topic ASA 8 MPF FTP Inspection Blocks FTP over SSL in Network Security

ASA 8 MPF FTP Inspection Blocks FTP over SSL

Mike Hendriks — Mon, 11 Mar 2019 19:40:35 GMT

I followed the Configuration Example below to configure MPF FTP inspection with regular expressions.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aee442.shtml

I recently had a user complain that they were unable to connect to an FTP site despite my explicit allowance in the configuration. See the attached image for the output they provided me.

The following is my MPF configuration for FTP. Any advice would be appreciated. Thanks in advance,

regex FTP_SITE1 "([0-9A-Za-z])*[Ff][Tt][Pp]\.[Aa][Kk][Cc][Ee][Ll][Ee][Rr][Aa][Nn][Tt]\.[Cc][Oo][Mm]"
regex FTP_SITE2 "Davis \+ Henderson"
regex FTP_SITE3 "Fincentric Secure FTP"

class-map type regex match-any FTP_SITES
match regex FTP_SITE1
match regex FTP_SITE2
match regex FTP_SITE3

class-map type inspect ftp match-all FTP_class_map
match not server regex class FTP_SITES

class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect ftp

policy-map type inspect ftp FTP_INSPECT_POLICY
parameters
class FTP_class_map
reset log

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Federico Coto Fajardo — Wed, 26 Jan 2011 21:57:24 GMT

Mike,

The FTP site that the user is trying to access is one of the FTP_SITES?

The global_policy is inspecting FTP (default inspection).

The FTP_INSPECT_POLICY resets FTP for the class FTP_class_map but do you have it applied with the

service-policy?

If you issue a ''show service-policy inspect ftp'' it will show if the ASA is dropping or

resetting the FTP packets.

Federico.

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Mike Hendriks — Wed, 26 Jan 2011 22:27:45 GMT

Apologies...

First, my inspect ftp line should actually read

inspect ftp strict FTP_INSPECT_POLICY

The config I pasted in was the workaround I'm using.

Second, see the following output from Core FTP when attempting to connect, as well as the output from the show service-policy inspect ftp

Core FTP

Resolving ftp2.fincentric.com...
Connect socket #1140 to 72.15.150.51, port 21...
220 Fincentric Secure FTP for WinSock ready...
AUTH SSL
234 AUTH command OK. Initializing SSL connection.
SSL/TLS error - 0, SSL error - 1, error:00000001:lib(0):func(0):reason(1)
Winsock error 10060 (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. )
SSL Connection not established
Connection Failed
disconnected

ASA show service-policy inspect ftp

tritcasa5510# show service-policy inspect ftp

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp strict FTP_INSPECT_POLICY, packet 17, drop 8, reset-drop 0
               Cmd not terminated drop          8
        class FTP_class_map
          reset log, packet 0

I'm not entirely sure what to make of the 8 drops and cmd not terminated drop counters.

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Federico Coto Fajardo — Wed, 26 Jan 2011 22:46:31 GMT

From the error:
(A connection attempt failed because the connected party did not properly respond after a period of time,
or established connection failed because connected host has failed to respond. )
Could it have been that there was no response from the server?

If on the other hand, FTP is behaving in a way that the ASA will not accept (FTP inspection), we can capture the traffic and check the reason:

access-list FTPin permit ip host x.x.x.x host y.y.y.y
access-list FTPin permit ip host y.y.y.y host x.x.x.x
capture capin access-list FTPin interface inside

access-list FTPout permit ip host x.x.x.x host y.y.y.y
access-list FTPout permit ip host y.y.y.y host x.x.x.x
capture capout access-list FTPout interface outside

Federico.

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Mike Hendriks — Wed, 26 Jan 2011 23:03:02 GMT

coto.fusionet wrote:

If I change inspect ftp strict FTP_INSPECT_POLICY to simply inspect ftp, the connection works normally.

I will set up the capture and report back... I'm not familiar with what those commands do - Will this create a .cap file in the ASA's file system or something similar?

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Federico Coto Fajardo — Wed, 26 Jan 2011 23:05:43 GMT

Yes, and you can view the capture on the ASA itself, but it's way better to export them to Wireshark.

Here's the explanation:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/c1.html#wp2147322

Federico.

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Mike Hendriks — Wed, 26 Jan 2011 23:08:14 GMT

That link is apparently forbidden to me??

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Federico Coto Fajardo — Wed, 26 Jan 2011 23:14:01 GMT

Mike,

Most likely the behavior of this FTP connection is not compliant with FTP RFCs and that's why the ASA drops the connection (caused by the strict option)

Please check this link for the FTP inspection behavior:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_basic.html#wp1821726

Check for the ASA ''capture'' command.

Federico.

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Mike Hendriks — Wed, 26 Jan 2011 23:52:43 GMT

Thanks Federico, based on that link, I would tend to agree with you. ASA FAQs also indicate that strict inspection is not supported with FTPS.

Unfortunately, this also forces me to disable my regexp filtering as I am unable to specify a policy-map name with the inspect ftp command unless I also specify the strict keyword.

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Federico Coto Fajardo — Thu, 27 Jan 2011 01:46:11 GMT

Mike, you're right but if the problem is with this one site, you can specify the FTP inspection to apply to all destinations but this one...

Not sure if it will work for you, just a thought.

Federico.

Re: ASA 8 MPF FTP Inspection Blocks FTP over SSL

Mike Hendriks — Fri, 28 Jan 2011 00:01:13 GMT

I would be very interested as it does appear that only this one site is affected. Unfortunately, looking at the config, it seems a little bit beyond my understanding of the ASA's MPF. Any insight into that process you may have would be appreciated.