12-31-2013 11:50 AM - edited 03-11-2019 08:23 PM
ASA 5525
Version 9.1(2)
We have an FTP server on which I've set the passive ports to a specific range (10000-11000). When the FTP server hands the packet off to the ASA, the PASV command gives the local address and a port within the range specified. The ASA hands the packet out with the public address (a good thing) and changes the port to a random one > 1024 (a bad thing).
E.g. (IPs changed, all else as seen in capture):
(ingress packet) from FTP server into ASA, giving out port 10022 - good
35 1.051115 192.168.1.225 75.252.75.231 FTP 101 Response: 227 Entering Passive Mode (192,168,1,225,39,38)
(egress packet) PASV command to show public IP, and changes port to 16185 - bad
36 1.051176 4.4.4.165 75.252.75.231 FTP 104 Response: 227 Entering Passive Mode (4,4,4,165,63,57).
Is it possible to change the FTP inspection so that it will leave the port as is instead of choosing a random one? For various reasons, I need to NAT the other high-level ports differently.
Thanks,
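To check from two captures whether a 227 reply was rewritten in flight, as in the two packets quoted above, here is an added example (not code from the thread or from Cisco) that decodes the PASV tuple and compares the inside and outside copies of the same reply. The sample lines are the two quoted in the question, and the passive range 10000-11000 is assumed to be the server's configured range as the poster describes.

```python
import re
from typing import NamedTuple, Optional

# FTP reply 227 carries the data endpoint as six decimal bytes:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where port = p1*256 + p2
PASV_RE = re.compile(
    r"\b227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

class PasvReply(NamedTuple):
    host: str
    port: int

def parse_pasv(line: str) -> Optional[PasvReply]:
    """Decode host and port from a capture line holding a 227 reply; None if absent or malformed."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # each field is one byte; reject junk such as (1,2,3,4,300,1)
    host = ".".join(str(f) for f in fields[:4])
    return PasvReply(host, fields[4] * 256 + fields[5])

def compare_pasv(inside_line: str, outside_line: str,
                 passive_range: tuple = (10000, 11000)) -> dict:
    """Pair the server-side (inside) reply with the client-side (outside) copy of the
    same reply and report what the firewall changed. passive_range is the server's
    configured passive port range (assumed 10000-11000 here, as stated in the post)."""
    inside, outside = parse_pasv(inside_line), parse_pasv(outside_line)
    if inside is None or outside is None:
        raise ValueError("one of the lines is not a 227 reply")
    lo, hi = passive_range
    return {
        "inside": inside,
        "outside": outside,
        "address_rewritten": inside.host != outside.host,   # expected with static NAT
        "port_rewritten": inside.port != outside.port,      # the behaviour asked about
        "outside_port_in_range": lo <= outside.port <= hi,  # False: client hits an unmapped port
    }

# Constructed sample: the two capture lines quoted in the question (addresses as given there).
INSIDE_LINE = "35 1.051115 192.168.1.225 75.252.75.231 FTP 101 Response: 227 Entering Passive Mode (192,168,1,225,39,38)"
OUTSIDE_LINE = "36 1.051176 4.4.4.165 75.252.75.231 FTP 104 Response: 227 Entering Passive Mode (4,4,4,165,63,57)."

if __name__ == "__main__":
    for key, value in compare_pasv(INSIDE_LINE, OUTSIDE_LINE).items():
        print(f"{key}: {value}")
```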
01-01-2014 06:47 AM
will this help probably?
https://supportforums.cisco.com/thread/2166619
---
Posted by WebUser Erik Boss from Cisco Support Community App
01-02-2014 07:47 AM
Thanks for the response. I checked that and I believe that's for when you use a non-standard control port. We are using 21 for the control port, so we need to leave it inspecting 21.
01-02-2014 08:21 AM
Hi,
Are you saying that when the Client connects to the FTP server and the server replies to the Client to inform it of the actual Data port, the ASA changes that port so that it's no longer from the range 10000-11000?
Sadly I have not had to troubleshoot FTP that many times. Usually it's been a problem either on the Client or Server end rather than the ASA. Once I had problems with Active FTP through an ASA running 8.4(1) because of a bug related to the multicore models of ASAs, but nothing like you are describing.
If the ASA is truly sending wrong port information to the Client then I am not sure if that can be changed with a configuration? Seems to me more like a bug. Though again I have to say that I have not had to troubleshoot FTP that often. Most of the time the ASA has handled all FTP traffic just fine without any special modifications to the configuration.
I was originally thinking that this could be corrected simply by creating translations for the source ports that the FTP server uses for the actual Data connections, but if the problem is that the Client will connect to the wrong port then that won't help with the problem at all.
Have you considered trying with some other software level?
Do you have any additional ASA equipment that could be used to lab/test this problem with different software levels?
- Jouni
01-02-2014 09:51 AM
Are you saying that when the Client connects to the FTP server and the server replies to the Client to inform it of the actual Data port, the ASA changes that port so that it's no longer from the range 10000-11000?
Yes, this is what's happening. The ASA is looking at the PASV command from server, then changes the port before passing along to client.
It's almost like the ASA is adding a temporary PAT for the inside port to a random outside port, and changing the packet with the PASV ftp command to match the new outside port.
Active is working fine, but some of our customers refuse to make changes on their end and have it set up to transfer files through Passive FTP. If it was my choice they'd all be on SFTP.
01-03-2014 12:39 AM
Hello Travis,
Does not make any sense.
Can you provide us the NAT configuration you have for the FTP server?
Also, do you have captures available from when the issue happens, from both the inside and outside interfaces, that you can attach to this discussion?
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-03-2014 08:40 AM
I agree, it's not making sense to me either. I've attached a merged capture file showing the FTP packets. I also attached a screen shot showing the two where it passes the PASV command. Line 27 is Server to inside interface, line 28 is outside interface to client. You can see where the ASA is changing the PASV command.
Thanks,
01-03-2014 11:56 AM
Hello,
I am still missing the ASA configuration.
Can you share that?
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-04-2014 03:38 PM
I am not using version 8.0(4) on a Pix firewall and I am not seeing this issue. It might be a bug in version 9.1.
Have you tried something like this:
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255 norandomseq nailed
Basically it tells the ASA not to randomize the TCP sequence.
08-19-2016 01:00 PM
Non-standard passive FTP.
access-list FTP-LIST extended permit tcp any any range 10021 10022
access-list FTP-LIST extended permit tcp any any range 50000 50019
class-map FTP-CLASS
 match access-list FTP-LIST
policy-map global_policy
 class FTP-CLASS
  inspect ftp
This did not affect the original "inspect ftp" under the default policy, e.g.:
"policy-map global_policy
 class inspection_default
  inspect ftp"
sho service-policy inspect ftp
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 1764569221, lock fail 0, drop 0, reset-drop 5585, v6-fail-close 0
    Class-map: FTP-CLASS
      Inspect: ftp, packet 184, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
HTH anyone doing the search I was.