ASA blocking my FTP connection

hshabany
Level 1

Hi Guys,

I have been able to connect to my FTP server just fine. I started losing connection to the server as soon as I log on. I have tried several workstations on the network and I am faced with the same problem. I haven't changed any configuration, but we experienced a power outage before this problem. My FTP server address is 12.218.61.83. I've been scratching my head for the last couple of days to figure out what's wrong, but I can't seem to put my hand on anything.

 

interface GigabitEthernet0/0
 nameif AT&T
 security-level 0
 ip address 12.218.61.82 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif 123.net
 security-level 0
 ip address 152.160.54.66 255.255.255.248 
!
interface GigabitEthernet0/2
 nameif LAN-Inside
 security-level 100
 ip address 10.11.254.1 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif LAN-Wired
 security-level 100
 ip address 10.80.253.2 255.255.255.252 
!
interface GigabitEthernet0/4
 nameif WLAN-Guest
 security-level 100
 ip address 192.168.4.1 255.255.255.0 
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
boot system disk0:/asa962-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network FTP-Server-Backup
 host 10.11.254.210
 description Backup FTP rule
object network A_152.160.54.65
 host 152.160.54.65
object network NETWORK_OBJ_10.11.254.0_24
 subnet 10.11.254.0 255.255.255.0
object network NETWORK_OBJ_192.168.160.0_24
 subnet 192.168.160.0 255.255.255.0
object network FTP-Server-Private
 host 10.11.254.210
object network A_12.218.61.83
 host 12.218.61.83
object network obj_10.1.10.0
 subnet 10.1.10.0 255.255.255.252
object network obj_172.16.0.0
 subnet 172.16.0.0 255.255.0.0
object network obj_192.168.160.0
 subnet 192.168.160.0 255.255.255.0
object-group network LAN
 network-object object obj_10.1.10.0
 network-object object obj_172.16.0.0
access-list AT&T_access extended permit tcp any4 object FTP-Server-Private eq ftp 
access-list AT&T_access extended permit tcp any4 object NETWORK_OBJ_10.11.254.0_24 eq 8443 
access-list 123.net_access extended permit tcp any4 object FTP-Server-Backup eq ftp 
access-list Changan_IPSEC_splitTunnelAcl standard permit 10.11.254.0 255.255.255.0 
access-list Changan_IPSEC_splitTunnelAcl standard permit 10.1.10.0 255.255.255.252 
access-list Changan_IPSEC_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0 
access-list sfr_redirect extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu AT&T 1500
mtu 123.net 1500
mtu LAN-Inside 1500
mtu LAN-Wired 1500
mtu WLAN-Guest 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any AT&T
icmp permit any 123.net
icmp permit any LAN-Inside
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (LAN-Inside,123.net) source dynamic any interface
nat (LAN-Inside,AT&T) source static NETWORK_OBJ_10.11.254.0_24 NETWORK_OBJ_10.11.254.0_24 destination static NETWORK_OBJ_192.168.160.0_24 NETWORK_OBJ_192.168.160.0_24 no-proxy-arp route-lookup
nat (WLAN-Guest,123.net) source static any interface
nat (WLAN-Guest,AT&T) source dynamic any interface
nat (LAN-Inside,AT&T) source static LAN LAN destination static NETWORK_OBJ_192.168.160.0_24 NETWORK_OBJ_192.168.160.0_24 no-proxy-arp route-lookup
nat (LAN-Wired,123.net) source dynamic any interface
nat (LAN-Wired,AT&T) source dynamic any interface
!
object network FTP-Server-Private
 nat (LAN-Inside,AT&T) static A_12.218.61.83 no-proxy-arp
!
nat (LAN-Inside,AT&T) after-auto source dynamic any interface
access-group AT&T_access in interface AT&T
access-group 123.net_access in interface 123.net
route AT&T 0.0.0.0 0.0.0.0 12.218.61.81 1 track 1
route 123.net 0.0.0.0 0.0.0.0 152.160.54.65 254 track 2
route LAN-Inside 10.1.10.0 255.255.255.252 10.11.254.4 1
route LAN-Wired 10.80.1.0 255.255.255.0 10.80.253.1 1
route LAN-Wired 10.80.3.0 255.255.255.0 10.80.253.1 1
route LAN-Wired 10.80.4.0 255.255.255.0 10.80.253.1 1
route LAN-Inside 172.16.0.0 255.255.0.0 10.11.254.4 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.254.0 255.255.255.0 LAN-Inside
http 70.62.62.26 255.255.255.255 AT&T
http 0.0.0.0 0.0.0.0 AT&T
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.1 interface AT&T
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 4.2.2.1 interface 123.net
 num-packets 4
sla monitor schedule 2 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map AT&T_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AT&T_map interface AT&T
crypto map 123.net_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map 123.net_map interface 123.net
crypto ca trustpool policy
crypto ikev1 enable AT&T
crypto ikev1 enable 123.net
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
telnet 64.100.11.15 255.255.255.255 WLAN-Guest
telnet 64.100.11.0 255.255.255.0 WLAN-Guest
telnet 64.0.0.0 255.0.0.0 WLAN-Guest
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 AT&T
ssh 10.11.254.0 255.255.255.0 LAN-Inside
ssh 10.80.253.0 255.255.255.0 LAN-Wired
ssh 10.80.1.0 255.255.255.0 LAN-Wired
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.11.254.30-10.11.254.199 LAN-Inside
dhcpd dns 12.127.16.67 216.234.97.2 interface LAN-Inside
dhcpd lease 86400 interface LAN-Inside
dhcpd auto_config AT&T interface LAN-Inside
dhcpd enable LAN-Inside
!
dhcpd address 192.168.4.100-192.168.4.250 WLAN-Guest
dhcpd dns 12.127.16.67 216.234.97.2 interface WLAN-Guest
dhcpd enable WLAN-Guest
!

 

7 Replies

Hello @hshabany

Can you add inspection on your firewall and test?

 

class-map class_ftp
 match port tcp eq ftp
policy-map global_policy
 class class_ftp
  inspect ftp

 

 

-If I helped you somehow, please, rate it as useful.-

I have already tried that but still no changes.

Could you run a packet tracer?

 

packet-tracer input inside tcp "Origin" 12345 "Destination" 21 det 

 

 

 

-If I helped you somehow, please, rate it as useful.-

So, I've run packet tracer and traffic seems to pass just fine. Now I am thinking that there is something wrong with my FTP server. I have checked, but the server is up and running. Scratching my head. Any suggestions?

Thank you.

That's good, but that does not necessarily eliminate a firewall problem. We see a lot of problems with firewalls and FTP. Even though the firewall is permitting the traffic, some FTP behavior can cause the firewall to drop the connection. One good point is inspection; as you said you already have it, we need to keep investigating. But, yes, the FTP server is one possibility for sure.

First, try to identify if you are using Active or Passive FTP mode:

 

Active mode:

Client opens up command channel from client port 2000(a) to server port 21(b).
Client sends PORT 2001(a) to server and server acknowledges on command channel.
Server opens up data channel from server port 20(b) to client port 2001(a).
Client acknowledges on data channel.

Passive mode:

Client opens up command channel from client port 2000(a) to server port 21(b).
Client sends PASV to server on command channel.
Server sends back (on command channel) PORT 1234(a) after starting to listen on that port.
Client opens up data channel from client 2001(a) to server port 1234(a).
Server acknowledges on data channel.

 

As you can see, there is different behavior in terms of ports in the different FTP modes, and this can cause problems for the firewall.

 

Please share the ASA config again, but this time attach it as a txt file.

 

-If I helped you somehow, please, rate it as useful.-
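Added example (not from this thread, from the poster, or from Cisco): a small Python checker for the PASV/PORT exchange described above. It decodes the six-number host/port form the FTP control channel uses, returns the extra TCP flow a firewall must allow for each mode, and flags a 227 reply that advertises a private address while the client reached the server on its public one, which is the situation NAT creates when nothing rewrites the embedded address (on the ASA that rewriting is what inspect ftp does). The control-channel lines are constructed; the addresses reuse the thread's server (10.11.254.210 behind 12.218.61.83) and an assumed guest-WLAN client, and the function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed control-channel samples for this example (not captured traffic).
# Server addresses are the thread's: 10.11.254.210 statically NATed to 12.218.61.83.
PASV_REPLY_UNFIXED = "227 Entering Passive Mode (10,11,254,210,4,210)"  # as the server sent it
PASV_REPLY_FIXED = "227 Entering Passive Mode (12,218,61,83,4,210)"    # after NAT-aware rewriting
PORT_COMMAND = "PORT 192,168,4,100,7,209"                                # assumed client on WLAN-Guest

# FTP encodes h1,h2,h3,h4,p1,p2 where the data port is p1*256 + p2 (RFC 959).
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def _decode(groups) -> DataEndpoint:
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_pasv_reply(line: str) -> DataEndpoint:
    """Decode the server's 227 reply: the address/port the client must connect to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    return _decode(m.groups())


def parse_port_command(line: str) -> DataEndpoint:
    """Decode the client's PORT command: the address/port the server connects back to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def expected_data_flow(mode: str, client_ip: str, server_ip: str, ep: DataEndpoint) -> dict:
    """The TCP flow the firewall must allow in addition to the port-21 control channel:
    active mode is server-initiated from port 20, passive mode is client-initiated
    to the port announced in the 227 reply."""
    if mode == "active":
        return {"src": server_ip, "sport": 20, "dst": ep.host, "dport": ep.port, "initiator": "server"}
    if mode == "passive":
        return {"src": client_ip, "sport": None, "dst": ep.host, "dport": ep.port, "initiator": "client"}
    raise ValueError(f"unknown mode {mode!r}")


def check_passive_endpoint(reply_line: str, control_peer_ip: str) -> Tuple[DataEndpoint, List[str]]:
    """Compare the address a 227 reply advertises with the address the client actually
    reached on the control channel. A mismatch means nothing rewrote the embedded
    address for NAT, so the client's data connection goes somewhere it cannot reach."""
    ep = parse_pasv_reply(reply_line)
    problems: List[str] = []
    if ipaddress.ip_address(ep.host).is_private:
        problems.append("PASV reply advertises a private (RFC 1918) address")
    if ep.host != control_peer_ip:
        problems.append(f"advertised {ep.host} differs from control-channel peer {control_peer_ip}")
    return ep, problems


if __name__ == "__main__":
    public_server = "12.218.61.83"
    for label, reply in (("unfixed", PASV_REPLY_UNFIXED), ("fixed", PASV_REPLY_FIXED)):
        ep, problems = check_passive_endpoint(reply, public_server)
        print(label, ep, expected_data_flow("passive", "192.168.4.100", public_server, ep))
        for p in problems:
            print("  problem:", p)
    client_ep = parse_port_command(PORT_COMMAND)
    print("active", expected_data_flow("active", "192.168.4.100", public_server, client_ep))
```

Run against a real session by pasting the 227 line from the client's verbose output and the public address the client connected to; an "advertised address differs" result points at the NAT/inspection path on the firewall rather than at the server being down.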

 

 

I was able to open a connection to the FTP through a different IP address of the FTP server. So, I figured the problem is limited to the 12.218.61.82 subnet. This is the link between my ASA and the AT&T modem. The line is up/up, but traffic is not being forwarded to the FTP (12.218.61.83).

We are using passive mode to connect to FTP. I have attached a copy of the ASA configuration.
