topic Re: FTP trouble with ASA 5510 in Network Security

FTP trouble with ASA 5510

h-etchepare — Mon, 11 Mar 2019 15:48:26 GMT

Hi everybody,

I have trouble with FTP connections using a ASA5510.

I have 3 LANs connected to the FW:

LAN1 (inside): 172.16.1.0/24

LAN2 (outside) 10.52.64.0/24

LAN (DMZ) 172.16.0.8/29

My FTP server (IIS FTP Server)is on the DMZ with IP address 172.16.0.10.

The FTP traffic between outside and DMZ is configurated and works fine (connection, PUT, GET...)

But, the FTP traffic between inside and DMZ doesn't work properly.

The autehntification on the FTP server is OK but, after few seconds, I always have a disconnection message "connection closed by remote host"...

I have try using "no ftp mode passive" or "ftp mode passive" but it's the same.

The ports allowed are TCP 20 and TCP 21.

Anyone have an idea to fix this issue ?

Sincerely,

HerÃ©v

Re: FTP trouble with ASA 5510

John Blakley — Thu, 25 Jun 2009 15:42:10 GMT

Can you post "sh run policy-map"?

HTH,

John

Re: FTP trouble with ASA 5510

dcambron — Thu, 25 Jun 2009 15:44:57 GMT

I would try with this first.

(config)#policy-map global_policy

class inspection_default

inspect FTP

Re: FTP trouble with ASA 5510

h-etchepare — Thu, 25 Jun 2009 16:23:36 GMT

ftp-map GET

request-command deny get

ftp-map PUT

request-command deny put

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

policy-map outside-policy

class inspection_default

inspect ftp strict PUT

policy-map inside-policy

class inspection_default

inspect ftp strict GET

service-policy global_policy global

service-policy outside-policy interface outside

service-policy inside-policy interface inside

Re: FTP trouble with ASA 5510

dcambron — Thu, 25 Jun 2009 16:29:22 GMT

What are the loggs saying.

Re: FTP trouble with ASA 5510

h-etchepare — Thu, 25 Jun 2009 16:53:46 GMT

Currently, I cannot access to the FW (WAN link DOWN) but when I have try to troubleshoot, nothing really clear appears on the logs...

Re: FTP trouble with ASA 5510

h-etchepare — Thu, 25 Jun 2009 17:25:37 GMT

Currently, I cannot access the FW (Wan link down).

But nothing really interesting on the logs when I have done my troubleshooting.

Re: FTP trouble with ASA 5510

dcambron — Thu, 25 Jun 2009 18:31:59 GMT

please post the #show service-policy

Re: FTP trouble with ASA 5510

h-etchepare — Fri, 26 Jun 2009 04:29:43 GMT

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0

Inspect: ftp, packet 103, drop 0, reset-drop 0

Inspect: h323 h225, packet 0, drop 0, reset-drop 0

Inspect: h323 ras, packet 0, drop 0, reset-drop 0

Inspect: rsh, packet 0, drop 0, reset-drop 0

Inspect: rtsp, packet 0, drop 0, reset-drop 0

Inspect: esmtp, packet 0, drop 0, reset-drop 0

Inspect: sqlnet, packet 0, drop 0, reset-drop 0

Inspect: skinny, packet 0, drop 0, reset-drop 0

Inspect: sunrpc, packet 0, drop 0, reset-drop 0

Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Inspect: sip, packet 0, drop 0, reset-drop 0

Inspect: netbios, packet 0, drop 0, reset-drop 0

Inspect: tftp, packet 0, drop 0, reset-drop 0

Interface outside:

Service-policy: outside-policy

Class-map: inspection_default

Inspect: ftp strict PUT, packet 360, drop 0, reset-drop 3

Interface inside:

Service-policy: inside-policy

Class-map: inspection_default

Inspect: ftp strict GET, packet 812, drop 282, reset-drop 17

Re: FTP trouble with ASA 5510

Azhar Munawar — Sat, 08 Aug 2009 08:50:02 GMT

Hi Herev,

I have the same problem I defined the one ftp server for from outside and its working fine while i trying to add one more ftp server define the same rule for this server its not working dont know thatr the problem i gets the same message as i trying to run put command transication table is established for 21 port but not for 20 which is data port.

Help me how can i resolve this problem.

Regards

Azhar

Re: FTP trouble with ASA 5510

Jayson Velasco — Tue, 11 Aug 2009 14:03:25 GMT

Hi Azhar:

If you're using an ACTIVE FTP client, ports 20 and 21 will work fine.

If your FTP clients use passive ftp, which is generally the case, you'd have to allow ports >1023 for the data session for FTP. Passive FTP works that way. And for ASA to allow established data connections, you should create an ACL allowing only port 20 for ftp-data.

Re: FTP trouble with ASA 5510

dcambron — Tue, 11 Aug 2009 14:12:46 GMT

Hi,

Let gonna do something. Clear the ASP drops with the command #Clear Asp Drop

then try to connect several times and then get the Asp drop with the command #Show Asp drop and send us that information.

Re: FTP trouble with ASA 5510

Jayson Velasco — Tue, 11 Aug 2009 15:17:17 GMT

What does your FTP server say?

I'm not an ASA guru but why allow only port 20 for ftp? Are you just concerned with Active FTP sessions?

Re: FTP trouble with ASA 5510

suschoud — Tue, 11 Aug 2009 22:08:47 GMT

Put in :

no service-policy outside-policy interface outside

no service-policy inside-policy interface inside

hTH

Sushil

TAC