ASA, issues with an external Active FTP server

morabusa
Level 1

Hello, I am having issues allowing LAN users to connect to an external FTP server. The issue is that I can see how the user starts the connection using port 21, but then it also tries to open another random port (e.g. 30006, 30007, etc.) which is getting blocked. As far as I know, if I enable FTP inspection in the ASA, this extra negotiated port should also be permitted, but it is not working and I am not sure why. Can you please help me? Thank you very much.

Best Regards.

show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect sip
class global-class
sfr fail-open monitor-only
class class-default
user-statistics accounting
policy-map type inspect sip XXX.XXXXXX.com
parameters
max-forwards-validation action drop log

1 Reply

Muhammad Awais Khan
Cisco Employee

Hi,

There are two modes of FTP operation, Active and Passive. Active utilizes port 21 for session initiation and port 20 on the reply, which can be handled easily by the ASA with the default command "inspect ftp". Passive mode works differently and uses non-standard ports after the session initiation:

Here's how passive mode works in a nutshell:

  1. The client connects from a random port to port 21 on the server and issues the PASV command. The server replies, indicating which (random) port it has opened for data transfer. 

  2. The client connects from another random port to the random port specified in the server's response. Once the connection is established, data transfers are made through these client and server ports.

To handle this, you need to capture the port or range of ports used in your FTP connection, then allow it as described in the steps below:

access-list ftp-list extended permit tcp any any eq XXXX

  or

access-list ftp-list extended permit tcp any any gt 1000
!
class-map ftp-class
match access-list ftp-list
!
policy-map global_policy
class ftp-class
inspect ftp
!

You can refer to the document below, which further explains how to capture the ports. Usually these data connections use higher-numbered ports, greater than 1000:

https://www.cisco.com/c/en/us/support/docs/content-networking/file-transfer-protocol-ftp/200194-ASA-9-x-Configure-FTP-TFTP-Services.html#anc10
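The step the reply calls "capture the port" comes down to reading the FTP control channel: in passive mode the server's 227 (PASV) or 229 (EPSV) reply carries the data port, and in active mode the client's PORT command does. The following Python is an added example, not part of this thread or of any Cisco tool. It parses a constructed control-channel transcript (the addresses and ports in it are made up), extracts every negotiated data port, and reports whether the reply's "permit tcp any any gt 1000" ACL would match the destination port of that data connection. The transcript and the helper names are assumptions for the example; the port arithmetic (p1*256 + p2) and reply codes are from the FTP specification.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class DataChannel(NamedTuple):
    """One negotiated FTP data connection, as announced on the control channel."""
    mode: str        # "active" (PORT from client) or "passive" (227/229 from server)
    host: str        # address the data connection is made TO
    port: int        # destination port of the data connection
    opened_by: str   # side that initiates the TCP handshake for the data channel


# Server reply to PASV: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server reply to EPSV (RFC 2428): 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")
# Client PORT command: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def _port_from_octets(p1: str, p2: str) -> int:
    # FTP encodes a 16-bit port as two decimal bytes: port = p1 * 256 + p2
    return int(p1) * 256 + int(p2)


def parse_control_line(line: str, server_host: str) -> Optional[DataChannel]:
    """Return the data channel negotiated by one control-channel line, or None."""
    m = PASV_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        return DataChannel("passive", host, _port_from_octets(m.group(5), m.group(6)), "client")
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries no address: the client connects to the server's control address
        return DataChannel("passive", server_host, int(m.group(1)), "client")
    m = PORT_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        return DataChannel("active", host, _port_from_octets(m.group(5), m.group(6)), "server")
    return None


def data_channels(session: List[Tuple[str, str]], server_host: str) -> List[DataChannel]:
    """Walk a (direction, line) transcript and collect every negotiated data channel."""
    found = []
    for _direction, line in session:
        ch = parse_control_line(line, server_host)
        if ch:
            found.append(ch)
    return found


def acl_gt_permits(port: int, threshold: int = 1000) -> bool:
    """Mirror the 'permit tcp any any gt <threshold>' match: strictly greater than."""
    return port > threshold


# Constructed sample transcript (hypothetical addresses; not captured from the poster's network).
SERVER = "198.51.100.20"
SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS ********"),
    ("S", "230 Login successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,20,117,54)."),   # 117*256+54 = 30006
    ("C", "RETR report.txt"),
    ("S", "150 Opening BINARY mode data connection"),
    ("S", "226 Transfer complete"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||30007|)"),       # port 30007
    ("C", "PORT 10,0,0,5,3,232"),                                  # 3*256+232 = 1000, active mode
    ("S", "200 PORT command successful"),
]


def audit(session=SESSION, server_host=SERVER, threshold=1000):
    """List (mode, host, port, matched) for each data channel against a 'gt <threshold>' ACL."""
    return [(ch.mode, ch.host, ch.port, acl_gt_permits(ch.port, threshold))
            for ch in data_channels(session, server_host)]


if __name__ == "__main__":
    for mode, host, port, ok in audit():
        print(f"{mode:8s} data connection to {host}:{port:<6d} matched by 'gt 1000': {ok}")
```

The third channel in the sample shows the edge case worth knowing: a data port of exactly 1000 is not matched by "gt 1000", so when the captured ports sit near the boundary, widen the range or list the exact ports with "eq" as the reply suggests. Running the script against a transcript exported from a packet capture of the real control session tells you which ports the class-map needs to cover.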