11-30-2018 01:11 PM - edited 02-21-2020 08:31 AM
Hi,
I've published a new FTP over TLS server on Windows 2012 R2 behind an ASA 5515-X. I'm using passive mode, so I opened port 21 and the PASV port range to permit FTPS traffic. These are the results:
This is my issue: when I try to connect from another site with a public IP in a subnet other than production and labs (e.g. my home or a cellular network), I cannot connect and FileZilla just gets stuck at "Connecting to ftpes://x.y.z.13:21...".
That's weird. I checked the Access and NAT rules, I can ping the ASA outside interface from anywhere, the route exists and is OK, Lab has Internet access, but the FTPS server is not visible. The other thing I noticed is that in the real-time logs I can see the connection when connecting, for example, from inside production to the server, but when trying to connect from a public IP like a.b.c.86 (my home public IP), nothing appears in the logs. It doesn't even tell me whether there's a dropped connection.
Am I doing something wrong? Thanks for your help.
11-30-2018 02:39 PM
When you mentioned "new FTP over TLS server with Windows 2012 R2 and behind an ASA 5515-X"
and you have mentioned that the mapped IP is x.y.z.13 - does that mean the Windows 2012 server has an inside network IP?
If that is correct, do you have a NAT rule translating from the outside IP to the inside IP, and access rules in place?
If my understanding is wrong, please correct me.
11-30-2018 02:43 PM
Yeah, I have FTPS on a Windows Server 2012 R2 in my inside network lab. The IP x.y.z.13 is the public IP mapped to the server.
I have my NAT from Outside to Inside and Access Rules correctly placed.
You are correct.
11-30-2018 02:47 PM
What is the inside server IP? Can you post the configuration so I can make a suggestion?
11-30-2018 03:14 PM
The inside IP of my server is 172.30.16.97.
I attach the current NAT and Access Rules from ASDM. As you can see, the FTP network object corresponds to TCP port 21 and the PASV object corresponds to ports 30000-40000 for passive mode.
As I said, I can only connect to the server if my FTP client is behind a NAT device with an outside IP in the same subnet as the ASA public IP.
12-04-2018 03:46 PM
Here is a base CLI port-forwarding config that I always use and adapt for different requirements.
In this case, we are allowing any IP on the Internet to access the public IP 100.1.1.10 for a web server that is NATted to the internal DMZ IP 172.16.0.10:
object network websvr-ext
host 100.1.1.10
object network websvr-int
host 172.16.0.10
nat (dmz,outside) static websvr-ext service tcp 80 80
access-list outside-in extended permit tcp any object websvr-int eq 80
hope that helps
regards, mk
01-03-2019 01:54 PM
Finally, I think I found what was happening. It seems there was an IP conflict, since all our public IPs are used to publish other services. So what I did was replicate the scenario using only private addresses on both the inside and outside interfaces, with another ASA unit for lab purposes.
My test:
Inside network: 192.168.0.0/16
Inside FTP server: 192.168.20.97
FTP Server's external address: 172.30.31.19
* The outside network in this scenario is the labs network.
* Same rules used to publish a secure FTP, including passive ports.
Client testing:
Client 1: 172.30.8.71 (in production network)
Client 2: 172.30.60.10 (VPN client connected to Labs network)
It worked for both.