I have a network 192.168.1.0/24 sitting behind ASA 5505 running version 8.2(1) with this configuration:
interface inside 192.168.1.254/24
interface outside 192.168.2.1/24
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
fixup protocol ftp 21
The ASA 5505 has an outside IP address of 192.168.2.1/24. The ASA 5505 is sitting behind an ASA 5510 running
version 8.2(1). The ASA 5510 has the following configuration:
interface inside 192.168.2.254/24
interface outside 22.214.171.124/30
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
fixup protocol ftp 21
I have a Linux hostA 192.168.1.10/24 and Linux hostB 192.168.2.10/24 and Linux hostC 126.96.36.199 on the Internet.
HostB can connect to hostC with FTP and can download/upload files in both Active/Passive mode without any issues.
HostA can connect to hostC, but after the three-way TCP handshake I immediately see an RST from the
client hostA. The weird thing is that it only impacts FTP and nothing else. HTTP, HTTPS and SSH from hostA to
hostC work without any issues.
To remove any doubts that hostA is the issue, I moved hostA to network 192.168.2.0/24 and gave
it an IP address of .20. With that, hostA can connect to hostC without any issues via FTP in both Active/Passive modes.
Now, when I moved hostA back to the 192.168.1.0/24 network, I put in the following configuration on the ASA 5505:
no fixup protocol ftp 21
access-list outside permit ip any any log
access-group outside in interface outside
Basically, after I did that (basically turning the ASA into a router, sort of), hostA can connect to hostC via FTP
without any issues. Go figure.
My question is this: Is this a limitation of Cisco ASA PAT for FTP when you have a client sitting behind two ASA
firewalls doing PAT? In other words, when you have a client sitting behind two Cisco ASA firewalls and they both
do PAT for that client, will that break the FTP connection with "ftp inspect" enabled on both of them? From my test,
it looks that way, but I am not sure. I don't work with Cisco ASA on a daily basis, so I would appreciate help from
those who do.
Interesting, as I can't figure out any theoretical objections against the cascaded fixup with either active or passive FTP. I'd like to see packet captures on hostA and hostC with either FTP mode. Is no port information sent on the FTP control channel?
I hope hostC is not behind a NAT'ing firewall.
hostC is behind a Checkpoint firewall but it is NOT being NAT'ed, just routed through.
Interestingly, if I replace the ASA 5505 with a Checkpoint NGX R71.45 firewall, hostA can connect to hostC via FTP without any issues across the ASA 5510 firewall. It is confirmed that having cascaded fix-up (i.e. MPF) on both ASAs causes this issue.
I guess when I have time, I will look into this further and open a TAC case.
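To make concrete what the FTP fixup has to do at each PAT hop in the topology above, here is an added example (not from the poster or from Cisco) that models an FTP ALG rewriting a client's active-mode PORT command first at the 5505 and then at the 5510, applying the check a strict inspection makes (the advertised address must equal the control connection's source as seen by that hop) and tracking the payload length change each hop must compensate in TCP sequence numbers. The addresses are the ones in the question; the hop names and the PAT port allocator are constructed.

```python
from __future__ import annotations
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(cmd: str) -> tuple[str, int]:
    """Decode an RFC 959 PORT command into (ip, port)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the comma-separated PORT form."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"

class PatHop:
    """A PAT device with FTP inspection: rewrites the embedded address to its
    outside interface and a freshly allocated port (constructed allocator)."""

    def __init__(self, name: str, outside_ip: str, first_port: int = 1024):
        self.name, self.outside_ip, self.next_port = name, outside_ip, first_port

    def inspect(self, cmd: str, src_ip: str) -> tuple[str, int]:
        ip, _ = parse_port(cmd)
        # Strict-style check: the advertised address must be the control
        # connection's source address as seen on this hop's inside interface.
        if ip != src_ip:
            raise ValueError(f"{self.name}: PORT address {ip} != source {src_ip}")
        new_cmd = format_port(self.outside_ip, self.next_port)
        self.next_port += 1
        # Payload length change this hop must compensate in TCP sequence numbers.
        return new_cmd, len(new_cmd) - len(cmd)

def cascade(cmd: str, client_ip: str, hops: list[PatHop]) -> tuple[str, int, list[str]]:
    """Push one PORT command through each hop in order; return the command the
    server finally receives, the cumulative length delta and a per-hop trail."""
    src, total, trail = client_ip, 0, []
    for hop in hops:
        cmd, delta = hop.inspect(cmd, src)
        src = hop.outside_ip          # the next hop sees this hop's outside address
        total += delta
        trail.append(f"{hop.name}: {cmd.strip()} (delta {delta:+d})")
    return cmd, total, trail

if __name__ == "__main__":
    hops = [PatHop("ASA5505", "192.168.2.1"), PatHop("ASA5510", "22.214.171.124")]
    out, total, trail = cascade(format_port("192.168.1.10", 1025), "192.168.1.10", hops)
    print("\n".join(trail), f"\ncumulative seq delta: {total:+d}")
```

Each hop changes the PORT string length (here -1 then +3 bytes), so both ALGs must keep their own sequence-number adjustment state for the control connection; a packet capture on both sides of the 5505 showing whether the rewritten PORT text and TCP sequence numbers stay consistent is what would confirm or rule out the fixup as the source of the RST.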