cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


575
Views
0
Helpful
2
Replies
Enthusiast

ASA and double PAT

I have a network 192.168.1.0/24 sitting behind ASA 5505 running version 8.2(1) with this configuration:

interface inside 192.168.1.254/24

interface outside 192.168.2.1/24

nat (inside) 1 192.168.1.0 255.255.255.0

global(outside) 1 interface

fixup protocol ftp 21

The ASA 5505 has an outside IP address of 192.168.2.1/24.  The ASA 5505 is sitting behind a ASA5510 running

version 8.2(1).  The ASA 5510 has the follow configuration:

interface inside 192.168.2.254/24

interface outside 1.1.1.1/30

nat (inside) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

fixup protocol ftp 21

I have a linux hostA 192.168.1.10/24 and linux hostB 192.168.2.10/24 and linux hostC 4.2.2.2 on the Internet.

HostB can connect to hostC with FTP and can download/upload file in both Active/Passive mode without any issues.

HostA can connect to hostC but afer the three-way TCP handshake, I immediately see a RST connection from the

client hostA.  The weird thing is that it only impacts FTP and nothing else.  http, https and ssh from hostA to

hostC work without any issues.

To remove any doubts that hostA is the issue, I moved hostA to network 192.168.2.0/24 and give

it an ip address of .20.  With that, hostA can connect to hostC without any issues via FTP in both Active/Passive

mode.

Now when I moved hostA back to 192.168.1.0/24 network, I put in the following configuration on the ASA5005:

no fixup protocol ftp 21

access-list outside permit ip any any log

access-group outside interface outside in

Basically, after I did that (basically turning the ASA into a router, sort of), hostA can connect to hostC via FTP

without any issues. Go figure.

My quesiton is this:  Is this a limitation of Cisco ASA PAT for FTP when you have a client sitting behind two ASA

firewalls doing PAT?  In other words, when you have a client sitting behind two Cisco ASA firewalls and they both

do PAT for that client,  will that break FTP connection with "ftp inspect" enable on both of them?  From my test,

it looks that way, but I am not sure.  I don't work with Cisco ASA on a daily basis so I would appreciate help from

those who do.

Thanks,

Everyone's tags (3)
2 REPLIES 2
Highlighted
Contributor

ASA and double PAT

Interesting, as I can't figure out any theoretical objections against the cascaded fixup with either active or passive FTP.  I'd like to see packet captures on hostA andan hostC with either FTP mode. Is no port information sent on FTP control channel?

I hope hostC is not behind a NAT'ing firewall.

Enthusiast

ASA and double PAT

hostC is behind a Checkpoint firewall but it is NOT being NAT'ed, just routed through.

Interestingly, if I replace the ASA5505 with a Checkpoint NGx R71.45 firewall, hostA can connect to hostC via FTP without any issues across the ASA 5510 firewalls.  It is confirmed that having cascade fix-up (i.e. MPF) on both ASA cause this issue. 

I guess when I have time, I will look into this further and open a tac case.