Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
851
Views
0
Helpful
2
Replies

ASA and double PAT

david.tran
Level 4
Level 4

‎11-25-2012 12:55 PM - edited ‎03-11-2019 05:27 PM

I have a network 192.168.1.0/24 sitting behind ASA 5505 running version 8.2(1) with this configuration:

interface inside 192.168.1.254/24

interface outside 192.168.2.1/24

nat (inside) 1 192.168.1.0 255.255.255.0

global(outside) 1 interface

fixup protocol ftp 21

The ASA 5505 has an outside IP address of 192.168.2.1/24.  The ASA 5505 is sitting behind a ASA5510 running

version 8.2(1).  The ASA 5510 has the follow configuration:

interface inside 192.168.2.254/24

interface outside 1.1.1.1/30

nat (inside) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

fixup protocol ftp 21

I have a linux hostA 192.168.1.10/24 and linux hostB 192.168.2.10/24 and linux hostC 4.2.2.2 on the Internet.

HostB can connect to hostC with FTP and can download/upload file in both Active/Passive mode without any issues.

HostA can connect to hostC but afer the three-way TCP handshake, I immediately see a RST connection from the

client hostA.  The weird thing is that it only impacts FTP and nothing else.  http, https and ssh from hostA to

hostC work without any issues.

To remove any doubts that hostA is the issue, I moved hostA to network 192.168.2.0/24 and give

it an ip address of .20.  With that, hostA can connect to hostC without any issues via FTP in both Active/Passive

mode.

Now when I moved hostA back to 192.168.1.0/24 network, I put in the following configuration on the ASA5005:

no fixup protocol ftp 21

access-list outside permit ip any any log

access-group outside interface outside in

Basically, after I did that (basically turning the ASA into a router, sort of), hostA can connect to hostC via FTP

without any issues. Go figure.

My quesiton is this:  Is this a limitation of Cisco ASA PAT for FTP when you have a client sitting behind two ASA

firewalls doing PAT?  In other words, when you have a client sitting behind two Cisco ASA firewalls and they both

do PAT for that client,  will that break FTP connection with "ftp inspect" enable on both of them?  From my test,

it looks that way, but I am not sure.  I don't work with Cisco ASA on a daily basis so I would appreciate help from

those who do.

Thanks,

Labels:
0 Helpful
2 Replies 2

Peter Koltl
Level 7
Level 7

‎11-25-2012 01:56 PM

Interesting, as I can't figure out any theoretical objections against the cascaded fixup with either active or passive FTP.  I'd like to see packet captures on hostA andan hostC with either FTP mode. Is no port information sent on FTP control channel?

I hope hostC is not behind a NAT'ing firewall.

0 Helpful

david.tran
Level 4
Level 4
In response to Peter Koltl

‎11-25-2012 02:48 PM

hostC is behind a Checkpoint firewall but it is NOT being NAT'ed, just routed through.

Interestingly, if I replace the ASA5505 with a Checkpoint NGx R71.45 firewall, hostA can connect to hostC via FTP without any issues across the ASA 5510 firewalls.  It is confirmed that having cascade fix-up (i.e. MPF) on both ASA cause this issue. 

I guess when I have time, I will look into this further and open a tac case.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card