Active ftp, ASA 5510

Hi all

I'm having some trouble setting up an active ftp session from inside to outside.

I've read the other topics on the forums, but I can't figure it out myself.

I created some ACLs and port forwards, and I also configured the inspect FTP in the global policy.

I've attached the running config.

If someone has a solution, please inform me.

Bert


6 Replies

Hi Bert,

You have an inside host trying to establish an FTP session to an outside server correct?

If so... the ACL applied to the inside interface should permit outgoing FTP traffic and the response should be allowed by the FTP inspection.

If using Active FTP, the control channel is established from the client, but the data channel comes from the server (and this will be allowed by inspecting FTP).

Question:

If using Passive FTP it works?

Can you PING or access the same server via another service (http, telnet, etc)?

Federico.

Hi Federico

Yes, we can reach the ftp server via telnet, and passive ftp also works.

The problem is the data coming from the server to port 20.

If you have any idea please let me know.

thank you

Bert

Hi Bert,

Please post the output of "show service-policy". Also, when you try the active FTP, what are the syslogs you notice on the ASA? Please post debugs in debugging level.

Regards,

Prapanch

I am not sure what this below section is doing in the config. I'd remove it.

class class-default
  set connection advanced-options tcp-state-bypass
  inspect ftp

policy-map global_policy
class class-default
  no set connection advanced-options tcp-state-bypass
  no inspect ftp

exit

no class class-default

Try the flow again.

-KS

Thank you for the responses, I will try your suggestions in the coming week and post the "show service-policy" as soon as possible.

Bert

Bert,

client--ASA--internet--active ftp server

The reason why active ftp fails is because the data connection is initiated from source port 20 as a brand new connection from the server on the outside, which is on the lower security interface. When the ACL applied on the outside does not allow tcp port 20 from the server to your client, this will fail, because ftp inspection is supposed to open that tcp port 20 coming from the server.

In your case you have some tcp-state-bypass configured, which means the tcp flow will be like a udp flow and not inspected for ftp.

The reason why passive ftp works is because the client on the higher security interface opens up a brand new connection to the server to get the data, and by default connections going from high to low security are allowed.

Once you remove the tcp-state-bypass lines from the config, issue a clear local for the client IP. Then try to get the output of this sh service-policy command below:

conf t

clear local x.x.x.x

sh service-policy flow tcp host x.x.x.x host y.y.y.y eq 21

where x.x.x.x is the IP of the inside client and y.y.y.y is the IP address of the ftp server on the outside. Make sure the output shows that it will hit the ftp inspection. Then try the flow again. It should work.

-KS
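As an added illustration (not code from the thread, from KS, or from Cisco), here is a small Python check that parses the policy-map section of an ASA running config and flags the tcp-state-bypass setting KS and Federico are describing, the one that stops FTP inspection from opening the server's port-20 data connection. The config fragment is constructed, and the parser assumes the usual ASA layout (class lines indented one space, actions two spaces).

```python
import re
from typing import Dict, List

# Constructed sample ASA running-config fragment (not the poster's attached
# config): global_policy's class-default turns on tcp-state-bypass while
# also carrying inspect ftp, the combination KS pointed at in the thread.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect http
 class class-default
  set connection advanced-options tcp-state-bypass
  inspect ftp
service-policy global_policy global
"""

def parse_policy_maps(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {policy_map: {class_name: [action lines]}} for each Layer 3/4
    policy-map block; 'policy-map type ...' inspection maps are skipped."""
    maps: Dict[str, Dict[str, List[str]]] = {}
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        text = line.strip()
        if not text:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # Any top-level statement ends the policy-map we were inside.
            m = re.match(r"policy-map (?!type )(\S+)$", text)
            pmap = m.group(1) if m else None
            cls = None
            if pmap:
                maps[pmap] = {}
            continue
        if pmap is None:
            continue
        if indent == 1 and text.startswith("class "):
            cls = text.split(None, 1)[1]
            maps[pmap].setdefault(cls, [])
        elif indent >= 2 and cls is not None:
            maps[pmap][cls].append(text)
    return maps

def find_bypass_conflicts(config: str) -> List[str]:
    """Flag every class that sets tcp-state-bypass: flows matched there skip
    stateful tracking, so inspect ftp cannot pinhole the server's port-20
    data connection and active FTP from inside to outside fails."""
    findings = []
    for pmap, classes in parse_policy_maps(config).items():
        for cls, actions in classes.items():
            if "set connection advanced-options tcp-state-bypass" in actions:
                flag = ("inspect ftp in same class" if "inspect ftp" in actions
                        else "FTP flows matched here skip inspection")
                findings.append(f"{pmap}/{cls}: tcp-state-bypass ({flag})")
    return findings
```

Feed it the text of "show running-config" (or the saved file); an empty result means no class applies tcp-state-bypass, which is the state KS asks for before re-testing with "sh service-policy flow".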
