05-06-2013 12:47 AM - edited 03-11-2019 06:39 PM
We have one Cisco ASA5515 firewall, I configured ftp mode to passive, inspect ftp in service, use anoother public to do NAT with ftp server, and also configued ACL in outside interface, but I failed to access the ftp server from internet use that public ip address, no problem to acces the ftp server use its inside address in LAN.
Anyone can help on this is appreciated!
Solved! Go to Solution.
05-06-2013 03:36 AM
Hi,
Only thing I can see is that you are not issuing the command under the "object network FTP"
Use the complete configuration
object network FTP
host
nat (LAN,Outside) static interface service 21 21
You will first have to go under the "object network FTP" and then configure the "host
- Jouni
05-06-2013 01:13 AM
Hi,
Without seeing the configurations we can't say much about the problem.
Usually configuring NAT, ACL and Inspect FTP is enough to get FTP connections working. If you are talking about the FTP Passive setting on the ASA then that does not have anything to do with the FTP connections through the ASA. That setting affects FTP connections of ASA itself.
Can you please share configurations.
You can also check what the ASA would do to the FTP connections with "packet-tracer" command
packet-tracer input outside tcp 1.2.3.4 12345
Where
Take the output of this command and we can see what would happen to a FTP connection towards your server.
- Jouni
05-06-2013 02:59 AM
Thanks!
I did packet tracer in asdm, all is green.
here is configuration file:
ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password qZTcCWWJxxdsdsxcxcxxr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd qZTcxxcxcxcxxdcxJglvMyNxr encrypted
names
ip local pool VPNAddressPool 10.115.135.100-10.115.135.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
description Outside Internet
nameif Outside
security-level 0
ip address xxx.xx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description MPLS Circuit
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
description Inside LAN
nameif LAN
security-level 100
ip address 172.28.144.11 255.255.255.0
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Outside
dns server-group DefaultDNS
name-server xxx.xxx.xx.xxx
name-server xxx.xxx.xx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPNNetwork
subnet 10.115.135.0 255.255.255.0
object network 172.28.144.11
host 172.28.144.11
object network NETWORK_OBJ_10.115.135.0_24
subnet 10.115.135.0 255.255.255.0
object network NETWORK_OBJ_172.28.144.0_24
subnet 172.28.144.0 255.255.255.0
object network NETWORK_OBJ_10.100.1.0_30
subnet 10.100.1.0 255.255.255.252
object network NETWORK_OBJ_172.28.76.0_24
subnet 172.28.76.0 255.255.255.0
object network FTP_Outside
host xxx.xx.xxx.xxx
object network FTP_Inside
host 172.28.144.6
object network NAT_FTP
host xxx.xx.xxx.xxx
description FTP
object network FTP-Data
host xxx.xx.xxx.xxx
description FTP-Data
access-list NMA_VPNSplitTunnelAcl extended permit ip object VPNNetwork 172.28.144.0 255.255.255.0
access-list NMA_VPNSplitTunnelAcl extended permit ip 172.28.144.0 255.255.255.0 object VPNNetwork
access-list Outside_access_in extended permit tcp any any eq ssh
access-list Outside_access_in extended permit ip any object NETWORK_OBJ_172.28.144.0_24
access-list NMA_splitTunnelAcl standard permit 172.28.144.0 255.255.255.0
access-list LAN_access_in extended permit ip any any
access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp
access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu LAN 1500
mtu MPLS 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Outside,LAN) source static VPNNetwork VPNNetwork destination static NETWORK_OBJ_172.28.144.0_24
NETWORK_OBJ_172.28.144.0_24 no-proxy-arp route-lookup
nat (LAN,Outside) source dynamic any interface
!
object network NAT_FTP
nat (Outside,LAN) static FTP_Inside service tcp ftp ftp
object network FTP-Data
nat (Outside,LAN) static FTP_Inside service tcp ftp-data ftp-data
access-group LAN_access_in in interface LAN
access-group acl_out in interface Outside
route Outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.28.144.0 255.255.255.0 LAN
http 172.28.144.6 255.255.255.255 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 LAN
telnet 172.28.144.0 255.255.255.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1
group-policy NMA internal
group-policy NMA attributes
dns-server value 172.28.144.2 172.28.76.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NMA_VPNSplitTunnelAcl
default-domain value test1.test2.com
vpn-group-policy NMA
service-type remote-access
tunnel-group NMA type remote-access
tunnel-group NMA general-attributes
address-pool VPNAddressPool
authorization-server-group LOCAL
default-group-policy NMA
tunnel-group NMA ipsec-attributes
ikev1 pre-shared-key xxxxcxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global_poliy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:e603c4e7da420d445507ceb5bac213f9
: end
05-06-2013 03:08 AM
Hi,
Do the following changes
Remove the current NAT configurations
no nat (LAN,Outside) source dynamic any interface
no object network NAT_FTP
no object network FTP-Data
Configure the new NAT
object-group network DEFAULT-PAT-SOURCE
network-object 172.28.144.0 255.255.255.0
nat (LAN,Outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
object network FTP
host
nat (LAN,Outside) static interface service 21 21
access-list acl_out extended permit tcp any object FTP eq ftp
Remove the OLD ACL rules
no access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp
no access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp-data
The reason why I ask you to do this is that,
The original NAT configurations for the FTP are done in the wrong way. You have the interface names the wrong way. They should be (LAN,Outside) not (Outside,LAN)
Even if you corrected this, the other NAT rule would still override the FTP NAT rules so that would have to changed too.
So better to remove the current NAT configuration and redo them in the above mentioned way. After that the ASA configurations should be fine and the connection should work.
- Jouni
05-06-2013 03:19 AM
seems this command has problem:
nat (LAN,Outside) static interface service 21 21
05-06-2013 03:21 AM
Ah sorry, my mistake
It should be
nat (LAN,Outside) static interface service tcp 21 21
Was missing the "tcp", otherwise the configurations should be correct
- Jouni
05-06-2013 03:32 AM
Sorry, this command still has problem:
ciscoasa(config)# nat (LAN,Outside) static interface service tcp 21 21
^
ERROR: % Invalid input detected at '^' marker.
05-06-2013 03:36 AM
Hi,
Only thing I can see is that you are not issuing the command under the "object network FTP"
Use the complete configuration
object network FTP
host
nat (LAN,Outside) static interface service 21 21
You will first have to go under the "object network FTP" and then configure the "host
- Jouni
05-06-2013 03:49 AM
It works, thank you very much, Jouni!
05-06-2013 03:50 AM
No problem
Good that we got it working.
- Jouni
09-20-2013 06:12 AM
Hi Guys,
active FTP will work.
passive FTP does not work with 9.1.1. i was able to do passive ftp via asa with 9.1.1 only after i have removed ftp inspection.
asa was droping ftp packet from internal server when this one was sending responce to ftp passive request from Client,
very starbge. i will look for a bug here
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: