Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1842
Views
0
Helpful
3
Replies

ASA5505 for passive FTP

Jasbryan1
Level 1
Level 1

‎04-19-2012 06:19 PM - edited ‎03-11-2019 03:56 PM

Need assistance setting up ASA to allow passive FTP connection!

I can get the FTP client to connect but it does not pull the directories. I have opened 21 and range of 55536-55566. I had some trouble gettting the range opened and saved. Normally with other small business routers (GUI) I make sure those ports are forwarded and ftp works. Please advise….

Is the ftp inspection killing connection or is it my config?

ASA Version 8.4(2)

!

hostname ciscoasa

enable password vRLm0eRL2O14iLM6 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

            

!

interface Vlan1

nameif inside

security-level 100

ip address 10.2.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network RDP_Jasbryan.pc

host 10.2.1.250

object network NSS324_Interface

host 10.2.1.252

object network NSS324_FTP

host 10.2.1.252

object network PassivePorts

host 10.2.1.252

object service FTPPassivePorts

service tcp source range 55536 55566 destination range 55536 55566

            

object service FTPpassive

service tcp source range 55536 55566 destination range 55536 55566

object network NSS324passivePorts

host 10.2.1.252

description Port range for ftppassive

object network NSS324-Ports

host 10.2.1.252

object network NSS324passiveports

host 10.2.1.252

object network NETWORK_OBJ_10.5.2.0_24

subnet 10.5.2.0 255.255.255.0

object-group service PassiveFTPports tcp-udp

description FTP_Services

port-object range 55536 55566

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service PassiveDATA tcp

port-object range 55536 55566

access-list OUTSIDE-IN extended permit tcp any host 10.2.1.250 eq 3389

access-list OUTSIDE-IN extended permit tcp any host 10.2.1.252 eq https

access-list OUTSIDE-IN extended permit tcp any host 10.2.1.252 eq ftp

access-list OUTSIDE-IN extended permit object-group TCPUDP any host 10.2.1.252 object-group PassiveFTPports

pager lines 24

            

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool CiscoVpnPool 10.5.2.1-10.5.2.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.5.2.0_24 NETWORK_OBJ_10.5.2.0_24 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network RDP_Jasbryan.pc

nat (inside,outside) static interface service tcp 3389 1025

object network NSS324_Interface

nat (inside,outside) static interface service tcp https 1026

object network NSS324_FTP

nat (inside,outside) static interface service tcp ftp 1030

object network NSS324-Ports

nat (any,outside) static interface

!

nat (inside,outside) after-auto source static NSS324-Ports interface service FTPPassivePorts FTPPassivePorts

access-group OUTSIDE-IN in interface outside

timeout xlate 3:00:00

            

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 10.2.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 10.2.1.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 20

console timeout 0

vpn-addr-assign local reuse-delay 120

dhcpd auto_config outside

!

dhcpd address 10.2.1.5-10.2.1.36 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

            

webvpn

group-policy Ciscovpn internal

group-policy Ciscovpn attributes

dns-server value 10.2.1.254

vpn-tunnel-protocol ikev1

default-domain value Axmatrix.local

username Jasbryan password 9mPl6NE1miJAPDrn encrypted privilege 15

tunnel-group Ciscovpn type remote-access

tunnel-group Ciscovpn general-attributes

address-pool CiscoVpnPool

default-group-policy Ciscovpn

tunnel-group Ciscovpn ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

            

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect ftp

class class-default

user-statistics accounting

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

            

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:2196760a7eb1686ef5d0f57ba8dbdcca

: end

ciscoasa#   

Thanks in advanced

Jason

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎04-19-2012 07:32 PM

Hello Jason lest do captures to see what is going on on this connections as the config looks good

You will need to create one capture on the inside interface then one on the outside.

Afterwards download them as a PCAP file and finally upload them to this case.

Regards

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Jasbryan1
Level 1
Level 1
In response to Julio Carvajal

‎04-24-2012 06:40 PM

Julio,

Thanks for responding - trying to get some time to run captures on both side. When i get them i will repost.

Thanks,

  Jason

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Jasbryan1

‎04-24-2012 11:15 PM

Hello Jason,

Sure, I will wait.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card