topic Re: Issues with FTP ASA 5505 in Network Security

Issues with FTP ASA 5505

jill.kane — Mon, 11 Mar 2019 19:41:30 GMT

I am unable to get inbound ftp working. Here is my current running configuration. Can anyone help me? All I want is to ftp to the external ip address and have it hit the internal ftp server address of 192.168.1.3.

ASA Version 8.2(1)
!
hostname EOSasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list outside_access_in extended permit tcp any host 192.168.1.3 object-group DM_INLINE_TCP_1
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 99.23.119.78 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.3 ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group EOS request dialout pppoe
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn group linkstation request dialout pppoe
vpdn group linkstation localname eossolutions@static.att.net
vpdn group linkstation ppp authentication pap
vpdn username eossolutions@static.att.net password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy Admins internal
group-policy Admins attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
username adminjk password 4V9t4jYY5NUXyHQF encrypted privilege 0
username adminjk attributes
vpn-group-policy Admins
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map golbal_policy
class inspection_default
inspect ftp
!
prompt hostname context
Cryptochecksum:2d387046ad799a8a93b065724d24faf4
: end

Re: Issues with FTP ASA 5505

Federico Coto Fajardo — Fri, 28 Jan 2011 18:04:06 GMT

Hi,

This line should reference the public IP (instead than the private IP):

access-list outside_access_in extended permit tcp any host 192.168.1.3 object-group DM_INLINE_TCP_1

Federico.

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 18:08:35 GMT

Still no luck... any other ideas?

I can ftp internally when connected to the local ip. However, going to ftp://99.23.119.78 it times out.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname EOSasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list outside_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 99.23.119.78 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.3 ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group EOS request dialout pppoe
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn group linkstation request dialout pppoe
vpdn group linkstation localname eossolutions@static.att.net
vpdn group linkstation ppp authentication pap
vpdn username eossolutions@static.att.net password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 18:33:32 GMT

I see that I am now getting hits in the ASDM but they are not coming through. What else should I change?

Any help would be greatly appreciated...

Thanks!

Re: Issues with FTP ASA 5505

manish arora — Fri, 28 Jan 2011 18:58:56 GMT

Hi Jill,

Can you post sh service-policy output ?

manish

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 19:06:01 GMT

I'm relatively new to this Cisco... so please bare with me. I ran the command "show service-policy" and it returned nothing but the standard prompt. Is there anything else I should be doing?

Re: Issues with FTP ASA 5505

manish arora — Fri, 28 Jan 2011 19:23:50 GMT

try this :-

asa(config)# service-policy golbal_policy global

Then test your ftp from outside network ( From client side )

Then do sh service-policy

Manish

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 19:36:58 GMT

Still no connection.

I ran sh service-policy and this is the output:

Global policy:
Service-policy: golbal_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0

Anything else?

It seems the ftp traffic is coming to the right place, its just not being sent to the internal ip address - thus never prompting for a login.

I see that there are hits.

Re: Issues with FTP ASA 5505

manish arora — Fri, 28 Jan 2011 19:46:01 GMT

Jill,

Is this the correct ip address that you are using 99.23.119.78 ?

Externally it only show port 443 & 22 open.

Manish

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 19:50:34 GMT

That is correct... the ip is 99.23.119.78.

How do I open port 21 for ftp?

Once again, this is the running config:

ASA Version 8.2(1)
!
hostname EOSasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list outside_access_in extended permit tcp any host 99.23.119.78 object-g roup DM_INLINE_TCP_1
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 99.23.119.78 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group EOS request dialout pppoe
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn group linkstation request dialout pppoe
vpdn group linkstation localname eossolutions@static.att.net
vpdn group linkstation ppp authentication pap
vpdn username eossolutions@static.att.net password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy Admins internal
group-policy Admins attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
username adminjk password 4V9t4jYY5NUXyHQF encrypted privilege 0
username adminjk attributes
vpn-group-policy Admins
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map golbal_policy
class inspection_default
inspect ftp
!
service-policy golbal_policy global
prompt hostname context
Cryptochecksum:2d387046ad799a8a93b065724d24faf4
: end

Re: Issues with FTP ASA 5505

Federico Coto Fajardo — Fri, 28 Jan 2011 19:55:47 GMT

One question... when you attempt the FTP connection do you get an error on the client?

Are you able to FTP to your server from the inside (inside the ASA)?

Federico.

