cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9043
Views
0
Helpful
10
Replies

Configure ASA 5515 to allow FTP server behind it.

zhentian1979
Level 1
Level 1

                   We have one Cisco ASA5515 firewall, I configured ftp mode to passive, inspect ftp in service, use anoother public to do NAT with ftp server, and also configued ACL in outside interface, but I failed to access the ftp server from internet use that public ip address, no problem to acces the ftp server use its inside address in LAN.

Anyone can help on this is appreciated!

1 Accepted Solution

Accepted Solutions

Hi,

Only thing I can see is that you are not issuing the command under the "object network FTP"

Use the complete configuration

object network FTP

host

nat (LAN,Outside) static interface service 21 21

You will first have to go under the "object network FTP" and then configure the "host " if you havent already and then insert the "nat (LAN,Outside) static interface service tcp 21 21"

- Jouni

View solution in original post

10 Replies 10

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Without seeing the configurations we can't say much about the problem.

Usually configuring NAT, ACL and Inspect FTP is enough to get FTP connections working. If you are talking about the FTP Passive setting on the ASA then that does not have anything to do with the FTP connections through the ASA. That setting affects FTP connections of ASA itself.

Can you please share configurations.

You can also check what the ASA would do to the FTP connections with "packet-tracer" command

packet-tracer input outside tcp 1.2.3.4 12345 21

Where

  • outside = Is the name of the Internet facing interface of the ASA
  • 1.2.3.4 = Is a random public IP address for test purposes
  • 12345 = Is a random source port for the test
  • NAT IP = Is the public IP address you use for the FTP server

Take the output of this command and we can see what would happen to a FTP connection towards your server.

- Jouni

Thanks!

I did packet tracer in asdm, all is green.

here is configuration file:

ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password qZTcCWWJxxdsdsxcxcxxr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd qZTcxxcxcxcxxdcxJglvMyNxr encrypted
names
ip local pool VPNAddressPool 10.115.135.100-10.115.135.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
description Outside Internet
nameif Outside
security-level 0
ip address xxx.xx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet0/1
shutdown    
no nameif   
no security-level
no ip address
!            
interface GigabitEthernet0/2
description MPLS Circuit
shutdown    
no nameif
no security-level
no ip address
!            
interface GigabitEthernet0/3
shutdown    
no nameif   
no security-level
no ip address
!            
interface GigabitEthernet0/4
description Inside LAN
nameif LAN  
security-level 100
ip address 172.28.144.11 255.255.255.0
!            
interface GigabitEthernet0/5
shutdown    
no nameif   
no security-level
no ip address
!            
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!            
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Outside
dns server-group DefaultDNS
name-server xxx.xxx.xx.xxx
name-server xxx.xxx.xx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPNNetwork
subnet 10.115.135.0 255.255.255.0
object network 172.28.144.11
host 172.28.144.11
object network NETWORK_OBJ_10.115.135.0_24
subnet 10.115.135.0 255.255.255.0
object network NETWORK_OBJ_172.28.144.0_24
subnet 172.28.144.0 255.255.255.0
object network NETWORK_OBJ_10.100.1.0_30
subnet 10.100.1.0 255.255.255.252
object network NETWORK_OBJ_172.28.76.0_24
subnet 172.28.76.0 255.255.255.0
object network FTP_Outside
host xxx.xx.xxx.xxx
object network FTP_Inside
host 172.28.144.6
object network NAT_FTP
host xxx.xx.xxx.xxx
description FTP
object network FTP-Data
host xxx.xx.xxx.xxx
description FTP-Data
access-list NMA_VPNSplitTunnelAcl extended permit ip object VPNNetwork 172.28.144.0 255.255.255.0
access-list NMA_VPNSplitTunnelAcl extended permit ip 172.28.144.0 255.255.255.0 object VPNNetwork
access-list Outside_access_in extended permit tcp any any eq ssh
access-list Outside_access_in extended permit ip any object NETWORK_OBJ_172.28.144.0_24
access-list NMA_splitTunnelAcl standard permit 172.28.144.0 255.255.255.0
access-list LAN_access_in extended permit ip any any
access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp
access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu LAN 1500 
mtu MPLS 1500
mtu Outside 1500 
no failover  
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Outside,LAN) source static VPNNetwork VPNNetwork destination static NETWORK_OBJ_172.28.144.0_24

