https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949251#M917592 <HTML><HEAD></HEAD><BODY><P>"Moving from Checkpoint to ASA." That's a mistake if you asked me.</P><P>You will lose a lot of functions in Checkpoint that you have taken </P><P>for granted. Then again, it may be a corporate decision that you</P><P>do not have a choice.</P><P></P><P>1- you do not need to allow all IP outbound to this particular</P><P>destination. You just need to allow tcp high-ports to this</P><P>destination, not IP,</P><P></P><P>2- Ask the folks on the other end if they can restrict the</P><P>number of tcp high-ports that FTPs can assign. This can</P><P>be done very easily on both Microsoft IIS Server and vsFTPd</P><P>server for Linux. In vsFTPd, check the vsftpd.conf file and</P><P>you will see it there. Normally, you want to restrict the</P><P>ftp-data ports in pasv mode between 2000 and 2100. </P><P></P><P>Easy right?</P></BODY></HTML> Fri, 27 Jun 2008 21:09:28 GMT cisco24x7 2008-06-27T21:09:28Z https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949247#M917584 <P>Moving from Checkpoint to ASA. Migrated about 20% of my policies earlier this week and had to back out one. ftps from 10.60.10.205 (inside) destined for 65.217.149.5 (prod-outside). Users got error message 500 Illegal PORT range when entering pasv mode...</P><P></P><P>220 pw-sftp-cl1.nmhcrx.com FTP server (Version 6.00LS+TLS) ready.</P><P>AUTH SSL</P><P>234 AUTH SSL command successful.</P><P>SSL Session Started.</P><P>Host type (1): Automatic detect</P><P>USER myuser</P><P>331 Password required for myuser.</P><P>PASS (hidden)</P><P>230 User myuser logged in, access restrictions apply.</P><P>SYST</P><P>215 UNIX Type: L8</P><P>Host type (2): UNIX (standard)</P><P>PBSZ 0</P><P>200 PBSZ command successful (PBSZ=0).</P><P>PROT C</P><P>504 PROT command not available in FTP-SSL compatibility mode.</P><P>PWD</P><P>257 "/" is current directory.</P><P>TYPE A</P><P>200 Type set to A.</P><P>PASV</P><P>227 Entering Passive Mode (65,217,149,5,165,146)</P><P>connecting data channel to 65.217.149.5:165,146(42386)</P><P>PORT 10,60,10,205,11,71</P><P>500 Illegal PORT range rejected.</P><P>Port failed 500 Illegal PORT range rejected.</P><P>QUIT</P><P>221 Goodbye.</P><P>Connection closed.</P><P></P><P>Ftp inspection is enabled. Do I need to exclude this from inspection because it is encrypted? If so, how do I handle the data channel and associated dynamic ports? </P><P>Tried fixup protocol ftp 21 based upon feedback in another NetPro discussion.</P><P>Also modified policy and nat rules to permit both tcp/ftp and tcp/ftp-data. </P><P></P><P>I'm new to the ASA and not having much luck with TAC. Most recent feedback from TAC "Let me do some research about it since I am not sure if FTPS is supported on ASA firewalls. I will keep you posted." Any suggestions?</P><P></P><P>Relevant configuration items.</P><P>NAT...</P><P>access-list inside_nat_outbound_1 extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_12</P><P>nat (inside) 10 access-list inside_nat_outbound_1</P><P></P><P>ACL...</P><P>access-list from-inside extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_13 log warnings</P><P>access-group from-inside in interface inside</P><P></P><P>(DM_INLINE_TCP_12 and DM_INLINE_TCP_13 object-groups include tcp/ftp and tcp/ftp-data)</P><P></P><P>Inspection Policy...</P><P>access-list mss-exceeded-acl extended permit ip any any inactive</P><P></P><P>class-map mss-exceeded-map</P><P> match access-list mss-exceeded-acl</P><P></P><P>tcp-map mss-exceeded-map</P><P> exceed-mss allow</P><P></P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P> id-randomization</P><P> id-mismatch action log</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect netbios</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect skinny</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect sunrpc</P><P> inspect tftp</P><P> inspect sip</P><P> inspect xdmcp</P><P> inspect icmp</P><P> inspect http</P><P> inspect ils</P><P> inspect dns preset_dns_map</P><P> inspect ipsec-pass-thru</P><P> class mss-exceeded-map</P><P> set connection advanced-options mss-exceeded-map</P><P>!</P><P>service-policy global_policy global</P><P></P><P></P> Mon, 11 Mar 2019 13:06:04 GMT https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949247#M917584 thomsmith 2019-03-11T13:06:04Z https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949248#M917586 <HTML><HEAD></HEAD><BODY><P>try this</P><P></P><P>no access-list from-inside extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_13 log warnings </P><P>access-list from-inside extended permit ip net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com</P><P>access-group from-inside in interface inside </P><P></P></BODY></HTML> Thu, 26 Jun 2008 21:55:22 GMT https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949248#M917586 a.alekseev 2008-06-26T21:55:22Z https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949249#M917588 <HTML><HEAD></HEAD><BODY><P>Unfortunately my user and their login credentials have left for the day. I'll try tomorrow am EST. Unsure this will make any difference. I'm not seeing any drops in the logs.</P></BODY></HTML> Thu, 26 Jun 2008 22:05:56 GMT https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949249#M917588 thomsmith 2008-06-26T22:05:56Z https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949250#M917590 <HTML><HEAD></HEAD><BODY><P>It appears outbound request for data channel is being blocked. The server side randomly assigns a high port in pasv mode. My client then attempts to connect on this high port and is being blocked. FTP inspection would normally pick this up and allow the high port. It doesn't work here because all of the payload is encrypted. Interim fix is allow all ip outbound to this particular destination. Not really a good long term solution. Any better suggestions out there?</P></BODY></HTML> Fri, 27 Jun 2008 18:50:35 GMT https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949250#M917590 thomsmith 2008-06-27T18:50:35Z https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949251#M917592 <HTML><HEAD></HEAD><BODY><P>"Moving from Checkpoint to ASA." That's a mistake if you asked me.</P><P>You will lose a lot of functions in Checkpoint that you have taken </P><P>for granted. Then again, it may be a corporate decision that you</P><P>do not have a choice.</P><P></P><P>1- you do not need to allow all IP outbound to this particular</P><P>destination. You just need to allow tcp high-ports to this</P><P>destination, not IP,</P><P></P><P>2- Ask the folks on the other end if they can restrict the</P><P>number of tcp high-ports that FTPs can assign. This can</P><P>be done very easily on both Microsoft IIS Server and vsFTPd</P><P>server for Linux. In vsFTPd, check the vsftpd.conf file and</P><P>you will see it there. Normally, you want to restrict the</P><P>ftp-data ports in pasv mode between 2000 and 2100. </P><P></P><P>Easy right?</P></BODY></HTML> Fri, 27 Jun 2008 21:09:28 GMT https://community.cisco.com/t5/network-security/checkpoint-to-asa-migration-problems-with-pasv-ftps/m-p/949251#M917592 cisco24x7 2008-06-27T21:09:28Z