access-list LanInterface_nat0_outbound extended permit ip Vlan10 255.255.252.0 ROAMWARE_VPN_NETWORK 255.255.248.0

access-list LanInterface_nat0_outbound extended permit ip object-group NEW-GABON object-group NEW-AMSTERDAM

access-list LanInterface_nat0_outbound extended permit ip host NAT-FROM-NIGERIA object-group NIGERIA-GROUP-VPN

access-list LanInterface_nat0_outbound extended permit ip host PPSMAIN host MACH-FTP-SERVER

access-list WanInterface_2_cryptomap extended permit ip Vlan10 255.255.252.0 HQ_NETWORK 255.255.254.0

access-list WanInterface_nat0_outbound extended permit ip any any

access-list WanInterface_nat0_outbound extended permit ip any Vlan10 255.255.252.0

access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_2

access-list WanInterface_mpc extended permit tcp any any object-group DM_INLINE_TCP_4

access-list DefaultRAGroup_splitTunnelAcl standard permit Vlan10 255.255.252.0

access-list NAT-Nigeria extended permit ip host COMVIVA_SMSC_26 object-group NIGERIA-GROUP-VPN

access-list WanInterface_1_cryptomap extended permit ip host PPSMAIN host EDCH_SERVER_VPN

access-list tcp-traffic extended permit tcp any any

access-list WanInterface_2_cryptomap_1 extended permit ip object-group M-Commerce_Grp object-group Oberthur_Net

access-list cap extended permit ip any host 192.168.158.103

access-list cap extended permit ip host 192.168.158.103 any

access-list cap extended permit ip any host 10.3.4.13

access-list cap extended permit ip host 10.3.4.13 any

access-list cap extended permit ip any host RiverBed

access-list cap extended permit ip host RiverBed any

access-list cap extended permit ip host 192.168.249.240 any

access-list WanInterface_5_cryptomap extended permit ip Vlan10 255.255.252.0 ROAMWARE_VPN_NETWORK 255.255.248.0

access-list WanInterface_6_cryptomap extended permit ip object-group NEW-GABON object-group NEW-AMSTERDAM

access-list WanInterface_7_cryptomap extended permit ip host NAT-FROM-NIGERIA object-group NIGERIA-GROUP-VPN

access-list WanInterface_8_cryptomap extended permit ip host PPSMAIN host MACH-FTP-SERVER

tcp-map allow-probes

tcp-options range 76 78 allow

pager lines 24

logging enable

logging timestamp

logging list EVENTS level errors class ip

logging monitor warnings

logging trap debugging

logging asdm informational

logging mail alerts

logging facility 16

logging class auth history emergencies

flow-export destination LanInterface SECURITYSERVER 2055

flow-export template timeout-rate 1

flow-export delay flow-create 60

mtu WanInterface 1500

mtu LanInterface 1500

mtu DmzInterface 1500

mtu management 1500

ip local pool RemoteMasiya 192.168.4.10-192.168.4.250 mask 255.255.255.0

ip local pool RemoteAirtel 192.168.6.10-192.168.6.250 mask 255.255.255.0

ip local pool ip-pool 192.168.7.10-192.168.7.20 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any LanInterface

