01-09-2014 04:01 PM - edited 03-11-2019 08:27 PM
I have an ASA 5525 with Software Version 9.0(2) that is not allowing passive ftp. Each time I try to do any transfer that involves the data channel -- such as getting a directory listing -- with passive on, the log has lines like these and the command just times out:
2014-01-09T15:44:11.124706-08:00 Jan 09 2014 15:43:37: %ASA-4-406002: FTP port command different address: 172.21.10.8(198.204.112.183) to 68.183.62.10 on interface dmz1
2014-01-09T15:44:11.125100-08:00 Jan 09 2014 15:43:37: %ASA-4-507003: tcp flow from outside:68.183.62.10/38349 to dmz1:172.21.10.8/21 terminated by inspection engine, reason - inspector drop reset.
I have an access_list on the outside interface that allows ftp:
access-list acl_out line 48 extended permit tcp object-group bftp-clients object-group bftp.lereta.com_1 object-group bftp-tcp-port
bftp-clients is a list of all the clients that are allowed to connect. It had about 300 or so entries.
bftp-tcp-port lists the port that the FTP server requires:
object-group service bftp-tcp-port tcp
port-object eq ftp
port-object eq ssh
port-object range 4000 4005
port-object eq 990
bftp.lereta.com_1 lists the server (there was supposed to be more than one, but that changed).
I have "inspect ftp" in the global_policy map:
policy-map global_policy
class inspection_default
inspect ftp
The sniffer tells me that the server responds to the PASV command with something like:
227 Entering Passive Mode (198,204,112,183,15,164)
However, the above does not get through the firewall and back to the client. I have checked on both sides of the firewall.
Active FTP works fine.
Anyone have an idea what I am doing wrong?
01-10-2014 05:27 AM
Hi,
Could you send the output of "show service-policy"?
- Prateek Verma
01-10-2014 07:08 AM
I hope this wraps OK...
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 1353449, lock fail 0, drop 19454, reset-drop 0, v6-fail-close 0
Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 22442301, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 10, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: netbios, packet 364561, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: http, packet 46295541, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ils, packet 335408, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: pptp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: icmp, packet 224298, lock fail 0, drop 223, reset-drop 0, v6-fail-close 0
Inspect: icmp error, packet 32654, lock fail 0, drop 346, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Class-map: ftp-class
Inspect: ftp, packet 1607151, lock fail 0, drop 0, reset-drop 4, v6-fail-close 0
Interface outside:
Service-policy: outside-policy
Class-map: outside-class
IPS: card status Up, license status Enabled, mode inline fail-open
packet input 145198494, packet output 145198587, drop 0, reset-drop 0
Interface inside:
Service-policy: policy-conn-param-inside
Class-map: class-conn-param-tcp-01
Set connection policy: per-client-max 1000 per-client-embryonic-max 2000
current conns 0, drop 0
The class-map at the end of the global policy was added yesterday in an attempt to fix the problem:
class-map ftp-class
match access-list ftp-list
access-list ftp-list; 2 elements; name hash: 0x8e356a0d
access-list ftp-list line 1 extended permit tcp any any eq ftp (hitcnt=27153)
access-list ftp-list line 2 extended permit tcp any any range 4000 4005 (hitcnt=191)
01-13-2014 08:39 AM
Found the problem. The FTP server was sending the external NAT address, not its own address, in the passive response. The previous firewalls didn't care, but the newer software apparently does. Once the server was changed to send its own IP (an RFC 1918 address) in the response, clients were able to use passive.
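A small Python check, added here and not taken from the thread or from Cisco, that parses a 227 reply as shown in the sniffer output above and flags the same mismatch the %ASA-4-406002 message reports. The sample addresses and reply are the ones from the thread; comparing the advertised address against the server's control-connection address is an approximation of what the FTP inspector does, not its actual code.

```python
import ipaddress
import re

# Constructed samples, taken from the values quoted in the thread:
# the server's real (RFC 1918) address on dmz1, the bad 227 reply that
# advertised the external NAT address, and the corrected reply.
SERVER_CONTROL_ADDR = "172.21.10.8"
BAD_PASV_REPLY = "227 Entering Passive Mode (198,204,112,183,15,164)"
GOOD_PASV_REPLY = "227 Entering Passive Mode (172,21,10,8,15,164)"

# RFC 959 format: (h1,h2,h3,h4,p1,p2) where port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if reply is not a 227."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("malformed PASV reply: %r" % reply)
    ip = ".".join(str(o) for o in fields[:4])
    port = (fields[4] << 8) | fields[5]
    return ip, port


def check_pasv(reply, control_peer):
    """Approximate the inspector's sanity check: the data-channel address the
    server advertises must be the same host the control connection is talking to.
    Returns (verdict, detail)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ("ignored", None)
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer):
        return ("drop", "advertised %s differs from control peer %s" % (ip, control_peer))
    return ("allow", "%s:%d" % (ip, port))


if __name__ == "__main__":
    for reply in (BAD_PASV_REPLY, GOOD_PASV_REPLY):
        print(reply, "->", check_pasv(reply, SERVER_CONTROL_ADDR))
```

The bad reply decodes to port 4004, inside the 4000-4005 passive range the access list permits, so the port was never the problem; only the advertised address was.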
04-25-2018 06:20 AM
@Stephen Carville wrote:
Found the problem. The FTP server was sending the external NAT address, not its own address, in the passive response. The previous firewalls didn't care, but the newer software apparently does. Once the server was changed to send its own IP (an RFC 1918 address) in the response, clients were able to use passive.
Thank you Stephen. What you described was exactly my problem too. I was moving to an ASA5515 from an old Juniper and the FTP software had the same issue. I removed the public IP from the Passive FTP settings in the software and all worked again.