topic FTP issue in Network Security

FTP issue

lkadlik — Mon, 11 Mar 2019 18:33:33 GMT

I have a server on a dmz that can ftp a file using the web browser and you can connect to the ftp server via the command line. However, when one of the developers tries to use a script to transfer the file it does not work. Additionally, when you connect to the ftp server via the command line and try to run the ls command you receive an error message saying " 500 illegal port".

I know that ftp is allowed on the firewall and ftp is part of the default global inspection policy. It looks like this is a PASV vs active issue. However in windows it does not allow you to swtich to passive mode.

Other then opening up all high level ports for this connection , does anyone have a suggestion on what/ if anything I can do on the firewall?

thank you

Re: FTP issue

Federico Coto Fajardo — Wed, 01 Sep 2010 14:25:15 GMT

Hi,

I'm not sure if this might help:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1234738

You can see what is the behavior of the normal default FTP inspection on the ASA and you can additionally create an FTP inspection map to specify different behavior.

Hope it helps.

Federico.

Re: FTP issue

praprama — Wed, 01 Sep 2010 14:37:12 GMT

Hey,

Could you provide details as to where is the client located with respect to the ASA and also IP address details of the ASA and the server along with the current ASA config (with altered IP addresses if needed)? We can go through that and see if we notice anything wrong on the ASA.

Thanks and Regards,

Prapanch

Re: FTP issue

lkadlik — Wed, 01 Sep 2010 15:33:48 GMT

The client is on the dmz and can connect to the ftp server via the command line and transfer the file using a browser.

a.b.c.f is the ftp server

a.b.c.g is the client

The relevant parts of the config are as follows:

ASA Version 8.0(3)

interface GigabitEthernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address a.b.c.d 255.255.255.0 standby a.b.c.e

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.20.30.2 255.255.255.0 standby 10.20.30.3

interface GigabitEthernet0/2

interface GigabitEthernet0/2.1

description LAN Failover Interface

vlan 28

interface GigabitEthernet0/2.2

description STATE Failover Interface

vlan 29

interface GigabitEthernet0/3

speed 100

duplex full

nameif dmz

security-level 50

ip address 192.168.50.2 255.255.255.0 standby 192.168.50.3

interface Management0/0

shutdown

nameif managment

security-level 100

no ip address

same-security-traffic permit inter-interface

object-group network FTP

network-object host a.b.c.f

object-group service FTP_service

service-object tcp eq ftp-data

service-object tcp eq ftp

service-object tcp range 5500 5700

access-list acl_Inside extended deny object-group Anonymous any object-group BlackList

access-list acl_Inside extended deny ip a.b.c.0 255.255.255.0 any

access-list acl_Inside extended deny ip 192.168.50.0 255.255.255.0 any

access-list acl_Inside extended deny ip host 255.255.255.255 any

access-list acl_Inside extended deny ip 127.0.0.0 255.0.0.0 any

access-list acl_Inside extended permit ip any any

access-list acl_DMZ extended permit tcp host 192.168.50.51 host 192.168.50.180 eq smtp

access-list acl_DMZ extended permit tcp host 192.168.50.54 host 192.168.50.180 eq smtp

access-list acl_DMZ extended permit tcp host 192.168.50.54 host 192.168.50.246 eq smtp

access-list acl_DMZ extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list acl_DMZ extended permit ip 192.168.50.0 255.255.255.0 any

access-list acl_Outside extended permit object-group FTP_service any object-group FTP

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu managment 1500

asdm image disk0:/asdm-623.bin

no asdm history enable

arp timeout 14400

static (inside,outside) a.b.c.f 10.20.30.55 netmask 255.255.255.255

static (inside,outside) a.b.c.g 10.20.25.102 netmask 255.255.255.255

access-group acl_Outside in interface outside

access-group acl_Inside in interface inside

access-group acl_DMZ in interface dmz

policy-map Global_Policy

description Global Policy for Traffic Inspection

class Inspection_Default

inspect dns

inspect ftp

inspect h323 h225

inspect h323 ras

inspect icmp

inspect ipsec-pass-thru

inspect mgcp

inspect pptp

inspect rsh

inspect rtsp

inspect sip

inspect skinny

inspect snmp

inspect sqlnet

inspect tftp

inspect xdmcp

inspect http

service-policy Global_Policy global

prompt hostname context

Cryptochecksum:fd174eacd4f91d6b5b3ef484f5365abe

: end

Re: FTP issue

praprama — Wed, 01 Sep 2010 15:40:59 GMT

Hi,

You have mentioned that both the client and the serve rare on the DMZ. But in the config i see the below 2 static commands redircting a.b.c.f (server) and a.b.c.g (client) to the inside interface.

static (inside,outside) a.b.c.f 10.20.30.55 netmask 255.255.255.255

static (inside,outside) a.b.c.g 10.20.25.102 netmask 255.255.255.255

I am not quite sure about the topology yet. Could you clarify things a little bit more here?

Regards,

Prapanch

Re: FTP issue

lkadlik — Wed, 01 Sep 2010 21:47:58 GMT

It looks like this might be a barracuda issue. Thank you for taking the time to respond to me