icmp permit any DmzInterface

asdm image disk0:/asdm-625.bin

asdm location LTC_NETWORK 255.255.255.192 LanInterface

asdm location MPBN_MGMT 255.255.255.192 LanInterface

asdm location Server_121 255.255.255.255 LanInterface

asdm location 192.168.10.151 255.255.255.255 LanInterface

asdm location FlorisseDR 255.255.255.255 LanInterface

asdm location ROUTER_ISP 255.255.255.255 LanInterface

asdm location SECURITYSERVER 255.255.255.255 LanInterface

asdm location BGFI_SERVER_VPN 255.255.255.255 LanInterface

asdm location ZAIN_SERVER_VPN_BGFI 255.255.255.255 LanInterface

asdm location BAHRTI 255.255.255.255 LanInterface

asdm location Remote_SERVER 255.255.255.255 LanInterface

asdm location consultantMarketing 255.255.255.255 LanInterface

asdm location RiverBed 255.255.255.255 LanInterface

asdm location Public_Riverbed 255.255.255.255 LanInterface

asdm location PROXY_AFRICA 255.255.255.255 LanInterface

asdm location Consultant-ERICSSON 255.255.255.255 LanInterface

asdm location Consultant3_ERICSSON 255.255.255.255 LanInterface

asdm location Consultant4_Africa 255.255.255.255 LanInterface

asdm location DC 255.255.255.255 LanInterface

asdm location consultant2_ERICSSON 255.255.255.255 LanInterface

asdm location MOUSTINGA 255.255.255.255 LanInterface

asdm location CSR 255.255.255.0 LanInterface

asdm location CONSULTANT_IBM 255.255.255.255 LanInterface

asdm location 192.168.11.27 255.255.255.255 LanInterface

asdm location Consultant_COMVIVA 255.255.255.255 LanInterface

asdm location Consultant_Ericsson 255.255.255.255 LanInterface

asdm location Consultant_TECH-MAHINDRA 255.255.255.255 LanInterface

asdm location Consultant6_ERICSSON 255.255.255.255 LanInterface

asdm location RoamUpgrade_185 255.255.255.255 LanInterface

asdm location RoamUpgrade_186 255.255.255.255 LanInterface

asdm location RoamUpgrade_189 255.255.255.255 LanInterface

asdm location RoamUpgrade_194 255.255.255.255 LanInterface

asdm location MAMO_Server 255.255.255.255 LanInterface

asdm location CONSULTANT_DAF 255.255.255.255 LanInterface

asdm location Consultant2_COMVIVA 255.255.255.255 LanInterface

asdm location EMM_162 255.255.255.255 LanInterface

asdm location EMM_166 255.255.255.255 LanInterface

asdm location EMM_187 255.255.255.255 LanInterface

asdm location Machine_Charly 255.255.255.255 LanInterface

asdm location Call_Center_Network 255.255.255.0 LanInterface

asdm location 10.3.6.72 255.255.255.255 LanInterface

asdm location TM_Link7 255.255.255.255 LanInterface

asdm location TM_Link2 255.255.255.255 LanInterface

asdm location TM_Link4-6-8 255.255.255.255 LanInterface

asdm location TM_link1 255.255.255.255 LanInterface

asdm location TM_Link9 255.255.255.255 LanInterface

asdm location TM_Link10 255.255.255.255 LanInterface

asdm location TM_Link11 255.255.255.255 LanInterface

asdm location TM_Link12 255.255.255.255 LanInterface

asdm location TM_Link3-5 255.255.255.255 LanInterface

asdm location DG-HOME 255.255.255.0 LanInterface

asdm location ROAMWARE_VPN_NETWORK 255.255.248.0 LanInterface

asdm location 192.9.200.0 255.255.255.0 LanInterface

asdm location 192.168.246.0 255.255.254.0 LanInterface

asdm location 192.168.250.0 255.255.254.0 LanInterface

asdm location 192.168.252.0 255.255.254.0 LanInterface

asdm location 10.127.0.0 255.255.0.0 LanInterface

asdm location MACH-FTP-SERVER 255.255.255.255 LanInterface

no asdm history enable

arp timeout 14400

nat-control

global (WanInterface) 101 interface

global (WanInterface) 1 MailPublic netmask 255.0.0.0

global (WanInterface) 10 192.168.13.15 netmask 255.0.0.0

global (LanInterface) 1 interface

global (DmzInterface) 2 interface

nat (LanInterface) 0 access-list LanInterface_nat0_outbound

nat (LanInterface) 101 0.0.0.0 0.0.0.0

nat (DmzInterface) 1 DMZGatewaySMTP 255.255.255.255

nat (DmzInterface) 101 DMZNetwork 255.255.255.0

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 5900 OfficeLANSigosBox 5900 netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer ssh OfficeLANSigosBox ssh netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 51500 OfficeLANSigosBox 51500 netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 51501 OfficeLANSigosBox 51501 netmask 255.255.255.255

static (LanInterface,WanInterface) udp PublicIP_DMZIcsServer ntp OfficeLANSigosBox ntp netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 123 OfficeLANSigosBox 123 netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer telnet OfficeLANSigosBox telnet netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer ident OfficeLANSigosBox ident netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 51605 OfficeLANSigosBox 51605 netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 51505 OfficeLANSigosBox 51505 netmask 255.255.255.255

