10-15-2013 04:27 AM - edited 03-11-2019 07:52 PM
Hi,
Please be gentle with me as I'm still learning Cisco.
I'm trying to configure our Cisco ASA 5505 to allow Active mode FTP connections through. We have a user that uses some bespoke software that connects to a client via FTP in active mode.
When using the packet tracer, the packets fail by the DENY implicit incoming rule (please see below). This rule looks as though it cannot be edited, although as seen in my screenshot there are 2 rules very similar?
inspect FTP is enabled and always has been enabled.
10-15-2013 04:59 AM
Hi,
It seems according to the above picture that you might be entering the wrong information into "packet-tracer". The output/input interfaces should NOT both be "inside".
If we were to believe the output then it would mean that both the user and the destination server were behind the same interface on the ASA?
Is there a chance to see your firewall configuration in CLI format without any public IP addresses or other sensitive information? This would be the best way, for me personally at least, to check any problems with the configuration.
- Jouni
10-15-2013 05:22 AM
Thanks for the reply. Could you confirm the best command to run to confirm this? Show running-config would display all my information, so is there something that would be better suited?
Thanks
10-15-2013 05:31 AM
10-15-2013 05:47 AM
Hi,
If you are testing an outbound FTP connection from your LAN then you should use the following information
This is because the connection initiation for the FTP Control connection (TCP/21) will naturally come from the LAN which is behind the "inside" interface. And the source IP address is naturally the local IP address and the destination IP address the public IP address.
Ports you can leave as they are.
- Jouni
10-15-2013 06:19 AM
Ok, results below say that it successfully connected. However, the issue still persists.
What's the best command to show my firewall config?
Thanks for your help
10-15-2013 06:57 AM
Just testing through FileZilla I am getting this error message:
Status: Connection established, waiting for welcome message...
Response: 550 No connections allowed from your IP
Error: Critical error
Error: Could not connect to server
Whereas through Windows Explorer it acts as though my credentials are incorrect (although I know they aren't, as I have tested in a different environment).
10-15-2013 07:10 AM
Config attached, with any public IPs removed.
ASA Version 8.2(5)
!
hostname ASA5505
domain-name cloud.local
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
name 192.168.0.73 Metalfab-IT
name 192.168.0.5 W01DC01
name 192.168.0.9 vWorkspace-Broker
name 192.168.0.12 W07DC02
name 192.168.1.18 CMVDI
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 85.13.xxx.xxx 255.255.255.240
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.0.1
name-server 8.8.8.8
name-server 4.4.2.2
name-server 4.2.2.2
name-server 4.2.2.3
domain-name cloud.local
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 8080
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3389
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3390
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3391
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3399
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0
access-list Split_Tunnel standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPsecVPN 192.168.0.40-192.168.0.45 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https vWorkspace-Broker https netmask 255.255.255.255
static (inside,outside) tcp interface www vWorkspace-Broker www netmask 255.255.255.255
static (inside,outside) tcp interface 444 vWorkspace-Broker 444 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 vWorkspace-Broker 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Metalfab-IT 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 W01DC01 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 W07DC02 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3399 CMVDI 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 85.13.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
default-domain value cloud.local
group-policy admin internal
group-policy admin attributes
dns-server value 192.168.0.5 192.168.0.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
default-domain value cloud.local
vlan none
vpn-group-policy admin
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool IPsecVPN
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *****
!
class-map in
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:192e2f08647ded2722c23e69cd68ab23
: end
10-15-2013 07:56 AM
Hi,
To be honest, if the "packet-tracer" shows that the initial control connection for the FTP goes through and gets translated, and you have FTP inspection enabled, then that should be it for the ASA.
I would consider that the actual problem is on the remote end.
To me the above connection messages seem to indicate that the FTP connection (TCP/21) is formed but the server ends up rejecting it because of some local setting/rule.
So it would seem to me to be more of a problem on the server side.
Maybe the connections formed to this FTP server are limited according to the source IP address? Perhaps the remote end that manages the server has not done something they should.
Naturally as a "final" step you can always capture all traffic from a single connection attempt and those should show you exactly what is exchanged between the client and the server.
- Jouni
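As an added example (not from this thread, Cisco or any FTP server), the Python sketch below shows why FTP inspection matters for active mode behind PAT and what the two refusals discussed above look like from the server's side: the PORT command carries the client's own address, inspection has to rewrite the LAN address to the outside PAT address, and the server judges the source address of the control connection. The public address 203.0.113.10, the mapped port and the allow-list are constructed placeholders for the thread's redacted values.

```python
import ipaddress
import re

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# channel (TCP/21) and the server connects back to that address and port.
# Behind PAT the client's LAN address ends up inside the PORT payload unless
# FTP inspection rewrites it. Constructed illustration of that rewrite and of
# two server-side checks; not the ASA's or any FTP server's implementation.

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r\n$")


def parse_port(line):
    """Return (ip, port) from a PORT command; raise ValueError if malformed."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.group(1).split(",")]
    ip = ".".join(str(o) for o in octets[:4])
    ipaddress.IPv4Address(ip)            # rejects octets above 255
    return ip, octets[4] * 256 + octets[5]


def build_port(ip, port):
    """Encode an address and port in PORT command syntax."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def rewrite_for_nat(line, public_ip, mapped_port):
    """What an inspection engine has to do for active FTP through PAT:
    substitute the translated address/port so the server can reach the client."""
    parse_port(line)                     # validate before rewriting
    return build_port(public_ip, mapped_port)


def server_response(control_src_ip, line, allowed_sources):
    """Mimic two common server-side refusals seen from behind NAT:
    - source IP not on the server's allow-list (the thread's 550 message);
    - PORT address differing from the control connection's source address,
      which is what happens when the LAN address leaks through un-rewritten."""
    if control_src_ip not in allowed_sources:
        return "550 No connections allowed from your IP"
    ip, port = parse_port(line)
    if ip != control_src_ip or port <= 1023:
        return "500 Illegal PORT command"
    return "200 PORT command successful"
```

Run the server checks once with the LAN address left in PORT and once with the rewritten command to see which path each refusal takes; the 550 case depends only on the source address the remote end sees, which is the ASA's outside interface IP, not the LAN host.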
10-15-2013 08:03 AM
Thanks very much.
I did suspect this to start with; however, I wanted to explore every other avenue before contacting the remote end. I will check with Wireshark to get a definitive answer.
10-15-2013 08:09 AM
Hi,
You can also take a capture on the ASA. I guess that is easy to do on the ASDM side.
Naturally, when you're on the actual host it's probably easier just to take the capture there.
I guess the capture on the ASA might be useful in a situation where you don't have access to an actual host on the site and are not at the site, and want to remotely take the capture from the ASA.
Let me know if you want an example configuration/commands to capture on the ASA.
I tend to use it a lot and I can easily copy the files to my local computer and open them with Wireshark.
- Jouni
10-15-2013 08:12 AM
That would be great if you could send me an example. Thanks
10-15-2013 08:26 AM
Hi,
Well in this case since we have a single destination host and can define a specific internal host for the connection also we could just configure the ASA to capture all TCP traffic between the hosts.
First we configure an ACL that tells the ASA what traffic should be captured
access-list FTP-CAP permit tcp host
access-list FTP-CAP permit tcp host
We define the ACL so that it covers both directions of the traffic. An option would be to copy 2 captures, one for each direction. This might be useful if there is going to be a large amount of traffic, as the ASA per-capture buffer is capped near 35MB.
Then we use the actual "capture" command
capture FTP-CAP access-list FTP-CAP interface inside buffer 3350000 circular-buffer
In the above command we define the following
The capture configuration above won't show up in the configuration.
One important thing to consider when configuring the ACL is that depending on which interface you take the capture on, you might have to change the IP address. In this case, since we use the local interface, the ASA will see the original host IP address. If you were to take the capture from the external interface of the ASA you would have to change the local IP address to the host's public NAT IP address. And if that NAT IP address is a shared PAT IP it would potentially capture a lot of traffic from other hosts (this is why I used the internal interface/IP in this example).
You can view all the captures and if they have captured any data with command
show capture
You can view the contents of a particular capture by adding the capture name to the command
show capture FTP-CAP
I don't use this much except for simple captures.
To copy the capture to a host with TFTP use the following command
copy /pcap capture:FTP-CAP tftp://x.x.x.x/FTP-CAP.pcap
To remove the capture and its data use
no capture FTP-CAP
You will have to remove the ACL separately.
Hope this helps
Please let us know when you hear back from the remote end.
- Jouni
10-15-2013 08:52 AM
Hi Jouni,
Awesome command/trick you've got!
Do you happen to create a CSC doc for this? :)
Sent from Cisco Technical Support iPhone App
10-15-2013 09:07 AM
Hi,
There is one older document made here on CSC regarding captures
https://supportforums.cisco.com/docs/DOC-1222
Though naturally that doesn't stop me from making my own.
I would still have a lot to add to my NAT document on the CSC but just can't seem to find the correct time/moment to go into that. Maybe it's because I work all day and then go home and start replying to posts on the CSC. I must be mad.
- Jouni