NETWORK_OBJ_172.28.144.0_24 no-proxy-arp route-lookup
nat (LAN,Outside) source dynamic any interface
!            
object network NAT_FTP
nat (Outside,LAN) static FTP_Inside service tcp ftp ftp
object network FTP-Data
nat (Outside,LAN) static FTP_Inside service tcp ftp-data ftp-data
access-group LAN_access_in in interface LAN
access-group acl_out in interface Outside
route Outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.28.144.0 255.255.255.0 LAN
http 172.28.144.6 255.255.255.255 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA

crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha    
group 2     
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha    
group 2     
lifetime 86400
telnet 0.0.0.0 0.0.0.0 LAN
telnet 172.28.144.0 255.255.255.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!            
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1
group-policy NMA internal
group-policy NMA attributes
dns-server value 172.28.144.2 172.28.76.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NMA_VPNSplitTunnelAcl
default-domain value test1.test2.com

vpn-group-policy NMA
service-type remote-access

tunnel-group NMA type remote-access
tunnel-group NMA general-attributes
address-pool VPNAddressPool
authorization-server-group LOCAL
default-group-policy NMA
tunnel-group NMA ipsec-attributes
ikev1 pre-shared-key xxxxcxxxx
!            
class-map inspection_default
match default-inspection-traffic
!            
!            
policy-map type inspect dns preset_dns_map
parameters  
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map global_poliy
class inspection_default
  inspect icmp
!            
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:e603c4e7da420d445507ceb5bac213f9
: end

Hi,

Do the following changes

Remove the current NAT configurations

no nat (LAN,Outside) source dynamic any interface         

no object network NAT_FTP

no object network FTP-Data

Configure the new NAT

object-group network DEFAULT-PAT-SOURCE

network-object 172.28.144.0 255.255.255.0

nat (LAN,Outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

object network FTP

host

nat (LAN,Outside) static interface service 21 21

access-list acl_out extended permit tcp any object FTP eq ftp

Remove the OLD ACL rules

no access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp

no access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp-data

The reason why I ask you to do this is that,

The original NAT configurations for the FTP are done in the wrong way. You have the interface names the wrong way. They should be (LAN,Outside) not (Outside,LAN)

Even if you corrected this, the other NAT rule would still override the FTP NAT rules so that would have to changed too.

So better to remove the current NAT configuration and redo them in the above mentioned way. After that the ASA configurations should be fine and the connection should work.

- Jouni

seems this command has problem:

nat (LAN,Outside) static interface service 21 21

Ah sorry, my mistake

It should be

nat (LAN,Outside) static interface service tcp 21 21

Was missing the "tcp", otherwise the configurations should be correct

- Jouni

Sorry, this command still has problem:

ciscoasa(config)# nat (LAN,Outside) static interface service tcp 21 21

                                                      ^

ERROR: % Invalid input detected at '^' marker.

Hi,

Only thing I can see is that you are not issuing the command under the "object network FTP"

Use the complete configuration

object network FTP

host

nat (LAN,Outside) static interface service 21 21

You will first have to go under the "object network FTP" and then configure the "host " if you havent already and then insert the "nat (LAN,Outside) static interface service tcp 21 21"

- Jouni

It works, thank you very much, Jouni!

No problem

Good that we got it working.

- Jouni

Hi Guys,

active FTP will work.

passive FTP does not work with 9.1.1. i was able to do passive ftp via asa with 9.1.1 only after i have removed ftp inspection.

asa was droping ftp packet from internal server when this one was sending responce to ftp passive request from Client,

very starbge. i will look for a bug here

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: