Implicit Rule prevents FTP from ASA to adjacent server

richard-ziga — Fri, 21 Feb 2020 15:30:42 GMT

This is my lab, I need to transfer files to and from my ftp server filezilla, I am running this on GNS3 and doing a wire shark capture I see no ftp packets leaving the firewall - I don't know how to interpret the output from phase 2...

ciscoasa/act# packet-tracer in log tcp 192.168.65.3 ftp 192.168.65.1 ftp de

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.65.1 using egress ifc log

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f605d9651f0, priority=501, domain=permit, deny=true
        hits=16, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.65.3, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=log, output_ifc=any

Result:
input-interface: log
input-status: up
input-line-status: up
output-interface: log
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa/act#

#########################################

ASA Version 9.8(1)
!
hostname ciscoasa
domain-name zigalab.com
enable password
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd iWqg9uTDs.mRfZdK encrypted
names
ip local pool engineering 10.2.0.50-10.2.0.100 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif log
security-level 100
ip address 192.168.65.3 255.255.255.0 standby 192.168.65.4
!
interface GigabitEthernet0/1
shutdown
nameif test
security-level 0
ip address 10.2.2.1 255.255.255.0 standby 10.2.2.3
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
nameif Webservers
security-level 100
ip address 10.2.0.155 255.255.255.0 standby 10.2.0.156
!
interface GigabitEthernet0/6
nameif HA-link
security-level 100
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.3
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup Webservers
dns server-group DefaultDNS
domain-name zigalab.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Ubuntu
host 192.168.56.1
object network Webservers
range 10.2.0.11 10.2.0.33
object-group network UbuntuDev
network-object object Ubuntu
access-list InternalSubnets standard permit 10.2.0.0 255.255.255.0
access-list to-log extended permit ip any any log
access-list allow-all extended permit ip any any log
access-list out-log extended permit ip any any log
pager lines 23
logging enable
logging timestamp
logging list notif-cfg-changes level warnings
logging list notif-cfg-changes message 111008-111010
logging list buffer-logging message 106001-106102
logging buffer-size 64000
logging monitor debugging
logging buffered debugging
logging trap warnings
logging history warnings
logging asdm warnings
logging host log 192.168.65.50
logging debug-trace
logging message 106007 level warnings
logging message 113008 level warnings
logging message 113012 level warnings
logging message 611101 level warnings
logging message 605005 level warnings
logging message 111009 level warnings
logging message 111008 level warnings
logging message 111010 level warnings
mtu log 1500
mtu test 1500
mtu Webservers 1500
mtu HA-link 1500
failover
failover lan unit primary
failover lan interface HA-asdm-link GigabitEthernet0/2
failover link HA-asdm-link GigabitEthernet0/2
failover interface ip HA-asdm-link 10.7.7.1 255.255.255.0 standby 10.7.7.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
access-group to-log in interface log
access-group out-log out interface log
access-group allow-all global
route log 0.0.0.0 0.0.0.0 192.168.56.1 1
route log 0.0.0.0 0.0.0.0 192.168.65.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL auto-enable
aaa authentication login-history
http server enable
http 192.168.56.0 255.255.255.0 log
http 192.168.65.0 255.255.255.0 log
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0_VPNlab
enrollment self
subject-name CN=ciscoasa
keypair vpnlabkey
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
    308204d3 308203bb a0030201 02021018 dad19e26 7de8bb4a 2158cdcc 6b3b4a30
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d30
    36313130 38303030 3030305a 170d3336 30373136 32333539 35395a30 81ca310b
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
    74776f72 6b313a30 38060355 040b1331 28632920 32303036 20566572 69536967
    6e2c2049 6e632e20 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c
    79314530 43060355 0403133c 56657269 5369676e 20436c61 73732033 20507562
    6c696320 5072696d 61727920 43657274 69666963 6174696f 6e204175 74686f72
    69747920 2d204735 30820122 300d0609 2a864886 f70d0101 01050003 82010f00
    3082010a 02820101 00af2408 08297a35 9e600caa e74b3b4e dc7cbc3c 451cbb2b
    e0fe2902 f95708a3 64851527 f5f1adc8 31895d22 e82aaaa6 42b38ff8 b955b7b1
    b74bb3fe 8f7e0757 ecef43db 66621561 cf600da4 d8def8e0 c362083d 5413eb49
    ca595485 26e52b8f 1b9febf5 a191c233 49d84363 6a524bd2 8fe87051 4dd18969