static (LanInterface,WanInterface) tcp 217.113.76.152 sqlnet OPTIMA sqlnet netmask 255.255.255.255

static (LanInterface,WanInterface) tcp 217.113.76.152 ftp OPTIMA ftp netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZFtpServer ssh OTA_SERVER ssh netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZFtpServer 8443 OTA_SERVER 8443 netmask 255.255.255.255

static (LanInterface,WanInterface) tcp PublicIP_DMZFtpServer 8080 OTA_SERVER 8080 netmask 255.255.255.255

static (LanInterface,WanInterface) tcp MailPublic www OfficeLANExFrontEndServer www netmask 255.255.255.255

static (LanInterface,WanInterface) tcp MailPublic https OfficeLANExFrontEndServer https netmask 255.255.255.255

static (LanInterface,WanInterface) tcp Public_Astellia_136 ftp ASTELLIA_TA115 ftp netmask 255.255.255.255

static (LanInterface,WanInterface) tcp Public_Astellia_136 www ASTELLIA_TA115 www netmask 255.255.255.255

static (LanInterface,WanInterface) tcp Public_Astellia_137 www ASTELLIA_TA116 www netmask 255.255.255.255

static (LanInterface,WanInterface) tcp Public_Astellia_137 ftp ASTELLIA_TA116 ftp netmask 255.255.255.255

static (LanInterface,WanInterface) tcp Public_Astellia_138 www ASTELLIA_TA117 www netmask 255.255.255.255

static (LanInterface,WanInterface) tcp Public_Astellia_138 ftp ASTELLIA_TA117 ftp netmask 255.255.255.255

static (DmzInterface,WanInterface) tcp MailPublic smtp DMZGatewaySMTP smtp netmask 255.255.255.255

static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp-data DMZFtpServer ftp-data netmask 255.255.255.255

static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp DMZFtpServer ftp netmask 255.255.255.255

static (DmzInterface,WanInterface) tcp PublicIP_DMZIcsServer https DMZIcsServer https netmask 255.255.255.255

static (DmzInterface,WanInterface) tcp PublicIP_DMZIcsServer www DMZIcsServer www netmask 255.255.255.255

access-group WanInterface_access_in in interface WanInterface

access-group LanInterface_access_in in interface LanInterface per-user-override

access-group DmzInterface_access_in in interface DmzInterface

route WanInterface 0.0.0.0 0.0.0.0 ROUTER_ISP 1

route LanInterface OfficeLANWifi 255.255.255.0 10.3.4.1 1

route LanInterface MPBN_NETWORK 255.255.0.0 10.3.4.93 1

route LanInterface 192.168.1.0 255.255.255.0 10.3.4.93 1

route LanInterface 192.168.3.0 255.255.255.0 10.3.4.1 1

route LanInterface Vlan8 255.255.255.0 10.3.4.1 1

route LanInterface Vlan11 255.255.255.0 10.3.4.1 1

route LanInterface Vlan12 255.255.255.0 10.3.4.1 1

route LanInterface Vlan13 255.255.255.0 10.3.4.1 1

route LanInterface Vlan14 255.255.255.0 10.3.4.1 1

route LanInterface DV_Network 255.255.255.0 10.3.4.1 1

route LanInterface PK8_Network 255.255.255.0 10.3.7.100 1

route LanInterface 192.168.140.0 255.255.255.0 10.3.4.1 1

route LanInterface 192.168.150.0 255.255.255.0 10.3.4.1 1

route WanInterface 192.168.158.103 255.255.255.255 ROUTER_ISP 1

route LanInterface Vlan160 255.255.255.0 10.3.4.1 1

route LanInterface Oloumi_Network 255.255.255.0 10.3.4.1 1

route LanInterface Call_Center_Network 255.255.255.0 10.3.7.100 1

route LanInterface Vlan180 255.255.255.0 10.3.4.1 1

route LanInterface 192.168.181.0 255.255.255.0 10.3.4.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server VPN-RADIUS protocol radius

