12-05-2017 12:15 PM - edited 02-21-2020 06:54 AM
Hi Guys,
I have been able to connect to my FTP server just fine. I started losing connection to the server as soon as I log on. I have tried several workstations on the network and I am faced with the same problem. I haven't changed any configuration, but we have experienced a power outage before this problem. My FTP server address is 12.218.61.83. I've been scratching my head for the last couple of days to figure out what's wrong, but I can't seem to put my hand on anything.
interface GigabitEthernet0/0
 nameif AT&T
 security-level 0
 ip address 12.218.61.82 255.255.255.248
!
interface GigabitEthernet0/1
 nameif 123.net
 security-level 0
 ip address 152.160.54.66 255.255.255.248
!
interface GigabitEthernet0/2
 nameif LAN-Inside
 security-level 100
 ip address 10.11.254.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif LAN-Wired
 security-level 100
 ip address 10.80.253.2 255.255.255.252
!
interface GigabitEthernet0/4
 nameif WLAN-Guest
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
boot system disk0:/asa962-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network FTP-Server-Backup
 host 10.11.254.210
 description Backup FTP rule
object network A_152.160.54.65
 host 152.160.54.65
object network NETWORK_OBJ_10.11.254.0_24
 subnet 10.11.254.0 255.255.255.0
object network NETWORK_OBJ_192.168.160.0_24
 subnet 192.168.160.0 255.255.255.0
object network FTP-Server-Private
 host 10.11.254.210
object network A_12.218.61.83
 host 12.218.61.83
object network obj_10.1.10.0
 subnet 10.1.10.0 255.255.255.252
object network obj_172.16.0.0
 subnet 172.16.0.0 255.255.0.0
object network obj_192.168.160.0
 subnet 192.168.160.0 255.255.255.0
object-group network LAN
 network-object object obj_10.1.10.0
 network-object object obj_172.16.0.0
access-list AT&T_access extended permit tcp any4 object FTP-Server-Private eq ftp
access-list AT&T_access extended permit tcp any4 object NETWORK_OBJ_10.11.254.0_24 eq 8443
access-list 123.net_access extended permit tcp any4 object FTP-Server-Backup eq ftp
access-list Changan_IPSEC_splitTunnelAcl standard permit 10.11.254.0 255.255.255.0
access-list Changan_IPSEC_splitTunnelAcl standard permit 10.1.10.0 255.255.255.252
access-list Changan_IPSEC_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list sfr_redirect extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu AT&T 1500
mtu 123.net 1500
mtu LAN-Inside 1500
mtu LAN-Wired 1500
mtu WLAN-Guest 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any AT&T
icmp permit any 123.net
icmp permit any LAN-Inside
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (LAN-Inside,123.net) source dynamic any interface
nat (LAN-Inside,AT&T) source static NETWORK_OBJ_10.11.254.0_24 NETWORK_OBJ_10.11.254.0_24 destination static NETWORK_OBJ_192.168.160.0_24 NETWORK_OBJ_192.168.160.0_24 no-proxy-arp route-lookup
nat (WLAN-Guest,123.net) source static any interface
nat (WLAN-Guest,AT&T) source dynamic any interface
nat (LAN-Inside,AT&T) source static LAN LAN destination static NETWORK_OBJ_192.168.160.0_24 NETWORK_OBJ_192.168.160.0_24 no-proxy-arp route-lookup
nat (LAN-Wired,123.net) source dynamic any interface
nat (LAN-Wired,AT&T) source dynamic any interface
!
object network FTP-Server-Private
 nat (LAN-Inside,AT&T) static A_12.218.61.83 no-proxy-arp
!
nat (LAN-Inside,AT&T) after-auto source dynamic any interface
access-group AT&T_access in interface AT&T
access-group 123.net_access in interface 123.net
route AT&T 0.0.0.0 0.0.0.0 12.218.61.81 1 track 1
route 123.net 0.0.0.0 0.0.0.0 152.160.54.65 254 track 2
route LAN-Inside 10.1.10.0 255.255.255.252 10.11.254.4 1
route LAN-Wired 10.80.1.0 255.255.255.0 10.80.253.1 1
route LAN-Wired 10.80.3.0 255.255.255.0 10.80.253.1 1
route LAN-Wired 10.80.4.0 255.255.255.0 10.80.253.1 1
route LAN-Inside 172.16.0.0 255.255.0.0 10.11.254.4 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.254.0 255.255.255.0 LAN-Inside
http 70.62.62.26 255.255.255.255 AT&T
http 0.0.0.0 0.0.0.0 AT&T
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.1 interface AT&T
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 4.2.2.1 interface 123.net
 num-packets 4
sla monitor schedule 2 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map AT&T_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AT&T_map interface AT&T
crypto map 123.net_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map 123.net_map interface 123.net
crypto ca trustpool policy
crypto ikev1 enable AT&T
crypto ikev1 enable 123.net
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
telnet 64.100.11.15 255.255.255.255 WLAN-Guest
telnet 64.100.11.0 255.255.255.0 WLAN-Guest
telnet 64.0.0.0 255.0.0.0 WLAN-Guest
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 AT&T
ssh 10.11.254.0 255.255.255.0 LAN-Inside
ssh 10.80.253.0 255.255.255.0 LAN-Wired
ssh 10.80.1.0 255.255.255.0 LAN-Wired
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.11.254.30-10.11.254.199 LAN-Inside
dhcpd dns 12.127.16.67 216.234.97.2 interface LAN-Inside
dhcpd lease 86400 interface LAN-Inside
dhcpd auto_config AT&T interface LAN-Inside
dhcpd enable LAN-Inside
!
dhcpd address 192.168.4.100-192.168.4.250 WLAN-Guest
dhcpd dns 12.127.16.67 216.234.97.2 interface WLAN-Guest
dhcpd enable WLAN-Guest
!
12-05-2017 04:20 PM
Hello @hshabany
Can you add inspection on your firewall and test ?
policy-map global_policy
class class_ftp
inspect ftp
-If I helped you somehow, please, rate it as useful.-
12-06-2017 04:41 AM
I have already tried that but still no changes.
12-06-2017 04:49 AM
Could you run a packet tracer ?
packet-tracer input inside tcp "Origin" 12345 "Destination" 21 det
-If I helped you somehow, please, rate it as useful.-
12-06-2017 05:17 AM
So, I ran packet tracer and traffic seems to pass just fine. Now I am thinking that there is something wrong with my FTP server. I have checked, but the server is up and running. Scratching my head. Any suggestions?
Thank you.
12-06-2017 05:30 AM
That's good, but that does not necessarily eliminate a firewall problem. We see a lot of problems with firewalls and FTP. Even though the firewall is permitting the traffic, some FTP behavior can cause the firewall to drop the connection. One good point is inspection; as you said, you already have it, so we need to keep investigating. But, yes, the FTP server is one possibility for sure.
First, try to identify if you are using Active or Passive FTP mode:
Active mode:
Client opens up command channel from client port 2000(a) to server port 21(b).
Client sends PORT 2001(a) to server and server acknowledges on command channel.
Server opens up data channel from server port 20(b) to client port 2001(a).
Client acknowledges on data channel.
Passive mode:
Client opens up command channel from client port 2000(a) to server port 21(b).
Client sends PASV to server on command channel.
Server sends back (on command channel) PORT 1234(a) after starting to listen on that port.
Client opens up data channel from client 2001(a) to server port 1234(a).
Server acknowledges on data channel.
As you can see, there is different behavior in terms of ports in the different FTP modes, and this can cause problems for the firewall.
Please, share the ASA config again but this time attach as txt file.
-If I helped you somehow, please, rate it as useful.-
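The two handshakes listed above are exactly what a stateful FTP inspector such as the ASA's inspect ftp has to read off the command channel: the data-channel endpoint is not fixed, it is carried inside a PORT command (active) or a 227 reply (passive), so the firewall must parse the message to know which pinhole to open. The static NAT in the posted config (FTP-Server-Private translated to A_12.218.61.83) is where passive mode bites: unless the inspector also rewrites the address embedded in the 227 reply, the server tells the outside client to connect to 10.11.254.210. The following Python model is an added example, not code from this thread or from Cisco; the server addresses are the ones in the posted config, while the client addresses and the sample command-channel lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the thread): a minimal model of what a stateful FTP
# inspector has to do on the command channel.
# 1. Learn the dynamic data-channel endpoint from a PORT command (active mode)
#    or a 227 reply (passive mode) so the firewall can open a pinhole for it.
# 2. Rewrite the address embedded in a 227 reply when the server sits behind
#    static NAT; otherwise the client is told to connect to a private address.

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str                       # "active" or "passive"
    src_ip: str                     # side that opens the data connection
    src_port: int                   # 20 in active mode; 0 = ephemeral, not known yet
    dst_ip: str
    dst_port: int
    embedded_ip_matches_peer: bool  # False when NAT left a private address in the message


def _decode(fields) -> tuple:
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2), rejecting bad octets."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range: %r" % (fields,))
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_control_line(line: str, client_ip: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data connection a firewall must allow for this command-channel line."""
    m = _PORT_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        # Active: the server connects from port 20 to the address the client named.
        return DataChannel("active", server_ip, 20, ip, port, ip == client_ip)
    m = _PASV_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        # Passive: the client connects from an ephemeral port to the address the server named.
        return DataChannel("passive", client_ip, 0, ip, port, ip == server_ip)
    return None


def rewrite_pasv_reply(line: str, private_ip: str, public_ip: str) -> str:
    """Replace the private address in a 227 reply with the NAT public address."""
    m = _PASV_RE.match(line)
    if not m:
        return line
    ip, _ = _decode(m.groups())
    if ip != private_ip:
        return line
    start, end = m.start(1), m.end(4)  # span of h1..h4 inside the parentheses
    return line[:start] + public_ip.replace(".", ",") + line[end:]


# Constructed sample session values: the server addresses are the ones from the
# thread (10.11.254.210 statically NATed to 12.218.61.83); the client addresses
# are made up for this example.
PUBLIC_SERVER = "12.218.61.83"
PRIVATE_SERVER = "10.11.254.210"
INSIDE_CLIENT = "10.11.254.50"
OUTSIDE_CLIENT = "198.51.100.7"


def demo():
    """Run the two cases from the thread: active (PORT 2001) and passive (227 -> port 1234)."""
    active = parse_control_line("PORT 10,11,254,50,7,209", INSIDE_CLIENT, PUBLIC_SERVER)
    raw_227 = "227 Entering Passive Mode (10,11,254,210,4,210)"
    before = parse_control_line(raw_227, OUTSIDE_CLIENT, PUBLIC_SERVER)
    fixed_227 = rewrite_pasv_reply(raw_227, PRIVATE_SERVER, PUBLIC_SERVER)
    after = parse_control_line(fixed_227, OUTSIDE_CLIENT, PUBLIC_SERVER)
    return active, before, fixed_227, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The embedded_ip_matches_peer flag is the check worth keeping an eye on: a 227 reply whose address differs from the server the client is actually talking to is the signature of a NAT-without-inspection setup, and a PORT command naming an address other than the client is the case a firewall should refuse to open a pinhole for. A real inspector also tracks the TCP state of the command channel and tears the pinhole down when the transfer ends; that part is left out here.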
12-06-2017 07:30 AM
I was able to open a connection to the FTP through a different IP address of the FTP server. So, I figured the problem is limited to the 12.218.61.82 subnet. This is the link between my ASA and the AT&T modem. The line is up and up. But traffic is not being forwarded to the FTP (12.218.61.83).
12-06-2017 05:52 AM