Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2819
Views
9
Helpful
10
Replies

ASA 8 MPF FTP Inspection Blocks FTP over SSL

Go to solution
Mike Hendriks
Level 1
Level 1

‎01-26-2011 01:49 PM - edited ‎03-11-2019 12:40 PM

I followed the Configuration Example below to configure MPF FTP inspection with regular expressions.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aee442.shtml

I recently had a user complain that they were unable to connect to an FTP site despite my explicit allowance in the configuration.  See the attached image for the output they provided me.

The following is my MPF configuration for FTP.  Any advice would be appreciated.  Thanks in advance,

regex FTP_SITE1 "([0-9A-Za-z])*[Ff][Tt][Pp]\.[Aa][Kk][Cc][Ee][Ll][Ee][Rr][Aa][Nn][Tt]\.[Cc][Oo][Mm]"
regex FTP_SITE2 "Davis \+ Henderson"
regex FTP_SITE3 "Fincentric Secure FTP"

class-map type regex match-any FTP_SITES
match regex FTP_SITE1
match regex FTP_SITE2
match regex FTP_SITE3


class-map type inspect ftp match-all FTP_class_map
match not server regex class FTP_SITES


class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
  inspect ftp


policy-map type inspect ftp FTP_INSPECT_POLICY
parameters
class FTP_class_map
  reset log

Labels:
Preview file
6 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Mike Hendriks

‎01-26-2011 03:14 PM

Mike,

Most likely the behavior of this FTP connection is not compliant with FTP RFCs and that's why the ASA drops the connection (caused by the strict option)

Please check this link for the FTP inspection behavior:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_basic.html#wp1821726

Check for the ASA ''capture'' command.

Federico.

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-26-2011 01:57 PM

Mike,

The FTP site that the user is trying to access is one of the FTP_SITES?

The global_policy is inspecting FTP (default inspection).

The FTP_INSPECT_POLICY resets FTP for the class FTP_class_map but do you have it applied with the

service-policy?

If you issue a ''show service-policy inspect ftp'' it will show if the ASA is dropping or

resetting the FTP packets.

Federico.

Go to solution
Mike Hendriks
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-26-2011 02:27 PM

Apologies...

First, my inspect ftp line should actually read

inspect ftp strict FTP_INSPECT_POLICY

The config I pasted in was the workaround I'm using.

Second, see the following output from Core FTP when attempting to connect, as well as the output from the show service-policy inspect ftp

Core FTP

Resolving ftp2.fincentric.com... 
Connect socket #1140 to 72.15.150.51, port 21...
220 Fincentric Secure FTP for WinSock ready... 
AUTH SSL 
234 AUTH command OK. Initializing SSL connection. 
SSL/TLS error - 0, SSL error - 1, error:00000001:lib(0):func(0):reason(1)  
Winsock error 10060 (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  ) 
SSL Connection not established
Connection Failed
disconnected

ASA show service-policy inspect ftp

tritcasa5510# show service-policy inspect ftp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp strict FTP_INSPECT_POLICY, packet 17, drop 8, reset-drop 0
               Cmd not terminated drop          8
        class FTP_class_map
          reset log, packet 0

I'm not entirely sure what to make of the 8 drops and cmd not terminated drop counters.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Mike Hendriks

‎01-26-2011 02:46 PM

From the error:
(A connection attempt failed because the connected party did not properly respond after a period of time,
or established connection failed because connected host has failed to respond.  ) 
Could it have been that there was no response from the server?

If on the other hand, FTP is behaving in a way that the ASA will not accept (FTP inspection), we can capture the traffic and check the reason:

access-list FTPin permit ip host x.x.x.x host y.y.y.y
access-list FTPin permit ip host y.y.y.y host x.x.x.x
capture capin access-list FTPin interface inside

access-list FTPout permit ip host x.x.x.x host y.y.y.y
access-list FTPout permit ip host y.y.y.y host x.x.x.x
capture capout access-list FTPout interface outside

Federico.

Go to solution
Mike Hendriks
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-26-2011 03:03 PM 

coto.fusionet wrote:
From the error: 
(A connection attempt failed because the connected party did not properly respond after a period of time,
or established connection failed because connected host has failed to respond.  )  
Could it have been that there was no response from the server?

If I change inspect ftp strict FTP_INSPECT_POLICY to simply inspect ftp, the connection works normally.

I will set up the capture and report back... I'm not familiar with what those commands do - Will this create a .cap file in the ASA's file system or something similar?

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Mike Hendriks

‎01-26-2011 03:05 PM

Yes, and you can view the capture on the ASA itself, but it's way better to export them to Wireshark.

Here's the explanation:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/c1.html#wp2147322

Federico.

Go to solution
Mike Hendriks
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-26-2011 03:08 PM

That link is apparently forbidden to me??

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Mike Hendriks

‎01-26-2011 03:14 PM

Mike,

Most likely the behavior of this FTP connection is not compliant with FTP RFCs and that's why the ASA drops the connection (caused by the strict option)

Please check this link for the FTP inspection behavior:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_basic.html#wp1821726

Check for the ASA ''capture'' command.

Federico.

0 Helpful

Go to solution
Mike Hendriks
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-26-2011 03:52 PM

Thanks Federico, based on that link, I would tend to agree with you.  ASA FAQs also indicate that strict inspection is not supported with FTPS.

Unfortunately, this also forces me to disable my regexp filtering as I am unable to specify a policy-map name with the inspect ftp command unless I also specify the strict keyword.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Mike Hendriks

‎01-26-2011 05:46 PM

Mike, you're right but if the problem is with this one site, you can specify the FTP inspection to apply to all destinations but this one...

Not sure if it will work for you, just a thought.


Federico.

0 Helpful

Go to solution
Mike Hendriks
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-27-2011 04:01 PM

I would be very interested as it does appear that only this one site is affected.  Unfortunately, looking at the config, it seems a little bit beyond my understanding of the ASA's MPF.  Any insight into that process you may have would be appreciated.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card