aaa-server VPN-RADIUS (LanInterface) host SECURITYSERVER

key cisco

aaa-server VPN-RADIUS (LanInterface) host Network_Server

key cisco

aaa authentication telnet console VPN-RADIUS LOCAL

aaa authentication http console VPN-RADIUS LOCAL

aaa authentication ssh console VPN-RADIUS LOCAL

aaa authorization command LOCAL

http server enable

http Vlan10 255.255.252.0 LanInterface

http 192.168.1.0 255.255.255.0 management

http Vlan13 255.255.255.0 LanInterface

http Vlan14 255.255.255.0 LanInterface

snmp-server host LanInterface Roland_laptop community TexasAdmin version 2c udp-port 161

snmp-server host LanInterface SECURITYSERVER community TexasAdmin version 2c

snmp-server host LanInterface 10.3.6.27 community TexasAdmin

snmp-server location HQ

snmp-server contact IT Network

snmp-server community TexasAdmin

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

svc rekey time 30

svc rekey method ssl

svc ask none default webvpn

customization value DfltCustomization

group-policy phone-policy internal

group-policy phone-policy attributes

vpn-tunnel-protocol svc

group-policy AirtelPolicy internal

group-policy AirtelPolicy attributes

banner value WELCOME TO AIRTEL GABON VPN ACCESS

dns-server value 10.3.4.16 10.3.4.15

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Roland

class-map netflow-export-class

match access-list netflow-export

class-map global-class

match access-list global_mpc_1

class-map tcp-traffic

match access-list tcp-traffic

class-map inspection_default

match default-inspection-traffic

class-map voice

match dscp ef

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class tcp-traffic

set connection advanced-options allow-probes

class global-class

csc fail-open

class netflow-export-class

flow-export event-type all destination SECURITYSERVER

service-policy global_policy global

imap4s

server OfficeLANExBackEndServer

no outstanding

authorization-server-group LOCAL

default-group-policy DfltGrpPolicy

authentication piggyback

pop3s

server OfficeLANExBackEndServer

no outstanding

authorization-server-group LOCAL

default-group-policy DfltGrpPolicy

authentication piggyback

smtps

server OfficeLANExBackEndServer

no outstanding

default-group-policy DfltGrpPolicy

authentication piggyback

authorization-dn-attributes C CN

prompt hostname context

Firewall ASA Blocking ftp session

zain_gabon — Wed, 13 Jul 2011 13:30:33 GMT

Dear Varun

When i tried a ftp connexion, i have this messages

Roland_laptop|1487|DMZFtpServer|21|Built outbound TCP connection 121446 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1487 (Roland_laptop/1487)

DMZFtpServer|21|Roland_laptop|1487|Teardown TCP connection 121441 for DmzInterface:DMZFtpServer/21 to LanInterface:Roland_laptop/1487 duration 0:00:00 bytes 0 TCP Reset-O

Roland_laptop|1487|DMZFtpServer|21|Built outbound TCP connection 121438 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1487 (Roland_laptop/1487)

Firewall ASA Blocking ftp session

varrao — Wed, 13 Jul 2011 13:41:58 GMT

Hi Zain,

I'll have a look at it, plz give me some time.

Thanks,

Varun

Firewall ASA Blocking ftp session

varrao — Wed, 13 Jul 2011 18:31:14 GMT

Hi Zain,

I have gone through the error messages and you are trying to access the FTP server on the DmzInterface from a laptop on the LanInterface but you do not have any static command for it, the only command taht you ahve is for DMA to WAN interface:

static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp-data DMZFtpServer ftp-data netmask 255.255.255.255

static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp DMZFtpServer ftp netmask 255.255.255.255

You do not have any statement for DMZ to LAN interface, was it working fine earlier??????

I woudl suggest you to add the following nats:

static (DmzInterface,LanInterface) tcp PublicIP_DMZFtpServer ftp-data DMZFtpServer ftp-data netmask 255.255.255.255

static (DmzInterface,LanInterface) tcp PublicIP_DMZFtpServer ftp DMZFtpServer ftp netmask 255.255.255.255

Try it and let me know.

Thanks,

Varun

Firewall ASA Blocking ftp session

zain_gabon — Thu, 14 Jul 2011 07:22:11 GMT

Thnaks Varun

It's working fine now.

But before perfom your suggest, i put the ASA in factoty default then put the backup config again.

suddenly, it's working fine

Thanks a lot for your time

Firewall ASA Blocking ftp session

varrao — Thu, 14 Jul 2011 07:28:55 GMT

votre accueil Zain !!!!!!!

Varun