topic How to enable FTP in management port of an ASA 5525X? in Network Security

How to enable FTP in management port of an ASA 5525X?

blue phoenix — Fri, 21 Feb 2020 13:35:05 GMT

Hi all,
I can ping the management port of my ASA from my PC (remote VPN to the client), all other ports are in shutdown (pre-prod stage)
I can't ping however from ASA to my PC that is now a vpn client of the remote client I am working on.

Global policy below:

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
* As you can see icmp and ftp are allowed

Management has the same security level as the inside (100)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

ip verify reverse-path interface management

What is missing in my config in order for ping to work from my ASA and as well make ftp work so I can transfer new packages from my PC to my ASA?

Please let me know what else you need for me to capture....

Your inspection policies have

Marvin Rhoads — Fri, 11 Sep 2015 13:44:57 GMT

Your inspection policies have nothing to do with allowing or preventing access.

Traffic cannot flow through the ASA to the management port. That is prevented by design.

If all ports are shutdown except management then you should be able to access management directly from whatever network it is connected to. If you're on a remote network, you simply need to have a route defined and bound to management and allow the ssh or http from that network for cli and ASDM access respectively.

Thanks,I have access to the

blue phoenix — Fri, 11 Sep 2015 15:22:39 GMT

Thanks,

I have access to the management port, the management port is routable in the network for Inside and vpn users. The ASA I am configuring is in it's staging status and not yet in production.

So I don't know if I am doing this right or wrong since by default if the IP is routable and reachable you can ftp into it right if in the global policy it is allowed?

I tried to also configure an access-list permitting any any to the inbound of the management. And binded that to an access-group in the management interface as well... No joy....

So what you are saying is that by default and design, management port is just purely for management and can't be used for transferring files to and from?

I noted that you cannot

Marvin Rhoads — Fri, 11 Sep 2015 21:34:46 GMT

I noted that you cannot access the management interface THROUGH the ASA. If you're connecting directly TO the management address, then it works fine.

The global policy and inspect rules it references have nothing to do with management traffic, ftp or otherwise.

To copy files onto the ASA you can use ftp (ASA is the ftp client so you need to initiate from the ASA - not "ftp into it"), scp, tftp or http. HTTP(s) is the method used when we transfer via ASDM.

In any of those cases we need to allow ssh (for the cli-based methods) or http (for ASDM) from your client address or network in the ASA configuration. The commands look something like:

ssh 192.168.1.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 management

( of course substituting your network and netmask)

@Marvin Rhoads,Hi, do you

blue phoenix — Tue, 15 Sep 2015 16:09:35 GMT

@Marvin Rhoads,

Hi, do you mean that I can transfer files from my PC (tftp/ftp server) to the ASA via the managament port or not?

thanks,

Yes you can. I do it all the

Marvin Rhoads — Tue, 15 Sep 2015 16:13:47 GMT

Yes you can. I do it all the time.

You just need to run the

copy tftp://<your pc address>/<file name> disk0:/

... command (or with ftp and username / password for ftp) on the ASA.

The feature has been available since the ASA was known as a Pix.

Hi,That is what is bothering

blue phoenix — Wed, 16 Sep 2015 08:37:05 GMT

Hi,

That is what is bothering me... I tried the usual copy ftp: disk:0
Asked me of the remote IP:
Asked me of the name of the file:
Asked me of the name for the destination file:

I tried this command as well:

copy ftp://192.168.80.239/C:\Users\rbilan\Downloads\ASA disk0:

still permission denied, do I need the complete syntax to work as below?

copy ftp://192.168.80.239/C:\Users\rbilan\Downloads\ASA disk0:/

Also if the copying of files has been around since the PIX, could you point me to a link that explains the step by step procedure for this using the management port? Sorry can't seem to find any link for 9.1.2

Your copy ftp syntax is

Marvin Rhoads — Wed, 16 Sep 2015 13:42:48 GMT

Your copy ftp syntax is incorrect.

The ftp server software on your PC should have an option to set the home directory of the configured ftp username. For instance, set it to "C:\Users\rbilan\Downloads\ASA" in the ftp server software configuration. Once that is done, any remote ftp operation uses that as the starting point to look for the remote file.

So if you do that and want to copy the file "asa915-k8.bin" onto your ASA from that home directory, you would simply use:

copy ftp://192.168.80.239/asa915-k8.bin disk0:

You can optionally include the username and password in the copy command as follows (substituting your values):

copy ftp://username:password@192.168.80.239/asa915-k8.bin disk0:

The copy command syntax is covered in the ASA command reference.