10-23-2018 06:36 AM - edited 02-21-2020 08:23 AM
Hi
I have a problem with the ASA not allowing passive FTP directory listing. Code 9.6.4.
Tried with and without the passive command.
Also with inspection and without.
show conn
TCP outside 217.160.123.90:65134 inside 172.18.14.27:52034, idle 0:00:04, bytes 0, flags sxaAX
TCP outside 217.160.123.90:21 inside 172.18.14.27:52032, idle 0:00:04, bytes 374, flags UxIOX
TCP outside 217.160.123.90:21 inside 172.18.14.27:52011, idle 0:01:33, bytes 373, flags UfrxIOX
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns migrated_dns_map_1, packet 99393, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 31 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: netbios, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: icmp, packet 544, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Inspect: ftp strict, packet 449, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Class-map: sfr
SFR: card status Up, mode fail-open
packet input 2094103, packet output 2094104, drop 0, reset-drop 0
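The three `show conn` lines above are the most useful evidence in this post, but the flag letters are easy to misread. The following is an added example (not part of the thread or of Cisco's tooling) that parses `show conn` TCP lines and decodes the flags using Cisco's documented legend for the letters that appear here, then separates the FTP control channel (outside port 21) from the passive data channel. The sample input is copied verbatim from the post; the legend subset and the diagnosis wording are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Subset of the Cisco ASA "show conn" TCP flag legend (documented letter
# meanings); only the letters relevant to this thread plus a few common ones.
FLAG_LEGEND = {
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "f": "inside FIN",
    "F": "outside FIN",
    "I": "inbound data",
    "O": "outbound data",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "U": "up",
    "x": "per-session",
    "X": "inspected by service module",
}

# One "show conn" line: protocol, outside endpoint, inside endpoint, idle, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)

# Copied from the thread's "show conn" output.
SAMPLE_SHOW_CONN = """\
TCP outside 217.160.123.90:65134 inside 172.18.14.27:52034, idle 0:00:04, bytes 0, flags sxaAX
TCP outside 217.160.123.90:21 inside 172.18.14.27:52032, idle 0:00:04, bytes 374, flags UxIOX
TCP outside 217.160.123.90:21 inside 172.18.14.27:52011, idle 0:01:33, bytes 373, flags UfrxIOX
"""


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle: str
    nbytes: int
    flags: str

    @property
    def established(self) -> bool:
        return "U" in self.flags

    @property
    def handshake_pending(self) -> bool:
        # s/a/A mean the ASA is still waiting for part of the three-way handshake.
        return any(c in self.flags for c in "saA")

    def flag_names(self) -> List[str]:
        return [FLAG_LEGEND.get(c, f"unknown flag '{c}'") for c in self.flags]


def parse_show_conn(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip headers or unrelated output
        conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]), m["in_ip"],
                          int(m["in_port"]), m["idle"], int(m["bytes"]), m["flags"]))
    return conns


def diagnose_ftp(conns: List[Conn]) -> List[str]:
    """One finding per connection: port 21 is the control channel, any other
    outside port on the same server is treated as a passive data channel."""
    findings = []
    control_servers = {c.out_ip for c in conns if c.out_port == 21}
    for c in conns:
        ep = f"{c.in_ip}:{c.in_port} -> {c.out_ip}:{c.out_port}"
        if c.out_port == 21:
            state = "established" if c.established else "not established"
            findings.append(f"control {ep}: {state} ({', '.join(c.flag_names())})")
        elif c.out_ip in control_servers:
            if c.handshake_pending and c.nbytes == 0:
                findings.append(
                    f"data {ep}: SYN left the inside, no SYN-ACK from outside yet "
                    f"(flags {c.flags}) - check the outbound ACL/NAT and the server side"
                )
            else:
                findings.append(f"data {ep}: {', '.join(c.flag_names())}")
        else:
            findings.append(f"other {ep}: flags {c.flags}")
    return findings


if __name__ == "__main__":
    for finding in diagnose_ftp(parse_show_conn(SAMPLE_SHOW_CONN)):
        print(finding)
```

Run against the thread's output, the decoder reports the control session on port 21 as up with data in both directions, and the high-port data connection as a conn entry with zero bytes whose handshake has not completed. That is the distinction a reader wants from this output: the data SYN was accepted by the ASA (a conn exists), so the next place to look is whatever sits beyond it, which is exactly what the capture requested in the reply below would show.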
10-24-2018 12:40 AM
Hello,
If the FTP is outbound, FTP inspection should not be required. The secondary data connection will be initiated from the client and should pass through unless there is an access-list preventing that connection.
Could you collect Wireshark captures from the host machine while attempting to connect, so that we can see where this is failing? Please note that this might contain sensitive info.
HTH
AJ
10-24-2018 02:43 AM - edited 10-24-2018 02:46 AM
Dear Ajay
Thanks for the response. I have allowed ports ftp and ftp-data on the inside interface, tried FTP inspection enabled and disabled, and also tried ftp mode passive. Here is the Wireshark capture after password exchange; on the FileZilla client I can see login successful, and then list directory waits and times out.
Do I need to enable any outside ACL?
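The reply above says the passive data connection is initiated by the client, and the follow-up asks which ACL has to permit it. What decides the destination of that connection is the server's `227`/`229` reply on the control channel, which is exactly what FTP inspection reads to open a pinhole and what an outbound ACL must cover when inspection is off. The following is an added example (not from the thread, FileZilla, or Cisco) that parses those replies the way a client or inspection engine does, computes the data port, and rejects a `227` that advertises a host other than the control-connection peer. The sample replies are constructed; the IP and port are chosen so they match the data connection visible in the original `show conn` output.

```python
import ipaddress
import re
from typing import Tuple

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")

# Constructed samples: 254*256 + 110 = 65134, the data port seen in the thread.
SAMPLE_PASV = "227 Entering Passive Mode (217,160,123,90,254,110)"
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||65134|)"
CONTROL_PEER = "217.160.123.90"  # the FTP server the control channel is connected to


def parse_passive_reply(reply: str, control_peer: str) -> Tuple[str, int]:
    """Return (host, port) the client must connect to for the data channel.

    A 227 that names a host other than the control-connection peer is rejected
    (the usual client and firewall hardening rule), as is any out-of-range port.
    """
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("octet out of range in 227 reply")
        host = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
            raise ValueError(f"227 reply points at {host}, not control peer {control_peer}")
    else:
        m = EPSV_RE.match(reply)
        if not m:
            raise ValueError("not a 227/229 passive-mode reply")
        host, port = control_peer, int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"data port {port} out of range")
    return host, port


def required_outbound_flow(client_ip: str, reply: str, control_peer: str) -> str:
    """Describe the client-initiated TCP flow a firewall must permit (or that
    FTP inspection would open automatically) for the directory listing to work."""
    host, port = parse_passive_reply(reply, control_peer)
    return f"permit tcp {client_ip} -> {host}:{port} (client-initiated data channel)"


if __name__ == "__main__":
    print(required_outbound_flow("172.18.14.27", SAMPLE_PASV, CONTROL_PEER))
    print(required_outbound_flow("172.18.14.27", SAMPLE_EPSV, CONTROL_PEER))
```

The practical point for the question asked: with `inspect ftp` on, the ASA derives this host and port from the control channel and opens the data pinhole itself; with inspection off, the outbound rule on the inside interface has to permit the client to reach the server on the whole range of ports the server may hand out, and a rule that only covers `ftp` and `ftp-data` does not do that.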