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 19:59:32 GMT

Inside the network I am able to ftp to ftp://192.168.1.3 and am prompted for credentials and am able to gain access.

And regardless of if I am inside the network or outside when try to ftp to ftp://99.23.119.78 it is unable to connect. It times out and is unable to access the folder; a connection with the server could not be established.

Try it out yourself and let me know.

Thanks, I really appreciate the help! I've been trying to get this to work for about 5 hours today and it shouldn't be that difficult!

Re: Issues with FTP ASA 5505

manish arora — Fri, 28 Jan 2011 20:00:46 GMT

Last time I saw your config you had :-

"static (inside,outside) tcp interface ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.3 ftp netmask 255.255.255.255"

where are these lines now ?

if they are not there , then please add these lines :-

static (inside,outside) tcp interface ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.3 ftp netmask 255.255.255.255

also

static (inside,outside) tcp interface 80 192.168.1.3 80 netmask 255.255.255.255

then clear xlate

Manish

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 20:06:33 GMT

Done.

Here is the updated config:

ASA Version 8.2(1)
!
hostname EOSasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list outside_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 99.23.119.78 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.3 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group EOS request dialout pppoe
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn group linkstation request dialout pppoe
vpdn group linkstation localname eossolutions@static.att.net
vpdn group linkstation ppp authentication pap
vpdn username eossolutions@static.att.net password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

Re: Issues with FTP ASA 5505

manish arora — Fri, 28 Jan 2011 20:06:46 GMT

The scan to your IP ADD looks

like this :-

[root@cola1 ~]# nmap -sS -vv 99.23.119.78

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-01-28 05:58 PST
DNS resolution of 1 IPs took 0.00s.
Initiating SYN Stealth Scan against 99-23-119-78.dsl.sfldmi.sbcglobal.net (99.23.119.78) [1680 ports] at 05:58
Discovered open port 22/tcp on 99.23.119.78
Discovered open port 443/tcp on 99.23.119.78
The SYN Stealth Scan took 27.75s to scan 1680 total ports.
Host 99-23-119-78.dsl.sfldmi.sbcglobal.net (99.23.119.78) appears to be up ... good.
Interesting ports on 99-23-119-78.dsl.sfldmi.sbcglobal.net (99.23.119.78):
Not shown: 1678 filtered ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https

Nmap finished: 1 IP address (1 host up) scanned in 28.138 seconds
Raw packets sent: 3361 (147.864KB) | Rcvd: 10 (544B)
[root@cola1 ~]#

Manish

Re: Issues with FTP ASA 5505

manish arora — Fri, 28 Jan 2011 20:07:37 GMT

Retest now , it shows :-

Discovered open port 22/tcp on 99.23.119.78
Discovered open port 443/tcp on 99.23.119.78
Discovered open port 80/tcp on 99.23.119.78
Discovered open port 21/tcp on 99.23.119.78

Manish

Re: Issues with FTP ASA 5505

manish arora — Fri, 28 Jan 2011 20:11:00 GMT

It works from outside now.

Index of ftp://99.23.119.78/

Up to higher level directory

   Name
       Size
       Last Modified

disk1

     12/30/2010
     2:13:00 PM

info

     7/14/2009
     12:00:00 AM

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 20:17:26 GMT

GREAT!!!!!!!

Thank you so much for being patient with me and helping me out!

I can finally move on!!! You'r awesome!

Re: Issues with FTP ASA 5505

jill.kane — Fri, 28 Jan 2011 20:39:45 GMT

One more question before you go...

I would like to allow customers to access the web interface of the ftp site (which is actually just a Buffalo Linkstation) and to do so it uses port 9000. What is the command that I should run to allow this? I added tcp,9000 to the outside (incoming rule) so that it now shows 9000, ftp, ftp-data and http.

Is this correct? Here's my config (hopefully for the last time):

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname EOSasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq 9000
access-list outside_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 99.23.119.78 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.3 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp interface 9000 192.168.1.3 9000 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group EOS request dialout pppoe
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn group linkstation request dialout pppoe
vpdn group linkstation localname eossolutions@static.att.net
vpdn group linkstation ppp authentication pap
vpdn username eossolutions@static.att.net password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

Re: Issues with FTP ASA 5505

manish arora — Fri, 28 Jan 2011 21:39:01 GMT

YES,

I do see authentication window on http://99.23.119.78:9000 .

Also, can you please mark Federico post as answered too , he was helping you out too.

Chrees

Manish