
FTP Port ERROR Forwarding in Cisco ASA 8.2(5), Very Interesting.

cabelen2004
Level 1

Hi,

I have the following configuration on a Cisco ASA 8.2(5). All the traffic to port 5000 goes to an IP camera, and www 80 is forwarded through static NAT to a web server without problem. I have the same configuration for a Windows FTP server and a Linux FTP server, and it doesn't forward to an internal IP address. Attached is the configuration; I would like to know what is causing the problems.

The FTP servers are running locally without any problems, but when I try to reach them from the outside interface I can't. This is the only port I can't forward.

I really appreciate your help.

Thanks

ASA Version 8.2(5)
!
hostname ciscoasa
enable password dAWCvYvyr2FRISo5 encrypted
passwd dAWCvYvyr2FRISo5 encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.4.4
 name-server 8.8.8.8
 name-server 196.3.81.132
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TEST2 tcp
 port-object eq www
 port-object eq https
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit icmp any interface outside echo-reply
access-list 101 extended permit udp any any eq 5000
access-list 101 extended permit udp any any eq ntp
access-list 101 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
access-list 102 extended permit icmp any interface outside echo-reply
access-list 102 extended permit icmp any interface outside
access-list 102 extended permit ip any host 192.168.1.5
access-list 102 extended permit tcp any host 192.168.1.5 eq 5000
access-list 102 extended permit tcp any interface outside eq 5000
access-list 102 extended permit tcp any host 192.168.1.5 eq https
access-list 102 extended permit tcp any any eq 5000
access-list 102 extended permit ip any host 192.168.1.8
access-list 102 extended permit tcp any any eq telnet
access-list 102 extended permit tcp any interface outside object-group TEST2
access-list 102 extended permit ip any 192.168.1.0 255.255.255.0
access-list 102 extended permit tcp any interface outside eq www
access-list 102 extended permit tcp any interface outside eq ftp
access-list 102 extended permit tcp any interface outside eq ftp-data
access-list 102 extended permit tcp any any eq ftp
access-list 103 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5000 192.168.1.5 5000 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.15 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.15 ftp-data netmask 255.255.255.255
access-group 102 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.41 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cabelen password tJPt4MkXkeex6ITZ encrypted
!
class-map ftp-class
 match access-list 102
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3465bc9d04198e9df80787c0c039db27
: end
ciscoasa#

4 Replies

Kureli Sankar
Cisco Employee

This should work. Which FTP is failing, passive? What do you see in the logs when it fails? Does the control channel break or the data channel?

conf t
logging on
logging buffered 7
exit
sh logg | i x.x.x.x   (where x.x.x.x is the IP address of the FTP client on the internet)

BTW, these ACLs can be removed. They refer to the real IP addresses, and in the 8.2.x code that is incorrect.

access-list 102 extended permit ip any host 192.168.1.5
access-list 102 extended permit tcp any host 192.168.1.5 eq 5000
access-list 102 extended permit tcp any host 192.168.1.5 eq https
access-list 102 extended permit ip any host 192.168.1.5
access-list 102 extended permit ip any 192.168.1.0 255.255.255.0
access-list 103 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp

-Kureli

https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts

Upcoming Live Webcast in English: January 15, 2013
Troubleshooting ASA and Firewall Service Modules

Register today for this Cisco Support Community live webcast.
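The point Kureli makes, that on 8.2(5) an ACL applied inbound on the outside interface is evaluated against the mapped (post-NAT) address, so entries naming the real 192.168.1.x hosts never match, can be checked mechanically. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the static PAT and access-list lines into a small model (SAMPLE_CONFIG is a constructed excerpt of the posted config), confirms that every static has a matching permit on the outside interface address, and lists the entries whose destination is a real inside address. The 8.3+ caveat in the comments is the editor's: after the NAT rewrite in 8.3, ACLs match real addresses, so those same "permit ip any 192.168.1.0/24" style lines would then permit any traffic straight to the whole inside subnet rather than being dead entries.

```python
import ipaddress

# Constructed excerpt modelled on the 8.2(5) running-config in the post
# (only the static PAT and outside-ACL lines matter for this check).
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 5000 192.168.1.5 5000 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.15 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.15 ftp-data netmask 255.255.255.255
access-list 102 extended permit ip any host 192.168.1.5
access-list 102 extended permit tcp any host 192.168.1.5 eq 5000
access-list 102 extended permit tcp any interface outside eq 5000
access-list 102 extended permit ip any 192.168.1.0 255.255.255.0
access-list 102 extended permit tcp any interface outside eq www
access-list 102 extended permit tcp any interface outside eq ftp
access-list 102 extended permit tcp any interface outside eq ftp-data
access-list 102 extended permit tcp any any eq ftp
access-group 102 in interface outside
"""

# Service keywords the ASA prints in place of port numbers (those used in this config).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "telnet": 23, "tftp": 69}

def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_addr(tok, i):
    """Consume one ASA address spec at tok[i]: any | host A | interface NAME | A MASK."""
    t = tok[i]
    if t == "any":
        return ("any", None), i + 1
    if t == "host":
        return ("net", ipaddress.ip_network(tok[i + 1])), i + 2
    if t == "interface":
        return ("interface", tok[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{t}/{tok[i + 1]}")), i + 2

def parse_config(text):
    """Pull static PAT entries, extended ACL entries and access-group bindings out of a config."""
    statics, entries, applied = [], [], {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static" and tok[3] == "interface":
            # static (real_if,mapped_if) PROTO interface MAPPED_PORT REAL_IP REAL_PORT netmask M
            statics.append({"proto": tok[2], "mapped_port": port_num(tok[4]),
                            "real_ip": tok[5], "real_port": port_num(tok[6])})
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = parse_addr(tok, 5)
            dst, i = parse_addr(tok, i)
            port = port_num(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            entries.append({"name": tok[1], "action": tok[3], "proto": tok[4],
                            "src": src, "dst": dst, "port": port, "line": line})
        elif tok[0] == "access-group":
            applied[tok[4]] = tok[1]          # access-group NAME in interface IFNAME
    return statics, entries, applied

def audit(text, inside_net="192.168.1.0/24", outside_if="outside"):
    inside = ipaddress.ip_network(inside_net)
    statics, entries, applied = parse_config(text)
    inbound = [e for e in entries
               if e["name"] == applied.get(outside_if) and e["action"] == "permit"]

    # Entries whose destination is a real inside address. On 8.2 the ACL on the outside
    # interface is evaluated against the mapped address (the interface IP here), so these
    # never match inbound traffic. Caveat (editor's): on 8.3+ ACLs use real addresses, so
    # after an upgrade the same lines would permit traffic straight to the real hosts.
    real_addr = [e["line"] for e in inbound
                 if e["dst"][0] == "net" and e["dst"][1].subnet_of(inside)]

    # For each static PAT, which entries actually permit its mapped port on the outside IP?
    results = []
    for s in statics:
        covering = [e["line"] for e in inbound
                    if e["proto"] in ("ip", s["proto"])
                    and e["dst"] in (("any", None), ("interface", outside_if))
                    and e["port"] in (None, s["mapped_port"])]
        results.append({"real_ip": s["real_ip"], "mapped_port": s["mapped_port"],
                        "covered_by": covering})
    return {"real_address_entries": real_addr, "statics": results}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for s in report["statics"]:
        print(f"{s['real_ip']}:{s['mapped_port']} permitted by {len(s['covered_by'])} entries")
    for line in report["real_address_entries"]:
        print("never matches on 8.2 (real address):", line)
```

Run against the posted config this reports all four statics (5000, www, ftp, ftp-data) as already permitted on the interface address, which is why the reply says the forwarding "should work", and lists the three real-address entries that Kureli recommends removing.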

These are the results of the log; it did not find the public IP address from which I'm making the FTP connection.

ciscoasa#  sh logg | i 147.197.115.171
ciscoasa#  sh logg
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 88 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 68 messages logged
connection 125407 for outside:111.221.74.28/443 to inside:192.168.1.24/24483 duration 0:02:01 bytes 44
%ASA-7-609002: Teardown local-host outside:111.221.74.28 duration 0:02:01
%ASA-7-710005: UDP request discarded from 192.168.1.24/138 to inside:192.168.1.255/138
%ASA-6-302016: Teardown UDP connection 125402 for outside:177.0.186.239/57036 to inside:192.168.1.24/24483 duration 0:02:02 bytes 220
%ASA-7-609002: Teardown local-host outside:177.0.186.239 duration 0:02:02
%ASA-6-302016: Teardown UDP connection 125408 for outside:89.240.135.18/47096 to inside:192.168.1.24/24483 duration 0:02:01 bytes 44
%ASA-7-609002: Teardown local-host outside:89.240.135.18 duration 0:02:01
%ASA-6-302016: Teardown UDP connection 125409 for outside:111.221.77.145/40037 to inside:192.168.1.24/24483 duration 0:02:01 bytes 486
%ASA-7-609002: Teardown local-host outside:111.221.77.145 duration 0:02:01
%ASA-6-302016: Teardown UDP connection 125410 for outside:64.4.23.148/40014 to inside:192.168.1.24/24483 duration 0:02:01 bytes 178
%ASA-7-609002: Teardown local-host outside:64.4.23.148 duration 0:02:01
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.24/24483 to outside:69.86.151.109/54119 duration 0:03:00
%ide:216.146.39.70/80 to inside:192.168.1.5/3628 duration 0:00:00 bytes 303 TCP FINs
%ASA-7-609002: Teardown local-host outside:216.146.39.70 duration 0:00:00
nable_15' executed the 'configure terminal' command.
%ASA-6-302015: Built inbound UDP connection 125412 for inside:192.168.1.20/68 (192.168.1.20/68) to identity:192.168.1.2/67 (192.168.1.2/67)
%ASA-6-604103: DHCP daemon interface inside:  address granted 0128.987b.d28e.e7 (192.168.1.20)
%ASA-6-302016: Teardown UDP connection 125411 for inside:192.168.1.27/68 to identity:192.168.1.2/67 duration 0:02:01 bytes 623
%ASA-5-111008: User 'enable_15' executed the 'no access-list 102 extended permit ip any 192.168.1.0 255.255.255.0' command.
%ASA-6-302010: 20 in use, 234 most used
%ASA-5-111008: User 'enable_15' executed the 'no access-list 102 extended permit ip any host 192.168.1.8' command.
%ASA-5-111005: 192.168.1.24 end configuration: OK
%ASA-6-302016: Teardown UDP connection 125412 for inside:192.168.1.20/68 to identity:192.168.1.2/67 duration 0:02:01 bytes 641
%ASA-7-609001: Built local-host outside:209.128.96.248
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.20/57764 to outside:69.86.151.109/50424
%ASA-6-302013: Built outbound TCP connection 125413 for outside:209.128.96.248/80 (209.128.96.248/80) to inside:192.168.1.20/57764 (69.86.151.109/50424)
%ASA-7-111009: User 'enable_15' executed cmd: show running-config
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-609001: Built local-host outside:174.35.22.69
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.24/51106 to outside:69.86.151.109/53818
%ASA-6-302013: Built outbound TCP connection 125414 for outside:174.35.22.69/80 (174.35.22.69/80) to inside:192.168.1.24/51106 (69.86.151.109/53818)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.24/51107 to outside:69.86.151.109/12433
%ASA-6-302013: Built outbound TCP connection 125415 for outside:174.35.22.69/80 (174.35.22.69/80) to inside:192.168.1.24/51107 (69.86.151.109/12433)
%ASA-7-609001: Built local-host outside:8.8.8.8
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.24/51214 to outside:69.86.151.109/42103
%ASA-6-302015: Built outbound UDP connection 125416 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.24/51214 (69.86.151.109/42103)
%ASA-6-302016: Teardown UDP connection 125416 for outside:8.8.8.8/53 to inside:192.168.1.24/51214 duration 0:00:00 bytes 176
%ASA-7-609002: Teardown local-host outside:8.8.8.8 duration 0:00:00
%ASA-6-302014: Teardown TCP connection 125414 for outside:174.35.22.69/80 to inside:192.168.1.24/51106 duration 0:00:06 bytes 2075 TCP FINs
%ASA-6-302014: Teardown TCP connection 125415 for outside:174.35.22.69/80 to inside:192.168.1.24/51107 duration 0:00:06 bytes 3016 TCP FINs
%ASA-7-609002: Teardown local-host outside:174.35.22.69 duration 0:00:06
ciscoasa#

I don't see any /21 syslogs indicating any public address trying to connect to your FTP server. Please install the FileZilla client (http://filezilla-project.org/) on a home computer and try to FTP to the outside interface IP address. Watch the logs for the IP address of your client at home (its public IP address).

-Kureli

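Kureli's method is to filter the buffered log for the client's public address and look for it reaching port 21. The script below is an added example for this page, not code from the thread or from Cisco, that does the same triage offline: it parses the 302013/302014 connection messages (the format visible in the log above) and the 106023 ACL-deny message, groups them by connection id, labels each as FTP control or data channel, and gives a verdict such as "no-answer" when the ASA built the connection but the inside host never completed the handshake (teardown reason "SYN Timeout" with 0 bytes), which points at the server or its host firewall rather than at the ASA. SAMPLE_LOG is constructed with documentation-range addresses; the exact address form the ASA prints in a 106023 line on 8.2 is an assumption, so the script keys only on the destination port and ACL name.

```python
import re

# Constructed sample lines in the ASA syslog format seen in the post
# (documentation-range addresses, not the poster's; 198.51.100.9 plays the outside IP).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 130001 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:192.168.1.15/21 (198.51.100.9/21)
%ASA-6-302014: Teardown TCP connection 130001 for outside:203.0.113.7/51234 to inside:192.168.1.15/21 duration 0:00:30 bytes 0 SYN Timeout
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51240 dst outside:198.51.100.9/21 by access-group "102" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 130002 for outside:203.0.113.7/51250 (203.0.113.7/51250) to inside:192.168.1.15/21 (198.51.100.9/21)
%ASA-6-302014: Teardown TCP connection 130002 for outside:203.0.113.7/51250 to inside:192.168.1.15/21 duration 0:00:12 bytes 1842 TCP FINs
%ASA-6-302013: Built outbound TCP connection 130003 for outside:203.0.113.7/51260 (203.0.113.7/51260) to inside:192.168.1.15/20 (198.51.100.9/20)
%ASA-6-302014: Teardown TCP connection 130003 for outside:203.0.113.7/51260 to inside:192.168.1.15/20 duration 0:00:01 bytes 3072 TCP FINs
%ASA-6-302013: Built outbound TCP connection 130004 for outside:192.0.2.50/80 (192.0.2.50/80) to inside:192.168.1.24/51106 (198.51.100.9/53818)
"""

CONN_RE = re.compile(
    r"%ASA-6-30201[34]: (?P<event>Built|Teardown) (?:(?P<dir>inbound|outbound) )?TCP connection "
    r"(?P<id>\d+) for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+)(?: \([\d.]+/\d+\))? "
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+)(?: \([\d.]+/\d+\))?"
    r"(?: duration (?P<dur>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?)?$"
)
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<s_if>\w+):(?P<s_ip>[\d.]+)/(?P<s_port>\d+) '
    r'dst (?P<d_if>\w+):(?P<d_ip>[\d.]+)/(?P<d_port>\d+) by access-group "(?P<acl>[^"]+)"'
)

def channel(inside_port):
    """Label an FTP connection by the port on the inside (server) side."""
    if inside_port == 21:
        return "control"
    if inside_port == 20:
        return "data-active"    # server-initiated data channel (active mode)
    return "data-passive"       # client-initiated data channel to a server high port

def verdict(conn):
    if "reason" not in conn:
        return "open"           # built but no teardown seen in the buffer
    if conn["bytes"] == 0 and conn["reason"].startswith("SYN Timeout"):
        return "no-answer"      # ASA allowed it; inside host never completed the handshake
    if conn["reason"].startswith("TCP Reset-I"):
        return "refused-by-server"
    return "completed"

def triage(log_text, client_ip):
    """Equivalent of 'sh logg | i <client ip>' plus a per-connection summary."""
    conns, denies = {}, []
    for line in log_text.splitlines():
        if client_ip not in line:
            continue
        m = CONN_RE.search(line)
        if m:
            side = "b" if m["b_if"] == "inside" else "a"   # pick the inside leg by name
            inside_port = int(m[side + "_port"])
            c = conns.setdefault(m["id"], {"id": m["id"]})
            c.update(inside_host=m[side + "_ip"], inside_port=inside_port,
                     channel=channel(inside_port))
            if m["event"] == "Teardown":
                c.update(duration=m["dur"], bytes=int(m["bytes"]), reason=m["reason"] or "")
            continue
        d = DENY_RE.search(line)
        if d:
            denies.append({"port": int(d["d_port"]), "acl": d["acl"]})
    return {"connections": [dict(c, verdict=verdict(c)) for c in conns.values()],
            "denies": denies}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "203.0.113.7")
    for c in report["connections"]:
        print(f"conn {c['id']} {c['channel']:12} -> {c['inside_host']}:{c['inside_port']} {c['verdict']}")
    for d in report["denies"]:
        print(f"denied on port {d['port']} by access-group {d['acl']}")
```

If the filter returns nothing at all, as in the poster's output, the client's packets never reached the ASA's outside interface, so the next place to look is upstream (the ISP modem or DHCP-assigned outside address) rather than the NAT and ACL lines.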

Thanks for your help; the problem was resolved after removing the access-list entries.

Regards.
