ASA and FTP


Hi all, 

I'm using an ASA 5506, and I'm trying to send the logging to an internal FTP server (my laptop with FileZilla Server). So I configured (as I have usually done on different ASAs, and it works) the logging part to be sent to the FTP server.

I have configured it in different ways, adding an ACL and also checking the Service Policy Rules etc. When I use Packet Tracer I get ACL Deny.

Do you have any idea what else I should check and do? Also, from the logging I see the following error:

6 Feb 13 2017 10:08:38 172.16.30.1 33941 172.16.30.180 21 Built outbound TCP connection 775928 for Inside:172.16.30.180/21 (172.16.30.180/21) to identity:172.16.30.1/33941 (172.16.30.1/33941)
3 Feb 13 2017 10:08:38 Failed to save logging buffer to FTP server 172.16.30.180 using filename LOG-2017-02-13-100828.TXT on interface Inside: [Device open error]
6 Feb 13 2017 10:08:38 172.16.30.180 21 172.16.30.1 16039 Teardown TCP connection 775920 for Inside:172.16.30.180/21 to identity:172.16.30.1/16039 duration 0:00:10 bytes 0 SYN Timeout

Any idea?
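An added example, not part of the original post: a small Python parser for the three log lines above that counts, per FTP server, the connections the ASA built, the teardowns logged with `SYN Timeout` and `bytes 0` (the TCP handshake never completed), and the failed buffer saves. The function names are hypothetical, and the sample input is the poster's own log lines.

```python
import re
from collections import defaultdict

# The three log lines from the post above, copied verbatim.
SAMPLE_LOG = """\
6 Feb 13 2017 10:08:38 172.16.30.1 33941 172.16.30.180 21 Built outbound TCP connection 775928 for Inside:172.16.30.180/21 (172.16.30.180/21) to identity:172.16.30.1/33941 (172.16.30.1/33941)
3 Feb 13 2017 10:08:38 Failed to save logging buffer to FTP server 172.16.30.180 using filename LOG-2017-02-13-100828.TXT on interface Inside: [Device open error]
6 Feb 13 2017 10:08:38 172.16.30.180 21 172.16.30.1 16039 Teardown TCP connection 775920 for Inside:172.16.30.180/21 to identity:172.16.30.1/16039 duration 0:00:10 bytes 0 SYN Timeout
"""

BUILT = re.compile(r"Built (?:inbound|outbound) TCP connection \d+ for "
                   r"\S+?:(?P<ip>[\d.]+)/(?P<port>\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection \d+ for \S+?:(?P<ip>[\d.]+)/(?P<port>\d+) "
                      r"to \S+ duration [\d:]+ bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")
FTP_FAIL = re.compile(r"Failed to save logging buffer to FTP server (?P<ip>[\d.]+)")


def analyze(log_text):
    """Per (server_ip, port): connections built, unanswered SYNs, failed saves."""
    stats = defaultdict(lambda: {"built": 0, "syn_timeout": 0, "save_failed": 0})
    for line in log_text.splitlines():
        line = line.strip()
        if m := BUILT.search(line):
            stats[(m["ip"], int(m["port"]))]["built"] += 1
        elif m := TEARDOWN.search(line):
            # bytes 0 plus "SYN Timeout": torn down before the TCP handshake completed
            if m["reason"] == "SYN Timeout" and int(m["bytes"]) == 0:
                stats[(m["ip"], int(m["port"]))]["syn_timeout"] += 1
        elif m := FTP_FAIL.search(line):
            # Assumption: FTP control port 21, as in the connection lines above
            stats[(m["ip"], 21)]["save_failed"] += 1
    return dict(stats)


def unanswered(log_text):
    """Servers with at least one connection that never got past the SYN."""
    return sorted(k for k, s in analyze(log_text).items() if s["syn_timeout"])


if __name__ == "__main__":
    for (ip, port), s in analyze(SAMPLE_LOG).items():
        print(f"{ip}:{port} {s}")
    print("no handshake with:", unanswered(SAMPLE_LOG))
```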

4 Replies

Diana Karolina Rojas
Cisco Employee

Hello Ivan!

A question: What logs do you see in the FileZilla server? Error 425?

Regards,

Hi Marvin Rhoads and anaid_30kadi

Thank you for replying. From FileZilla there are no error logs. There are no logs showing that anything is happening from the ASA IP. There is a log if I try to open it from the browser. So if I can open it from the browser, I'm guessing that I have no problems with the firewall on the Windows machine. Also, when I use Wireshark to capture FTP traffic with the ASA IP as the source, I have nothing. I have regular traffic but not FTP.

I also have the same problem when I try to execute from the ASA itself "copy ftp to flash:" or "copy flash: to ftp".

Also, I have this as the policy rules (the default one):

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
  inspect ftp

Hi Anaid, 

There are no error logs on the FileZilla server. I think the problem lies on the ASA. It's like the ASA has no FTP connection on local subnets or something. But every port is open and everything is allowed. I have placed a rule from the local subnet to the local IP address of the FTP server, at the IP level, to be allowed. But somehow I get permission denied and nothing in the FileZilla logs :(

Marvin Rhoads
Hall of Fame

I'm not sure packet-tracer can be used to simulate traffic from the ASA. 

I'd first make sure Windows Firewall is either off or at least allowing incoming FTP traffic. If it is, then do a packet capture on the laptop and look for the traffic.