    7bc770f6 b3dc1274 db7b5d4b 56d396bf 1577a1b0 f4a225f2 af1c9267 18e5f406
    04ef90b9 e400e4dd 3ab519ff 02baf43c eee08beb 378becf4 d7acf2f6 f03dafdd
    75913319 1d1c40cb 74241921 93d914fe ac2a52c7 8fd50449 e48d6347 883c6983
    cbfe47bd 2b7e4fc5 95ae0e9d d4d143c0 6773e314 087ee53f 9f73b833 0acf5d3f
    3487968a ee53e825 15020301 0001a381 b23081af 300f0603 551d1301 01ff0405
    30030101 ff300e06 03551d0f 0101ff04 04030201 06306d06 082b0601 05050701
    0c046130 5fa15da0 5b305930 57305516 09696d61 67652f67 69663021 301f3007
    06052b0e 03021a04 148fe5d3 1a86ac8d 8e6bc3cf 806ad448 182c7b19 2e302516
    23687474 703a2f2f 6c6f676f 2e766572 69736967 6e2e636f 6d2f7673 6c6f676f
    2e676966 301d0603 551d0e04 1604147f d365a7c2 ddecbbf0 3009f343 39fa02af
    33313330 0d06092a 864886f7 0d010105 05000382 01010093 244a305f 62cfd81a
    982f3dea dc992dbd 77f6a579 2238ecc4 a7a07812 ad620e45 7064c5e7 97662d98
    097e5faf d6cc2865 f201aa08 1a47def9 f97c925a 0869200d d93e6d6e 3c0d6ed8
    e6069140 18b9f8c1 eddfdb41 aae09620 c9cd6415 3881c994 eea28429 0b136f8e
    db0cdd25 02dba48b 1944d241 7a05694a 584f60ca 7e826a0b 02aa2517 39b5db7f
    e784652a 958abd86 de5e8116 832d10cc defda882 2a6d281f 0d0bc4e5 e71a2619
    e1f4116f 10b595fc e7420532 dbce9d51 5e28b69e 85d35bef a57d4540 728eb70e
    6b0e06fb 33354871 b89d278b c4655f0d 86769c44 7af6955c f65d3208 33a454b6
    183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a
quit
crypto ca certificate chain ASDM_TrustPoint0_VPNlab
certificate 5e9c6f5a
    308202ee 308201d6 a0030201 0202045e 9c6f5a30 0d06092a 864886f7 0d01010b
    05003039 3111300f 06035504 03130863 6973636f 61736131 24302206 092a8648
    86f70d01 09021615 63697363 6f617361 2e7a6967 61686f6d 652e636f 6d301e17
    0d313830 31333031 39323735 325a170d 32383031 32383139 32373532 5a303931
    11300f06 03550403 13086369 73636f61 73613124 30220609 2a864886 f70d0109
    02161563 6973636f 6173612e 7a696761 686f6d65 2e636f6d 30820122 300d0609
    2a864886 f70d0101 01050003 82010f00 3082010a 02820101 0086ef37 fc524640
    3137bb2b 8915e593 c01a7e4e e237b280 9403b267 59052365 0fb8e7eb fd4549e3
    73060935 08cc3dd8 3b464179 d59a83d2 7169dd67 f0844db2 b182e6ee 42f64f1a
    9ecdacd8 3c3ff135 a5853260 f3e328a4 c4fa80a3 3a0b8268 6464889e d087bc29
    69298148 54c90c20 e607429f 668f8f76 f09dd5e9 ffa44511 ceba9245 6320add3
    6848af1a 0b679c6b 70b6da23 bc13d38a b4161253 51fb8a8f 07e4aaa3 b7679b97
    c32681ef 1acd0b85 8d03b33c 0c0fdf31 06a2cd59 7be3957a 7985b11b 1f7dc9ba
    9990c47b 4f8d211a 1fe0f567 7a7ac7fb 0710193a f6d76bd9 6870532a 87a42d51
    53b857ad 356323c9 b07aeb9f 6ad5a683 7a64d8a5 c376f9a7 33020301 0001300d
    06092a86 4886f70d 01010b05 00038201 01005dde 3eab0bb2 677eb66e d1fac648
    e6b129b4 2bc53fef ffaa7162 93c1bcf3 bfae7107 ef8805cc 5da24fff f2832fc2
    549010c1 919685e1 d3427eb0 1f1e33aa 07fafbe3 19f8cf98 80785a59 1919bd22
    c3b790d0 6f3af2d1 c438eb17 4cedbed8 4e0660d2 ec671a2e 43baf526 6973978a
    29bef9fc 2de72396 f41a2109 5ee72323 92010e7e 40991ba6 c07f98c5 72e1ace5
    ee5efec3 64bb77d6 d92532b3 3c898ae9 d62a386d 7c125193 080f99c2 93732cdd
    4abc0355 ca9b6dac 530b63da 9bcd069e 65bbf633 31aabeb9 cab53300 35b53846
    aa6d8a53 102d9e93 6c57c586 a8170613 a89aaf3d 09a7fd02 8789e5e2 cea0b4dc
    b8e7a2b4 8112d35f e6e18da4 5ce6c147 0d7c
quit
telnet 192.168.56.0 255.255.255.0 log
telnet 0.0.0.0 0.0.0.0 log
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.56.0 255.255.255.0 log
ssh 192.168.65.0 255.255.255.0 log
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd address 10.2.0.50-10.2.0.100 Webservers
dhcpd enable Webservers
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.65.2
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint0_VPNlab
ssl trust-point ASDM_TrustPoint0_VPNlab log
webvpn
enable log
anyconnect image disk0:/anyconnect-linux64-4.5.03040-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-clientless
group-policy Engineering internal
group-policy Engineering attributes
wins-server none
dhcp-network-scope 10.2.0.0
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value InternalSubnets
default-domain none
address-pools none
dynamic-access-policy-record DfltAccessPolicy
username vpnuser password $sha512$5000$A+68p6VVTBtpVzJDHZBgEA==$lNEdl0JdvbbW6d+LiVuoXQ== pbkdf2 privilege 15
username vpnuser attributes
vpn-group-policy Engineering
service-type remote-access
username rich password $sha512$5000$bImmacCvYBFNFsraZMjEUA==$6x+eU2KvgJETFcZR3hvc4w== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global-policy
class inspection_default
inspect icmp
inspect ftp
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname state
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http

