ASA 5525 does not allow passive FTP

I have an ASA 5525 with Software Version 9.0(2) that is not allowing passive ftp. Each time I try to do any transfer that involves the data channel -- such as getting a directory listing -- with passive on, the log has lines like these and the command just times out:

2014-01-09T15:44:11.124706-08:00 Jan 09 2014 15:43:37: %ASA-4-406002: FTP port command different address: 172.21.10.8(198.204.112.183) to 68.183.62.10 on interface dmz1

2014-01-09T15:44:11.125100-08:00 Jan 09 2014 15:43:37: %ASA-4-507003: tcp flow from outside:68.183.62.10/38349 to dmz1:172.21.10.8/21 terminated by inspection engine, reason - inspector drop reset.

I have an access_list on the outside interface that allows ftp:

access-list acl_out line 48 extended permit tcp object-group bftp-clients object-group bftp.lereta.com_1 object-group bftp-tcp-port

bftp-clients is a list of all the clients that are allowed to connect. It had about 300 or so entries.

bftp-tcp-port lists the ports that the FTP server requires:

object-group service bftp-tcp-port tcp
 port-object eq ftp
 port-object eq ssh
 port-object range 4000 4005
 port-object eq 990

bftp.lereta.com_1 lists the server (There was supposed to be more than one but that changed)

I have "inspect ftp" in the global_policy map:

policy-map global_policy
 class inspection_default
  inspect ftp

The sniffer tells me that the server responds to the PASV command with something like:

227 Entering Passive Mode (198,204,112,183,15,164)

However, the above does not get through the firewall and back to the client. I have checked on both sides of the firewall.

Active FTP works fine.

Anyone have an idea what I am doing wrong?

4 Replies

prateeve
Level 1

Hi, 

Could you send the output of "show service-policy"?

- Prateek Verma

I hope this wraps OK...

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1353449, lock fail 0, drop 19454, reset-drop 0, v6-fail-close 0
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 22442301, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 10, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 364561, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: http, packet 46295541, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ils, packet 335408, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: pptp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: icmp, packet 224298, lock fail 0, drop 223, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 32654, lock fail 0, drop 346, reset-drop 0, v6-fail-close 0
      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
    Class-map: ftp-class
      Inspect: ftp, packet 1607151, lock fail 0, drop 0, reset-drop 4, v6-fail-close 0

Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class
      IPS: card status Up, license status Enabled, mode inline fail-open
        packet input 145198494, packet output 145198587, drop 0, reset-drop 0

Interface inside:
  Service-policy: policy-conn-param-inside
    Class-map: class-conn-param-tcp-01
      Set connection policy: per-client-max 1000 per-client-embryonic-max 2000
        current conns 0, drop 0

The class-map at the end of the global policy was added yesterday in an attempt to fix the problem:

class-map ftp-class
 match access-list ftp-list

access-list ftp-list; 2 elements; name hash: 0x8e356a0d
access-list ftp-list line 1 extended permit tcp any any eq ftp (hitcnt=27153)
access-list ftp-list line 2 extended permit tcp any any range 4000 4005 (hitcnt=191)

Found the problem. The FTP server was sending the external NAT address, not its own address, in the passive response. The previous firewalls didn't care, but the newer software apparently does. Once the server was changed to send its own IP (an RFC 1918 address) in the response, clients were able to use passive.
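To show why the 227 reply in the original post was dropped, here is an added example (not code from the thread or from Cisco) that parses an RFC 959 passive-mode reply and applies the same address check the ASA log lines reflect: the address the server advertises must match the address the control connection really came from. The sample replies, the server and client addresses, and the log format are constructed from the values in the thread; the ASA's real inspector is not being reproduced, only its visible behaviour.

```python
import re
from ipaddress import ip_address

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_pasv(reply: str, server_ip: str, client_ip: str, iface: str) -> tuple[bool, str]:
    """Mimic the address check 'inspect ftp' applies to a PASV reply (assumed model).

    The data-channel address the server advertises must equal the address the
    control connection actually came from. A mismatch is what the original
    post's %ASA-4-406002 line reports, followed by the inspector reset.
    Returns (allowed, log_line).
    """
    adv_ip, adv_port = parse_pasv(reply)
    if ip_address(adv_ip) != ip_address(server_ip):
        # Same shape as the thread's log line: real(advertised) to client on interface
        return False, (f"%ASA-4-406002: FTP port command different address: "
                       f"{server_ip}({adv_ip}) to {client_ip} on interface {iface}")
    return True, f"PASV ok: data channel {adv_ip}:{adv_port} for client {client_ip}"


# Constructed samples: the first is the reply the thread's server sent (its public
# NAT address), the second is the corrected reply carrying its own RFC 1918 address.
BROKEN_REPLY = "227 Entering Passive Mode (198,204,112,183,15,164)"
FIXED_REPLY = "227 Entering Passive Mode (172,21,10,8,15,164)"

if __name__ == "__main__":
    for r in (BROKEN_REPLY, FIXED_REPLY):
        ok, line = inspect_pasv(r, server_ip="172.21.10.8", client_ip="68.183.62.10", iface="dmz1")
        print("ALLOW" if ok else "DROP ", line)
```

Note that port 15,164 decodes to 4004, inside the 4000-4005 range the outside ACL and ftp-list already permit, which is why the ACLs were never the problem. On a real ASA the inspector also rewrites the embedded address when NAT applies, so the server only needs to advertise its own pre-NAT address.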

@Stephen Carville wrote:

Found the problem. The FTP server was sending the external NAT address, not its own address, in the passive response. The previous firewalls didn't care, but the newer software apparently does. Once the server was changed to send its own IP (an RFC 1918 address) in the response, clients were able to use passive.


Thank you Stephen, what you described was exactly my problem too. I was moving to an ASA5515 from an old Juniper and the FTP software had the same issue. I removed the public IP from the passive FTP settings in the software and all worked again.
