Opening Port Range ASA5505

grockin50
Level 1

Hello all! I just bought a Cisco ASA5505 and I'm a bit of a newbie. I'm trying to open a port range through the CLI, but it doesn't seem to be working. Any feedback would be appreciated, thanks!

Background:
I have an FTP server running behind the firewall and need to allow the port range 30000-30100 for data connections. I have been using FTP through the command prompt and it's working. However, I cannot use it through the FileZilla client as it fails to query the directories. I have the ASA forwarding to port 1125 from 21 in passive mode.

Access-List:

access-list Outside_Access_In line 3 extended permit tcp any any eq ftp-data (hitcnt=0) 0xfa8ed43d
access-list Outside_Access_In line 4 extended permit tcp any any eq ftp (hitcnt=17) 0x56ee42e8
access-list Outside_Access_In line 5 extended permit tcp any any eq 1125 (hitcnt=31) 0xe5b36f5d
access-list Outside_Access_In line 6 extended permit tcp any object Eric_PC range 30000 31000 (hitcnt=0) 0x0210a864
  access-list Outside_Access_In line 6 extended permit tcp any host 192.168.0.6 range 30000 31000 (hitcnt=1) 0x0210a864

Objects:

object service FTP_DATA_CONNECTIONS
 service tcp source range 30000 30100

Troubleshooting:
I did a packet trace and it seems to fail at the NAT phase.

1 (inside) to (outside) source static any any   destination static interface Eric_PC service FTP_DATA_CONNECTIONS FTP_DATA_CONNECTIONS
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static SRV_FTP interface   service tcp 1125 ftp
    translate_hits = 0, untranslate_hits = 31

14 Replies

Julio Carvajal
VIP Alumni

Hello Eric,

You should not need to open those ports for the data connections to start working; that is the whole purpose of a deep packet inspection firewall such as the ASA.

Can you share the show run policy-map?

All you will need to allow is the control channel connection from out to in, do you understand me?

Regards,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio. I'm still a bit lost on the control channel connection. Here's the policy map:

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!

Hello Eric,

Okay, let me explain:

policy-map global_policy
 class inspection_default
  inspect ftp

You already have that, so what is that saying?

It is basically saying: if you receive an FTP packet (a control-channel packet), inspect that connection, provided it's allowed by the ASA security checks (ACLs, NAT, RPF, etc.), so the required port ranges can be opened without you being forced to create an ACL.

Dynamically. Do you see the magic now?

So in order for us to fix this, here is the information I will need:

1) Are you 100% sure you are running FTP in passive mode?

2) Can you share the NAT rule you did for the FTP server private IP address and public IP address?

3) Can you share the entire packet-tracer result?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks, your explanation was easy to understand. I double checked the settings and confirmed it's running in passive-mode. I copied the output of the packet tracer command and I hope I did it correctly. Prior to installing the ASA I was able to use the FTP server without an issue.

object network SRV_FTP
 host 192.168.0.6
object network SRV_FTP
 nat (inside,outside) static interface service tcp 1125 ftp

packet-tracer input outside tcp x.x.x.x ftp 192.168.0.6 ftp detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb4bc2d0, priority=1, domain=permit, deny=false
        hits=103874, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_Access_In in interface outside
access-list Outside_Access_In extended permit tcp any any eq ftp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb508bb0, priority=13, domain=permit, deny=false
        hits=0, user_data=0xc9619000, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb4c01c8, priority=0, domain=inspect-ip-options, deny=true
        hits=1497, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcbd7b4e8, priority=70, domain=inspect-ftp, deny=false
        hits=1, user_data=0xcbd7ade8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcbf93b18, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=17, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb49c078, priority=0, domain=host-limit, deny=false
        hits=14, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network 0.0.0.0
nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcbf83a58, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xcb5055a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

packet-tracer input outside tcp x.x.x.x  ftp-data 192.168.0.6 ftp-data

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_Access_In in interface outside
access-list Outside_Access_In extended permit tcp any any eq ftp-data
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network 0.0.0.0
nat (inside,outside) dynamic interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hello

object network SRV_FTP
 host 192.168.0.6
object network SRV_FTP
 nat (inside,outside) static interface service tcp 1125 ftp

So, SRV_FTP is the internal IP address of the FTP server.

What is that 1125 service used on the NAT statement?

Do the following:

object service ftp_1
 service tcp source eq 21

nat (inside,outside) 1 source static SRV_FTP interface service ftp_1 ftp_1

Then give it a try:

packet-tracer input outside tcp 4.2.2.2 1025 Outside_ASA_IP_ADDRESS 21

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have the FTP server running on port 1125. So essentially I'm forwarding port 21 to 1125. After adding the "nat (inside,outside) 1 source static SRV_FTP interface service ftp_1 ftp_1" statement the FTP wouldn't connect anymore. After removing the statement I was able to connect. Here is also the log from the FTP client. Thanks!

Status: Connection established, waiting for welcome message...
Response: 220 Eric's File Server
Command: USER eric
Response: 331 Password required for eric.
Command: PASS *******
Response: 230 User Eric logged in.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (108,27,79,125,117,88)
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025 192.168.1.9 21

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SRV_FTP
nat (inside,outside) static interface service tcp 1125 ftp
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.9/21 to 192.168.0.6/1125

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_Access_In in interface outside
access-list Outside_Access_In extended permit tcp any any eq 1125
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SRV_FTP
nat (inside,outside) static interface service tcp 1125 ftp
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3210, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Hello Eric,

Port 1025,

Got it.

Use the NAT you had there, as that is what you need (I did not read that you were using port 1025).

So is it working now?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It's still failing on listing. Surprisingly, listing, uploading, and downloading work through the command prompt.

Hello Eric,

So everything works except the listing... Uploading and downloading work just fine...

We can see that the inspection is there, the NAT is properly set up, and the ACLs are good.

Then we will need to run captures to see what happens when you do a list request:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Can you create a capture on both the inside and outside interfaces matching this traffic (as specific as possible) so we can see what happens here?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry if I wasn't clear on the issue. With the FTP client, it doesn't work because the first thing it tries to do is list the directory contents upon connecting, and it disconnects after the list command fails. Doing FTP through the command prompt results in no issues, which is odd.

Hello Eric,

Then it could be an application problem.

Can you do the captures first with the FTP client?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The FTP server worked before putting the ASA in. I took logs from the BulletProof server; unfortunately they are not in-depth. I also tried a different FTP client and got a little more information on the port it's trying to connect to. Also, is this normal for the FTP policy map?

ciscoasa(config)# show run policy-map type inspect ftp
!
!

From BulletProof FTP server application:

2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - INFO: ftp-client connection made from IP:192.168.0.6
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - INFO: sending welcome message to client (MOTD).
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - 220 Eric's File Server
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - USER eric
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - 331 Password required for eric.
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - PASS ********
2013-03-28 09:06:33 - Eric [000043] [outside IP] - INFO: logged in.
2013-03-28 09:06:33 - Eric [000043] [outside IP] - 230 User Eric logged in.
2013-03-28 09:06:33 - Eric [000043] [outside IP] - SYST
2013-03-28 09:06:33 - Eric [000043] [outside IP] - 215 UNIX Type: L8
2013-03-28 09:06:34 - Eric [000043] [outside IP] - PWD
2013-03-28 09:06:34 - Eric [000043] [outside IP] - 257 "/" is current directory.
2013-03-28 09:06:34 - Eric [000043] [outside IP] - PASV

2013-03-28 09:06:34 - Eric [000043] [outside IP] - 227 Entering Passive Mode (x,x,x,x,117,144)
2013-03-28 09:06:34 - Eric [000043] [outside IP] - LIST
2013-03-28 09:07:05 - Eric [000043] [outside IP] - ABOR
2013-03-28 09:07:05 - Eric [000043] [outside IP] - 426 Cannot retrieve. Failed. Aborting
2013-03-28 09:07:05 - Eric [000043] [outside IP] - 226 ABOR command successful.
2013-03-28 09:07:09 - Eric [000043] [outside IP] - QUIT
2013-03-28 09:07:09 - Eric [000043] [outside IP] - 221 Goodbye.
2013-03-28 09:07:09 - Eric [000043] [outside IP] - INFO: user disconnected gracefully. (00:00:36)

From CoreFTP client:
Connect socket #924 to x.x.x.x, port 21...
220 Eric's File Server 
331 Password required for eric.
230 User Eric logged in.
215 UNIX Type: L8
Keep alive off...
257 "/" is current directory.
227 Entering Passive Mode (x,x,x,x,117,144)
LIST 
Connect socket #964 to x.x.x.x, port 30096...
timeout
426 Cannot retrieve. Failed. Aborting 
226 ABOR command successful. 
221 Goodbye.
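
The port 30096 in the CoreFTP log comes from the 227 response: the data port is p1*256+p2, and that address string is exactly what the ASA's inspect ftp parses (as explained earlier in the thread) to open the data-channel pinhole. The following is an added Python example, not code from the thread or from Cisco; it decodes PASV and PORT endpoints from control-channel lines and checks each port against the server's passive range (30000-30100) and the ACL range (30000-31000). The 10.0.0.1 address stands in for the masked x.x.x.x, and the PORT line is constructed.

```python
import re
from typing import Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server tells the client where to connect
PASV_RE = re.compile(r"227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "PORT h1,h2,h3,h4,p1,p2": active mode, the client tells the server where to connect back
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)

def _endpoint(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in FTP address string")
    # RFC 959 encodes the data port as p1*256 + p2 (117,88 -> 30040; 117,144 -> 30096)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_data_channel(line: str) -> Optional[Tuple[str, str, int]]:
    """Return ("pasv"|"port", ip, port) for a control-channel line, else None."""
    m = PASV_RE.search(line)
    if m:
        return ("pasv",) + _endpoint(m.groups())
    m = PORT_RE.match(line.strip())
    if m:
        return ("port",) + _endpoint(m.groups())
    return None

def audit_control_log(lines, server_range=(30000, 30100), acl_range=(30000, 31000)):
    """For each PASV/PORT endpoint, report whether its port sits inside the server's
    configured passive range and inside the firewall ACL range (thread values as defaults)."""
    findings = []
    for line in lines:
        parsed = parse_data_channel(line)
        if parsed is None:
            continue
        mode, ip, port = parsed
        findings.append({
            "mode": mode, "ip": ip, "port": port,
            "in_server_range": server_range[0] <= port <= server_range[1],
            "in_acl_range": acl_range[0] <= port <= acl_range[1],
        })
    return findings

# Constructed sample: the first 227 line is from the thread, the second mirrors the CoreFTP
# log with 10.0.0.1 as a placeholder for the masked address, and the PORT line is invented.
SAMPLE_LOG = [
    "Response: 227 Entering Passive Mode (108,27,79,125,117,88)",
    "227 Entering Passive Mode (10,0,0,1,117,144)",
    "PORT 192,168,0,6,118,0",
]
```

A port that falls outside the server's configured passive range (as the constructed PORT line does) is worth chasing before blaming the firewall, since inspection only opens what the control channel advertises.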

Hello Eric,

In order to proceed with this we will need the captures I have requested.

That will let us know what is going on.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC