06-23-2011 03:57 PM - edited 03-11-2019 01:49 PM
Here is my issue.
PC IP: 192.168.1.1
PC NAT Public IP: 1.1.1.1
remote FTP server IP: 100.100.100.100
From my PC, I can successfully log in to the FTP server. However, for the command I type right after login, I get the error message on screen "500 I won't open a connection to 192.168.1.1 (only to 1.1.1.1)".
And when I use Wireshark to capture the packet, in the "Transmission Control Protocol" part, the Active IP address is "192.168.1.1".
The IOS is 8.4(1)11.
06-23-2011 04:00 PM
object network subnet-192.168.1.0-24
nat (inside,outside) dynamic NAT-1.1.1.1
06-23-2011 04:14 PM
Can you please check if you have "inspect-ftp" in the policy-map configuration? Could you also check if the IP address opened in the access-list on the outside interface is the "192.168.1.1" real IP address.
What type of FTP are you using? Is it active or passive FTP?
How are you trying to access the FTP server? Using an FTP client, a browser, or the command prompt?
A good reference link for understanding FTP through firewalls:
http://slacksite.com/other/ftp.html
Thanks,
Sai
06-23-2011 04:38 PM
Hi Sai,
Thanks for your quick reply.
I do have "inspect ftp" in policy-map configuration
policy-map global-policy
class inspection_default
inspect ftp
service-policy global-policy global
Sorry, how do I 'check if ip address opened in the access-list on the outside interface is "192.168.1.1" real IP address'? I'm sniffing all the packets going through the outside port on the router.
The remote FTP server is passive FTP.
I tried Windows Explorer, FileZilla, and the Linux ftp command. None of them has the issue. However, the ftp command in the Windows "cmd" gives me this error. When I type dir, send, put, get..., the server replies with the error. However, pwd and cd are fine.
I have another ASA 5505 with 8.0(4); if the traffic goes through that firewall, there's no issue, and I didn't see any special config on either firewall.
06-23-2011 04:45 PM
Have you tried removing the "inspect ftp" and giving it a test? Because you are able to connect and authenticate, and it is when you try to run the commands that it fails, right?
Also, when we talk about the other firewall, does the traffic go to the same FTP server through that firewall?
I hope you have also verified the command authorization on the FTP server as well, i.e. that the user you are trying to access with has all the rights to run those commands.
Kindly let me know how it goes after removing the inspect ftp from the policy-map configuration.
Thanks,
Sai
06-23-2011 04:56 PM
I tried removing the "inspect ftp". I still have the issue.
I believe it's not a user permission issue.
The other firewall is another internet gateway for my host. I just change my default gateway to direct my internet traffic through whichever firewall I want to use.
If I set my default gateway to use the old firewall, then I can run all FTP commands without issue. If I change my default gateway to the new firewall, which is running 8.4(1), I get the error.
06-23-2011 04:59 PM
Could you please provide the running configuration from the ASA?
06-23-2011 05:18 PM
: Saved
:
ASA Version 8.4(1)11
!
hostname hqfw1
enable password UnmBfOmbpDarmYNc encrypted
passwd UnmBfOmbpDarmYNc encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.10 255.255.255.0
!
interface Vlan999
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 999
!
regex domainlist1 "\.hulu\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
boot system disk0:/asa841-11-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object network subnet-192.168.1.0-24
subnet 192.168.1.0 255.255.255.0
object network NAT-1.1.1.1
host 1.1.1.1
description Office NAT IP
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list ACL_INBOUND remark Migration: End of expansion
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in remark Migration: End of expansion
access-list inside_mpc extended permit tcp any any eq www
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm informational
logging facility 16
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface fw-failover Vlan999
failover key *****
failover interface ip fw-failover 192.168.255.1 255.255.255.0 standby 192.168.255.2
no monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
!
object network subnet-192.168.1.0-24
nat (inside,outside) dynamic NAT-1.1.1.1
access-group inside_access_in in interface inside
access-group ACL_INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.1.4 source inside prefer
webvpn
username admin password ************* encrypted privilege 15
!
class-map exit
class-map type regex match-any DomainBlockList
match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
class-map type inspect http match-all AppHeaderClass
match response header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
class-map esmtp
!
!
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class BlockDomainsClass
reset log
policy-map global_policy
class inspection_default
inspect esmtp
policy-map type inspect esmtp esmtp_inspect_map
parameters
match sender-address length gt 320
log
match MIME filename length gt 255
log
match cmd line length gt 512
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
policy-map global-policy
class inspection_default
inspect esmtp esmtp_inspect_map
inspect ftp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
service-policy global-policy global
service-policy inside-policy interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end
06-23-2011 05:47 PM
Thanks for sharing the configuration. Configuration looks fine with respect to FTP.
Could you please set up captures on the firewall interface to capture the FTP traffic, so that we may see if the firewall is doing anything with the packets.
For setting up captures on the ASA:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Thanks,
Sai
06-23-2011 06:37 PM
I just captured packets from both the new and the old ASA 5505 with the same FTP request.
Here is the difference shown in Wireshark for the packet carrying the "dir" command, from the firewall outside interface to the server.
Old firewall w/o issue
File Transfer Protocol (FTP)
PORT 1,1,1,1,153\r\n
Resuest command: PORT
Request arg: 1,1,1,1,223,153
Active IP address: 1.1.1.1 (1.1.1.1)
Active port: 57241
-----------
New firewall with issue
File Transfer Protocol (FTP)
PORT 192,168,1,1,19,139\r\n
Resuest command: PORT
Request arg: 192.168,1,1,19,139
Active IP address: 192.168.1.1 (192.168.1.1)
Active port: 5003
Active IP NAT: True
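The two captures above show the whole problem in one line of FTP payload: on the old firewall the PORT command carries the NAT address 1.1.1.1, on the new one it still carries the inside address 192.168.1.1, so the server refuses the data connection. The following Python is an added illustration, not code from anyone in this thread or from Cisco. It decodes the RFC 959 PORT encoding (four address octets, then the port as high byte and low byte), reproduces the server-side check that produces the "500 I won't open a connection" reply, approximates Wireshark's "Active IP NAT" flag (a private address in the payload that differs from the packet's source), and models the payload rewrite that FTP inspection is expected to perform on the inside-to-outside direction. The server reply text, the Wireshark heuristic and the rewrite are simplified models; the sample PORT lines are the ones from the captures (the old-firewall line taken from its "Request arg" field).

```python
import re
from ipaddress import IPv4Address

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (address octets, then port high byte, low byte)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port_command(line):
    """Decode an FTP PORT line into (dotted IP string, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_port_command(ip, port):
    """Inverse of parse_port_command: build the PORT line for an address/port pair."""
    octets = ip.split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def server_reply(line, control_peer_ip):
    """Model of the server-side check behind the thread's 500 error: the address
    advertised in PORT must be the host the control connection came from."""
    parsed = parse_port_command(line)
    if parsed is None:
        return "501 Syntax error in parameters or arguments"
    ip, _port = parsed
    if ip != control_peer_ip:
        return "500 I won't open a connection to %s (only to %s)" % (ip, control_peer_ip)
    return "200 PORT command successful"


def looks_unrewritten(line, packet_src_ip):
    """Approximation of Wireshark's 'Active IP NAT' flag: the PORT payload carries a
    private address that differs from the IP header source, i.e. the header was
    translated but the FTP payload was not (the job of the firewall's FTP inspection)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False
    ip, _port = parsed
    return IPv4Address(ip).is_private and ip != packet_src_ip


def fixup_port_command(line, inside_ip, nat_ip):
    """Model of the payload fix-up FTP inspection should apply inside->outside:
    replace the inside address with the NAT address. The port is left unchanged
    here; a device doing PAT may translate it as well (assumption, simplified)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return line
    ip, port = parsed
    if ip == inside_ip:
        return format_port_command(nat_ip, port)
    return line


if __name__ == "__main__":
    # Constructed from the thread's captures: old firewall first, then new firewall.
    for captured in ("PORT 1,1,1,1,223,153", "PORT 192,168,1,1,19,139"):
        print(captured, "->", parse_port_command(captured),
              "| server:", server_reply(captured, "1.1.1.1"),
              "| unrewritten:", looks_unrewritten(captured, "1.1.1.1"))
    print(fixup_port_command("PORT 192,168,1,1,19,139", "192.168.1.1", "1.1.1.1"))
```

Running it decodes 1,1,1,1,223,153 to port 57241 and 192,168,1,1,19,139 to port 5003, the same values Wireshark shows as "Active port" in the two captures, and flags only the second line as unrewritten. The same decoding applies to a capture of any active-mode FTP session, so it is a quick way to confirm whether a NAT device in the path is fixing up the control channel or only the IP header.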
06-29-2011 02:34 PM
Hey,
Can you send the output of show service-policy from the ASA on which you are seeing the problem? Have you tried reloading the ASA to see if it makes a difference?
Regards,
Prapanch
06-29-2011 02:40 PM
Sorry, I couldn't provide the original output, because I just updated the IOS to 8.4(2) and the configuration has also changed. But once I updated the IOS, the issue was gone without changing any config.
I tried reloading the device several times.
06-29-2011 02:54 PM
No Problem. Glad to know it's resolved. :-)
Regards,
Prapanch