Re: Implicit Rule prevents FTP from ASA to adjacent server

Ajay Saini — Wed, 14 Mar 2018 08:58:51 GMT

Hello,

Please attach the commands you are trying to connect to ftp from ASA, you can refer to the link for transferring files to and from ASA:

https://supportforums.cisco.com/t5/security-documents/asa-upgrade-different-ways-to-load-files-to-flash/ta-p/3126869

just check the ftp mode supported on filezilla server as well. Currently on firewall, passive mode is supported. Also, packet-tracer will not help troubleshoot the issue since this is to-the-box traffic.

Can you please paste the command you are trying on ASA and the error message.

HTH
AJ

Re: Implicit Rule prevents FTP from ASA to adjacent server

richard-ziga — Mon, 19 Mar 2018 16:01:05 GMT

Thanks for your reply, I was more interested in how to interpret the packet-tracer output. But the command that fails is:

copy disk0: ftp:

I can ping the destination but no ftp packets leave the firewall - the config is above

thanks,

Rich

ps any ideas where to find documentation on packet-tracer output?

topic Re: Implicit Rule prevents FTP from ASA to adjacent server in Network Security

Implicit Rule prevents FTP from ASA to adjacent server

Re: Implicit Rule prevents FTP from ASA to adjacent server

Re: Implicit Rule prevents FTP from ASA to adjacent server