How to allow ftp traffic pass through ASA firewall?

zhentian1979
Level 1

Our structure is Internet---Router----ASA-----TMG----FTP server. I am trying to publish the FTP service to the public. I did NAT on the router and created access-lists on both the router and the ASA to allow FTP traffic through, and I configured inspect ftp on the ASA, but I can't see traffic reach the TMG. Any help is appreciated!

Router configuration for ftp:

! static PAT for the FTP control port (21) and the active-mode data port (20)
ip nat inside source static tcp 192.168.xxx.xx 20 xxx.xxx.xxx.xxx 20 extendable
ip nat inside source static tcp 192.168.xxx.xx 21 xxx.xxx.xxx.xxx 21 extendable

ASA configuration for ftp:

ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list 102 extended permit tcp any host 192.168.xxx.xx object-group DM_INLINE_TCP_1
! FTP inspection is applied to the default global policy
policy-map global_policy
 class inspection_default
  inspect ftp

Rgs!

Zhentian

9 Replies

Andrew Phirsov
Level 7

Probably the problem is that in FTP passive mode a random port is used for the data channel, not TCP port 20. I think the range is 30000-35000/tcp. So you should modify your NAT and access rules on the router accordingly.
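To illustrate the point about the data channel, here is an added example (not code from the thread or from Cisco) that simulates the FTP control-channel exchange an application-layer gateway such as the ASA's inspect ftp has to read. It decodes the PASV reply and PORT command (RFC 959 "h1,h2,h3,h4,p1,p2" form), rewrites the server's private address in the PASV reply across NAT, and records which data-channel flow must be permitted beyond the static TCP/21 rule. The addresses, ports and server replies are constructed; the inspector is a conceptual model, not the ASA's implementation.

```python
"""Simulated FTP control-channel exchange across NAT.

Added example, not code from the original thread.  It models what an FTP
application-layer gateway (the ASA's 'inspect ftp') has to do: read the
PORT/PASV messages on TCP/21, rewrite the server's private address in the
PASV reply, and record which dynamic data-channel port must be permitted.
All addresses, ports and replies below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed topology: the FTP server's private address and the public
# address the edge NAT translates it to.  Assumptions, not the poster's values.
SERVER_PRIVATE = "192.168.10.5"
SERVER_PUBLIC = "203.0.113.10"
CLIENT_PUBLIC = "198.51.100.7"

# RFC 959 encodes address and port as six decimal byte values: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"^227 .*\((\d+,\d+,\d+,\d+,\d+,\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+,\d+,\d+,\d+,\d+,\d+)\s*$")


def decode_hostport(six):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in six.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class FtpInspector:
    """Minimal model of an FTP ALG sitting between a private server and the
    Internet.  'pinholes' lists the data-channel flows the firewall must
    allow in addition to the static TCP/21 rule."""
    private_ip: str
    public_ip: str
    pinholes: list = field(default_factory=list)

    def server_to_client(self, line):
        """Inspect a server reply travelling inside -> outside."""
        m = PASV_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.group(1))
        if ip == self.private_ip:
            # The server advertises its own RFC 1918 address; an Internet
            # client cannot reach that, so the ALG substitutes the NAT address.
            ip = self.public_ip
        # Passive mode: the CLIENT opens the data connection to server:port,
        # and port is chosen by the server per session, never TCP/20.
        self.pinholes.append(("inbound", ip, port))
        return line[:m.start(1)] + encode_hostport(ip, port) + line[m.end(1):]

    def client_to_server(self, line):
        """Inspect a client command travelling outside -> inside."""
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.group(1))
        # Active mode: the SERVER opens the data connection from TCP/20 to
        # client:port.  This is the only case a static port-20 NAT covers.
        self.pinholes.append(("outbound", ip, port))
        return line


def simulate_session():
    """Run one passive and one active data-channel negotiation through the
    inspector and return (inspector, transcript)."""
    insp = FtpInspector(SERVER_PRIVATE, SERVER_PUBLIC)
    transcript = []
    # Constructed server reply to PASV: 117*256+48 = port 30000.
    transcript.append(("S->C", insp.server_to_client(
        "227 Entering Passive Mode (192,168,10,5,117,48)\r\n")))
    # Constructed client PORT command: 19*256+137 = port 5001.
    transcript.append(("C->S", insp.client_to_server(
        "PORT 198,51,100,7,19,137\r\n")))
    return insp, transcript


if __name__ == "__main__":
    inspector, log = simulate_session()
    for direction, text in log:
        print(direction, text.strip())
    print("data-channel pinholes:", inspector.pinholes)
```

The passive-mode pinhole lands on a server-chosen port (30000 here), which is why a static translation and ACL for tcp/20 alone never cover passive transfers; the inspection engine has to learn the port from the control channel, and it can only do so if it sees the TCP/21 session in clear text (FTPS hides the PASV reply from it).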

Hi,

The command "ftp mode passive" only relates to how the ASA operates when you use FTP to transfer files with the ASA itself. It doesn't affect the FTP connections going through it.

Since you say you don't see anything of the FTP connection on the TMG, I would suggest going through the router and ASA configurations once more and checking the ASA logs while someone is attempting an FTP connection.

- Jouni

I can see the counter increase when I try FTP from outside:

ASA# sh service-policy inspect ftp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 3385, lock fail 0, drop 0, reset-drop 0

Is there any other command that can be used to get useful output?

Hi,

But it would be better to get the actual log messages of the connection you are attempting, as the above output could be about any other FTP connection.

You can also issue the "packet-tracer" command on the ASA to see what would happen to the FTP connection regarding the firewall rules:

packet-tracer input <ingress-interface> tcp <source-ip> <source-port> <ftp-server-ip> 21

- Jouni

Thanks Jouni!

I tested it with packet tracer in ASDM; it shows that both the outside and inside interfaces allow the packet through.

here is output from packet-tracer command:

ASA# packet-tracer input outside tcp 125.177.177.222 5915 XXX.XXX.XXX.XX 21

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   XXX.XXX.XXX.XX     255.255.254.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 102 in interface outside
access-list 102 extended permit tcp any host XXX.XXX.XXX.XX object-group DM_INLINE_TCP_1
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:      
Additional Information:
             
Phase: 4     
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:      
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:
             
Phase: 5     
Type: VPN    
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:      
Additional Information:
             
Phase: 6     
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:      
Additional Information:
             
Phase: 7     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 8     
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:      
Additional Information:
             
Phase: 9     
Type: FLOW-CREATION
Subtype:     
Result: ALLOW
Config:      
Additional Information:
New flow created with id 1330160, packet dispatched to next module
             
Result:      
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Hi,

So it seems to me the firewall rules are fine regarding the FTP control connection (TCP/21).

Next it would be good to monitor a connection attempt through ASDM Monitoring/Logging (logging level at least informational).

Look for the "Built" and "Teardown" messages of a single FTP connection attempt and see if you could copy paste the "Teardown" log message for the TCP connection attempt here on the forums.

Provided you see the connection attempt in the ASA logs, of course.

- Jouni

I can see log from asdm like below:

6 Jan 09 2013 09:19:17  125.177.177.222 1978 XXX.XXX.XXX.XX 21 Teardown TCP connection 1343807 for outside:125.177.177.222/1978 to inside:XXX.XXX.XXX.XX/21 duration 0:00:30 bytes 0 SYN Timeout

6 Jan 09 2013 09:19:13  125.77.177.222 1980 XXX.XXX.XXX.XX 21 Built inbound TCP connection 1344013 for outside:125.177.177.222/1980 (125.177.177.222/1980) to inside:XXX.XXX.XXX.XX/21 (XXX.XXX.XXX.XX/21)

Hi,

This basically means that the ASA firewall sees the SYN of the initial FTP connection attempt from the Internet.

But on the other hand it tells us that the ASA doesn't see any reply from the actual FTP server behind it.

So it would seem the problem is somewhere behind the ASA, since the connection has come through the router and the ASA just fine.

- Jouni
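The diagnosis above rests on reading the Built/Teardown pair for one connection: a Teardown with "bytes 0 SYN Timeout" means the ASA created the flow for the SYN and then waited the SYN timeout without ever seeing a SYN/ACK from the inside. Note that the two lines pasted in the thread carry different connection ids (1344013 and 1343807), so they are two separate attempts. The following is an added example, not from the thread or from Cisco, that pairs ASA Built/Teardown TCP messages by connection id and classifies the teardown reason; the log lines are constructed in the ASDM log-viewer shape shown above, with documentation addresses, and are not real logs.

```python
"""Pair ASA 'Built'/'Teardown' TCP connection syslog messages and explain
the teardown reason.

Added example, not from the original thread.  The log lines below are
constructed in the ASDM log-viewer shape the thread shows (no %ASA-6-302013
/ 302014 prefix) using documentation addresses; they are not real logs.
"""
import re

BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) .*?to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) ?(?P<reason>.*)$")

# Constructed sample: three attempts from one Internet client to an FTP
# server behind the ASA.  The first times out, the second completes, the
# third has no Teardown yet.
SAMPLE_LOG = [
    "6 Jan 09 2013 09:19:13  198.51.100.7 1980 192.168.10.5 21 Built inbound TCP connection 1344013 for outside:198.51.100.7/1980 (198.51.100.7/1980) to inside:192.168.10.5/21 (192.168.10.5/21)",
    "6 Jan 09 2013 09:19:43  198.51.100.7 1980 192.168.10.5 21 Teardown TCP connection 1344013 for outside:198.51.100.7/1980 to inside:192.168.10.5/21 duration 0:00:30 bytes 0 SYN Timeout",
    "6 Jan 09 2013 09:20:01  198.51.100.7 1982 192.168.10.5 21 Built inbound TCP connection 1344099 for outside:198.51.100.7/1982 (198.51.100.7/1982) to inside:192.168.10.5/21 (192.168.10.5/21)",
    "6 Jan 09 2013 09:20:09  198.51.100.7 1982 192.168.10.5 21 Teardown TCP connection 1344099 for outside:198.51.100.7/1982 to inside:192.168.10.5/21 duration 0:00:08 bytes 412 TCP FINs",
    "6 Jan 09 2013 09:20:30  198.51.100.7 1984 192.168.10.5 21 Built inbound TCP connection 1344150 for outside:198.51.100.7/1984 (198.51.100.7/1984) to inside:192.168.10.5/21 (192.168.10.5/21)",
]


def explain(reason, nbytes):
    """Map an ASA teardown reason to what it says about the path."""
    if reason == "SYN Timeout":
        return ("ASA forwarded the SYN but never saw a SYN/ACK: the server, "
                "or something between the ASA and it, did not answer")
    if reason == "TCP FINs":
        return "normal close" + (" with no payload" if nbytes == 0 else "")
    if reason == "TCP Reset-I":
        return "reset by the inside host"
    if reason == "TCP Reset-O":
        return "reset by the outside host"
    return f"other teardown reason: {reason}"


def analyse(lines):
    """Return {connection_id: record} with Built/Teardown paired by id."""
    conns = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {
                "src": f"{m['sif']}:{m['sip']}/{m['sport']}",
                "dst": f"{m['dif']}:{m['dip']}/{m['dport']}",
                "built": True, "reason": None, "bytes": None,
                "verdict": "still open (no Teardown seen yet)",
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            # A Teardown without a matching Built (log started late, or the
            # Built was for a different attempt) is still recorded.
            rec = conns.setdefault(m["id"], {
                "src": f"{m['sif']}:{m['sip']}/{m['sport']}",
                "dst": f"{m['dif']}:{m['dip']}/{m['dport']}",
                "built": False, "reason": None, "bytes": None, "verdict": None})
            rec["reason"] = m["reason"].strip()
            rec["bytes"] = int(m["bytes"])
            rec["verdict"] = explain(rec["reason"], rec["bytes"])
    return conns


if __name__ == "__main__":
    for cid, rec in analyse(SAMPLE_LOG).items():
        print(cid, rec["src"], "->", rec["dst"], "|", rec["verdict"])
```

Pairing by connection id is the important part: only a Teardown whose id matches the Built you are watching tells you what happened to that attempt. A SYN Timeout with zero bytes narrows the fault to the inside leg (ASA routing to the next hop, the TMG, or the FTP service itself), whereas a Reset-I would show the inside host answering but refusing.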
