Cisco ASA 5512-x FTP : 425 no data connection

madismannik
Level 1

Hello,

I am looking for help regarding an FTP connection to an external FTP server. The client computer is located behind a Cisco firewall and the FTP server resides at the ISP. So the problem is connecting from our internal network to the external network's FTP server. I can open an FTP connection to the server, but whenever I try to transfer data I get a 425 error. Probably another stupid mistake, but I cannot identify the problem correctly. I am using a service-policy which is inspecting the FTP protocol. My guess is that this is related to NAT. I have debugged and looked at the TCP translation, and this one is made from my (client) computer to the external FTP server.

Attached configuration file.

X.X.X.X refers to our public IP.

TCP translations regarding FTP connection :

%ASA-6-302303: Built TCP state-bypass connection 50120 from Outside:194.126.124.166/21 (194.126.124.166/21) to Inside:192.168.0.94/14327 (X.X.X.X /14327)


Maykol Rojas
Cisco Employee

Hi!

Well, your problem is right there. Since there is a TCP state-bypass connection being built for this, that means that the inspection is not going to work (if active FTP is being used).

Is there a specific reason why you have this turned on? Have you tried a PASV FTP connection?

Mike


Mike

try this command.

no fixup protocol ftp 21

This is an ancient PIX command that still works on my ASA 5520. This command un-inspects the FTP traffic and would enable the DATA to pass through the ASA. Remember that FTP is the only protocol that does not use the OSI model to transfer (due to the lack of programming skills of the coder of the FTP protocol).

Then you have 2 TCP ports (TCP 20 for data, TCP 21 for control) and you might be using one of the 2 formats of communicating with the server (ACTIVE or PASSIVE).

If you are using Passive (PASV command), then it requires creating a dynamic port to receive the traffic coming from outside, and if you have enabled the inspect for the protocol, you could find some trouble getting this done.

So try this and tell us how it goes.

Best regards, have a great day, and please rate if you find this post useful.

You do not EVER remove the FTP inspection if you are going through NAT and an ASA firewall.

Depending on the scenario (in this case the client inside the firewall), Active FTP will never EVER work. You will need to have a static translation for every client and to allow traffic statically to those clients on the inside network.

You ask about disabling the FTP inspection? If you take a look at the log, a TCP state-bypass session is created. It means that all inspections are being bypassed at this point, including the FTP one.

Check why the bypass is configured and exclude the FTP traffic so the FTP inspection engine can work; I assure you that is the problem.

Mike

Mike

Unfortunately we have to use TCP bypass because of our different outlets, which are connected using VPN by our ISP.

Anyway, I tried making NAT rules:

nat (Outside,Inside) source static la02.neti.ee interface destination static MyCompany MyCompany service FTPActive2 FTPActive2

nat (Outside,Inside) source static la02.neti.ee interface destination static MyCompany MyCompany service FTPActive FTPActive

FTPActive - Sport 20 - Dport any

FTPActive - Sport 21 - Dport any

First I used Windows Explorer to connect to the FTP server. I can connect and transfer files, but the problem is related to the Windows command-line utility, which cannot establish a data connection. I can connect and log in to the FTP server but am unable to transfer files, list directories, etc.

"no fixup protocol" did not have any effect at all.

Thank you for help so far.

Hi,

Well, you need to take the FTP traffic out of your bypass list. Do the following:

access-list Internal line 1 deny tcp host 192.168.0.94 host 194.126.124.166

Make sure that the inspection is there and try the connection again from 192.168.0.94.

If it works, you may need to do this for the rest of the subnets when going only to that destination.

To be honest, given the fact that you have everything with TCP state bypass, I would have used a router rather than the ASA, because you are killing its best features by putting in the bypass.

Mike
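As an added worked example (not configuration from anyone in this thread), here is the fix Maykol describes in his two replies above, assembled into one ASA fragment: the FTP control traffic to the ISP server is carved out of the bypass ACL so it falls through to the normal stateful path, and FTP inspection is confirmed to be present so the PORT/PASV exchange is tracked through NAT. The ACL name `Internal`, the server 194.126.124.166, the client 192.168.0.94 and the public IP X.X.X.X come from the thread; the class-map and policy-map names, the 192.168.0.0/24 inside subnet, and the assumption that the bypass class is applied on the Inside interface are mine.

```cisco
! Added example, not the poster's actual configuration.
! Assumed: the TCP state-bypass class on the Inside interface matches ACL "Internal",
! and the inside subnet is 192.168.0.0/24 (only 192.168.0.94 is confirmed in the thread).

! 1. Carve the FTP control traffic to the ISP server out of the bypass ACL.
!    A "deny" in an ACL referenced by a class-map means "does not match this class", so
!    these connections are not bypassed and the normal inspection path handles them.
!    Insert as line 1 so it is evaluated before the broad permit that feeds the bypass.
access-list Internal line 1 deny tcp 192.168.0.0 255.255.255.0 host 194.126.124.166 eq ftp
access-list Internal extended permit ip 192.168.0.0 255.255.255.0 any

! 2. The bypass policy itself, unchanged: whatever still matches ACL "Internal" is bypassed.
class-map BYPASS-CLASS
 match access-list Internal
policy-map INSIDE-POLICY
 class BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
service-policy INSIDE-POLICY interface Inside

! 3. Make sure FTP inspection is really in the global policy. This is what rewrites the
!    client's private address in the PORT command to X.X.X.X and opens the pinhole for the
!    server's inbound data connection (active mode), and what tracks the port announced in
!    the server's 227 reply (passive mode). "no fixup protocol ftp 21" removes exactly this
!    "inspect ftp" line, which is why it must not be used here.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! 4. Verify. The control connection should now be logged as
!    "%ASA-6-302013: Built outbound TCP connection" instead of
!    "%ASA-6-302303: Built TCP state-bypass connection", and the ftp inspect counters
!    should increment when a directory listing is requested.
! packet-tracer input Inside tcp 192.168.0.94 14327 194.126.124.166 21
! show service-policy inspect ftp
! show conn address 194.126.124.166
! show access-list Internal
```

The deny is deliberately limited to TCP port 21 towards the one server: the data connection never needs to match the bypass ACL, because the inspection engine creates it from the PORT or 227 exchange it sees on the control channel. If the VPN outlets must keep bypass for everything else, repeat the deny for each inside subnet (or use an object-group for them) rather than widening it, so the bypass still covers the asymmetric VPN paths the poster says require it.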

Mike

Hi,


This did not make any difference as far as I can see. Any more things to try?

Thanks!

chetansharma2
Level 1

Hi,

I think if you are using Active FTP, then you need to open port 20 access from Outside to the inside network.

FTP inspection is required in the case of Passive FTP, for opening dynamic ports automatically.
