02-11-2010 12:04 PM - edited 03-11-2019 10:08 AM
I am trying to work on a ASA5505 that is preventing connection to a FTP server on the inside interface. I have gone through the config and config examples on the site, but I'm missing something.
The server is at 192.168.3.205 internally. There are static maps and access list entries for ftp, ftp-data, and a range of ports (41100-41110) that were configured for passive FTP connections. Still, whenever you attempt to connect from outside, it just times out.
Here is the config (IPs and such obscured obviously). Any suggestions would be well appreciated to get this thing working.
Thanks.
---
ASA5505 Config:
ASA Version 7.2(2)
!
hostname My-ASA
domain-name group.local
enable password xxxxxxxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.73 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name group.local
same-security-traffic permit intra-interface
access-list 101 extended permit tcp any host 1.2.3.73 eq ftp-data
access-list 101 extended permit tcp any host 1.2.3.73 eq ftp
access-list 101 extended permit tcp any host 1.2.3.73 eq www
access-list 101 extended permit tcp any host 1.2.3.73 eq https
access-list 101 extended permit tcp any host 1.2.3.73 eq 5481
access-list 101 extended permit tcp any host 1.2.3.73 eq 23232
access-list 101 extended permit tcp any host 1.2.3.73 eq 24242
access-list 101 extended permit tcp any host 1.2.3.73 eq 41100
access-list 101 extended permit tcp any host 1.2.3.73 eq 41101
access-list 101 extended permit tcp any host 1.2.3.73 eq 41102
access-list 101 extended permit tcp any host 1.2.3.73 eq 41103
access-list 101 extended permit tcp any host 1.2.3.73 eq 41104
access-list 101 extended permit tcp any host 1.2.3.73 eq 41105
access-list 101 extended permit tcp any host 1.2.3.73 eq 41106
access-list 101 extended permit tcp any host 1.2.3.73 eq 41107
access-list 101 extended permit tcp any host 1.2.3.73 eq 41108
access-list 101 extended permit tcp any host 1.2.3.73 eq 41109
access-list 101 extended permit tcp any host 1.2.3.73 eq 41110
access-list 101 extended permit tcp any host 1.2.3.74 eq smtp
access-list 101 extended permit tcp any host 1.2.3.74 eq www
access-list 101 extended permit tcp any host 1.2.3.74 eq imap4
access-list 101 extended permit tcp any host 1.2.3.74 eq https
access-list 101 extended permit tcp any host 1.2.3.74 eq 993
access-list 101 extended permit tcp any host 1.2.3.74 eq 3389
access-list 101 extended permit tcp any host 1.2.3.75 eq ftp-data
access-list 101 extended permit tcp any host 1.2.3.75 eq ftp
access-list 101 extended permit tcp any host 1.2.3.75 eq ssh
access-list 101 extended permit tcp any host 1.2.3.75 eq www
access-list 101 extended permit tcp any host 1.2.3.75 eq https
access-list 101 extended permit tcp any host 1.2.3.76 eq www
access-list 101 extended permit tcp any host 1.2.3.76 eq https
access-list 101 extended permit tcp any host 1.2.3.77 eq www
access-list 101 extended permit tcp any host 1.2.3.77 eq https
access-list outside_cryptomap_20.20 extended permit ip any 192.168.133.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn 192.168.133.10-192.168.133.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 1.2.3.74
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 1.2.3.73 ftp-data 192.168.3.205 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 ftp 192.168.3.205 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 www 192.168.3.210 www netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 https 192.168.3.199 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 5481 192.168.3.3 5481 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 23232 192.168.3.210 ssh netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 24242 192.168.3.199 ssh netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41100 192.168.3.205 41100 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41101 192.168.3.205 41101 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41102 192.168.3.205 41102 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41103 192.168.3.205 41103 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41104 192.168.3.205 41104 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41105 192.168.3.205 41105 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41106 192.168.3.205 41106 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41107 192.168.3.205 41107 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41108 192.168.3.205 41108 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41109 192.168.3.205 41109 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.73 41110 192.168.3.205 41110 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.74 smtp 192.168.3.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.74 www 192.168.3.1 www netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.74 imap4 192.168.3.1 imap4 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.74 https 192.168.3.1 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.74 993 192.168.3.1 993 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.74 3389 192.168.3.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.75 ftp-data 192.168.3.201 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.75 ftp 192.168.3.201 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.75 ssh 192.168.3.201 ssh netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.75 www 192.168.3.201 www netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.75 https 192.168.3.201 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.76 www 192.168.3.202 www netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.76 https 192.168.3.202 https netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.77 www 192.168.3.203 www netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.77 https 192.168.3.203 https netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host 192.168.3.1
timeout 5
ldap-scope onelevel
group-policy vpn internal
group-policy vpn attributes
wins-server value 192.168.3.1
dns-server value 192.168.3.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
default-domain value group.local
group-policy VPN-RA internal
username admin password xxxxxxxx encrypted privilege 15
username ra password xxxxxxxx encrypted
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set raVPN esp-aes-256 esp-md5-hmac
crypto dynamic-map dyn1 1 match address outside_cryptomap_20.20
crypto dynamic-map dyn1 1 set transform-set raVPN
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool vpn
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4458ffc7d53415403e1ce4b0b328325b
: end
Solved! Go to Solution.
02-11-2010 12:35 PM
If for any reason that doesn't work try this
static (inside,outside) tcp 1.2.3.74 ftp-data 192.168.3.205 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.74 ftp 192.168.3.205 ftp netmask 255.255.255.255
access-list 101 extended permit tcp any host 1.2.3.74 eq ftp-data
access-list 101 extended permit tcp any host 1.2.3.74 eq ftp
Let me know
02-11-2010 12:27 PM
I would try this
policy-map global_policy
class inspection_default
Inspection ftp
02-11-2010 12:35 PM
If for any reason that doesn't work try this
static (inside,outside) tcp 1.2.3.74 ftp-data 192.168.3.205 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.74 ftp 192.168.3.205 ftp netmask 255.255.255.255
access-list 101 extended permit tcp any host 1.2.3.74 eq ftp-data
access-list 101 extended permit tcp any host 1.2.3.74 eq ftp
Let me know
02-11-2010 01:04 PM
Well, I think that worked. I took out the access-list rules and static maps to the .73 address and put them back in for the .74 and it worked.
Any suggestions why? Because outbound traffic is coming from the .74 address so it mismatches when the ftp server replies?
Thanks for the help.
02-11-2010 01:22 PM
Yes. You are using .73 as inbound but your reply will go out
with the 74 that you are using in the global (Outside) Port forwarding is not bi.directionl but the
normal static is.
So If you have static (IN,OUT) X Y your inside server will be accessed with the X ip and it will go to the internet with th X as well.
If you have static (IN,OUT) tcp X 21 Y 21 this will work only for inbound connections, this way will use the global that you have configured in you case.
Thanks,
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide