12-06-2012 11:30 AM - edited 03-11-2019 05:33 PM
Hi,
I am able to ftp from my Head Office to my test machine at the remote location but I can't get the other way around to work.
Error message from the Syslog
deny tcp src 192.168.50.5/1825 dst 208.124.202.44/21 by access-group "dmz_access_in"
I tried a couple of ways to fix it but no luck.
I would appreciate some help.
A partial config of my ASA 5505
access-list outside1_cryptomap extended permit ip object LAN object HeadOffice-VLAN3
access-list inside_access_in extended permit ip interface inside interface outside1
access-list inside_access_in extended permit icmp any any
access-list outside1_access_in extended permit ip any interface outside1
access-list outside1_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 interface outside1 eq https
access-list outside1_access_in extended permit tcp any host 192.168.50.5 eq www
access-list outside1_access_in extended permit tcp any host 192.168.50.5 eq https
access-list outside1_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host 192.168.50.5 object-group RDP
access-list outside1_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.50.5 eq ftp
access-list dmz_access_in extended permit tcp any object Server2 eq www
access-list dmz_access_in extended permit tcp any host 192.168.50.5 eq www
access-list outside_access extended permit object http any object Server2
access-list extended extended permit tcp any host 192.168.50.5 eq ftp
access-list extended extended permit tcp any host 192.168.50.5 eq ftp-data
access-group inside_access_in in interface inside
access-group outside_access in interface outside
access-group outside1_access_in in interface outside1 per-user-override
access-group dmz_access_in in interface dmz per-user-override
object network Server2
nat (dmz,outside1) static interface service tcp www www
object network Server3
nat (dmz,outside1) static interface service tcp https https
object network RDP2
nat (dmz,outside1) static interface service tcp 3389 3389
object network ftp
nat (dmz,outside1) static interface service tcp ftp ftp
ftp mode passive
12-06-2012 11:40 AM
Hi,
According to the log message the connection is blocked by the access-list "dmz_access_in"
According to the configuration the mentioned ACL is attached to the direction "in" on the interface "dmz"
Looking at the actual list it seems to me that you have not made a rule that allows the host behind "dmz" interface to initiate a FTP Control connection (TCP/21).
Shouldn't this just be corrected with issuing the command
access-list dmz_access_in permit tcp host
- Jouni
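The reasoning in the reply above (the log names the ACL, the ACL is bound inbound on "dmz", none of its lines permit TCP/21 from that host, so the implicit deny at the end of the ACL fires) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the two posted "dmz_access_in" lines and the posted syslog message, then does a first-match evaluation the way the ASA does. The address given for the object "Server2" is an assumption (the thread never shows it), and the permit line appended at the end is an illustrative one chosen for this example, not the truncated command in the reply. Object-groups, port ranges and interface keywords are out of scope.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two "dmz_access_in" lines from the posted config.
POSTED_DMZ_ACL = """\
access-list dmz_access_in extended permit tcp any object Server2 eq www
access-list dmz_access_in extended permit tcp any host 192.168.50.5 eq www
"""
# "Server2" is never resolved in the thread; this address is an assumption.
OBJECTS = {"Server2": "192.168.50.20"}

# The syslog line from the first post (no interface prefixes were shown).
POSTED_SYSLOG = ('deny tcp src 192.168.50.5/1825 dst 208.124.202.44/21 '
                 'by access-group "dmz_access_in"')

# Service keywords accepted in "eq" clauses that this example needs.
SERVICES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ftp-data": 20}


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class Flow:
    acl: str
    proto: str
    sip: ipaddress.IPv4Address
    dip: ipaddress.IPv4Address
    dport: int


def _port(token: str) -> int:
    return int(token) if token.isdigit() else SERVICES[token]


def _endpoint(t, i):
    """Parse one ACL endpoint starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "object":
        return ipaddress.ip_network(OBJECTS[t[i + 1]] + "/32"), i + 2
    # "network netmask" form, e.g. 192.168.50.0 255.255.255.0
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Optional[Rule]:
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, i = _endpoint(t, 5)
    if i < len(t) and t[i] == "eq":        # optional source port, skipped here
        i += 2
    dst, i = _endpoint(t, i)
    dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Rule(t[1], t[3], t[4], src, dst, dport)


SYSLOG_RE = re.compile(
    r'(?i)(?:deny|permit)\s+(?P<proto>\w+)\s+src\s+(?:\w+:)?(?P<sip>[\d.]+)/\d+'
    r'\s+dst\s+(?:\w+:)?(?P<dip>[\d.]+)/(?P<dport>\d+)\s+by access-group\s+"(?P<acl>[^"]+)"')


def parse_syslog(msg: str) -> Flow:
    m = SYSLOG_RE.search(msg)
    if not m:
        raise ValueError("not an access-group deny/permit message")
    return Flow(m["acl"], m["proto"].lower(), ipaddress.ip_address(m["sip"]),
                ipaddress.ip_address(m["dip"]), int(m["dport"]))


def evaluate(acl_text: str, flow: Flow):
    """First-match evaluation of the lines belonging to flow.acl.
    Returns (action, 1-based line number), or ('deny', None) for the
    implicit deny the ASA applies when no line matches."""
    rules = [r for r in map(parse_rule, acl_text.splitlines())
             if r and r.acl == flow.acl]
    for n, r in enumerate(rules, 1):
        if (r.proto in ("ip", flow.proto) and flow.sip in r.src
                and flow.dip in r.dst and r.dport in (None, flow.dport)):
            return r.action, n
    return "deny", None


if __name__ == "__main__":
    flow = parse_syslog(POSTED_SYSLOG)
    print(evaluate(POSTED_DMZ_ACL, flow))        # ('deny', None): implicit deny
    # Illustrative permit line for the control connection (assumed, see lead-in)
    fixed = POSTED_DMZ_ACL + ("access-list dmz_access_in extended permit tcp "
                              "host 192.168.50.5 host 208.124.202.44 eq ftp\n")
    print(evaluate(fixed, flow))                 # ('permit', 3)
```

The first call shows why the deny is logged: both existing lines only permit TCP/80, so the control connection to TCP/21 falls through to the implicit deny. Running the same flow against the ACL with a permit for TCP/21 appended matches on the new third line.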
12-06-2012 12:01 PM
Hi Jouni,
That helped with moving the traffic out. The problem now is the FTP server is giving this error
000012) 12/6/2012 14:52:18 PM - (not logged in) (192.168.50.5)> Connected, sending welcome message...
(000012) 12/6/2012 14:52:18 PM - (not logged in) (192.168.50.5)> could not send reply, disconnected.
Strange thing is the server is logging the local IP of the test machine at the remote office; shouldn't that be the external IP of the ASA firewall...
Thanks
12-06-2012 12:10 PM
Hi,
Just seems to me that the host 192.168.50.5 is initiating a connection from behind interface "dmz" and it's getting blocked by the "dmz" interface's access-list.
It would seem to me that the connection the mentioned host is trying to form, and that is getting blocked, is the actual control connection of the FTP. So I'm not sure what situation the FTP server's log messages refer to when the firewall log says it has even blocked the initial connection.
Is some L2L VPN between the sites involved here?
Naturally, a more complete firewall configuration and specific source and destination IP address information for the attempted connection would make it easier to check what the problem might be. For example, I don't know how you have configured NAT for the log message's source host 192.168.50.5.
- Jouni
12-06-2012 12:33 PM
Hi,
There is a site-to-site VPN tunnel between the networks that lets traffic from VLAN 192.168.3.x pass from Head Office to the remote office.
NAT info
object network ftp
nat (dmz,outside1) static interface service tcp ftp ftp
Should I be adding ftp-data to this NAT?
Thanks
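The ftp-data question above concerns the second TCP connection FTP opens. In active mode the client sends a PORT command carrying its own address and a port, and the server connects to it from its TCP/20 (ftp-data); in passive mode (the config has "ftp mode passive" for the ASA's own client) the server answers PASV with a 227 reply carrying its address and port, and the client connects to that. Because the address travels inside the payload, a NAT device cannot fix it by rewriting headers alone, which is what the ASA's FTP inspection is for. The following is an added example, not code from the thread: it parses both message forms and reports which side opens the data connection and whether the embedded address matches the address the peer actually sees. The public address 203.0.113.10 standing in for the NATed client, and the sample messages, are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Both messages carry h1,h2,h3,h4,p1,p2: four address bytes, then port = p1*256 + p2.
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_REPLY = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups) -> Tuple[str, int]:
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in h1,h2,h3,h4,p1,p2")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Client-side PORT command (active mode) -> (address, port) or None."""
    m = _PORT_CMD.match(line.strip())
    return _decode(m.groups()) if m else None


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Server-side 227 reply (passive mode) -> (address, port) or None."""
    m = _PASV_REPLY.match(line.strip())
    return _decode(m.groups()) if m else None


def data_connection(client_ip: str, server_ip: str, message: str) -> dict:
    """Describe the data connection implied by one control-channel message.
    client_ip/server_ip are the addresses each side sees on the control
    connection (i.e. after any NAT).  Active mode: the server connects from
    its own TCP/20 to the advertised client address.  Passive mode: the
    client connects from an ephemeral port to the advertised server address."""
    hp = parse_port_command(message)
    if hp:
        return {"mode": "active", "from": (server_ip, 20), "to": hp,
                "embedded_matches_peer": hp[0] == client_ip}
    hp = parse_pasv_reply(message)
    if hp:
        return {"mode": "passive", "from": (client_ip, None), "to": hp,
                "embedded_matches_peer": hp[0] == server_ip}
    raise ValueError("not a PORT command or 227 reply")


if __name__ == "__main__":
    # Constructed: a client at 192.168.50.5 that the server sees as 203.0.113.10
    # (assumed post-NAT address) advertises its private address in PORT.
    print(data_connection("203.0.113.10", "208.124.202.44",
                          "PORT 192,168,50,5,7,210"))
    # embedded_matches_peer is False: without payload rewriting the server
    # would try to reach 192.168.50.5:2002, an address it cannot route to.
    print(data_connection("203.0.113.10", "208.124.202.44",
                          "227 Entering Passive Mode (208,124,202,44,195,89)."))
    # Passive: the client connects to 208.124.202.44:50009, which matches the peer.
```

The "embedded_matches_peer" flag is the check a firewall's FTP inspection has to make on every PORT and 227 message: when it is false, the address in the payload must be rewritten along with the header, and the matching data connection must be permitted on the right port, or the data channel fails even though the control connection on TCP/21 succeeded.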