02-12-2013 09:36 AM - edited 03-11-2019 05:59 PM
On an ASA 5505, I would like to allow all traffic for a remote network (or servers) (harvesterFTP in the attached screenshot).
For some reason it is not working. It seems it is with the implicit rule.
Could anyone give me some advice on this?
02-12-2013 09:45 AM
Hi,
Do you mean that you want to allow traffic to a server behind your ASA 5505 from the Internet?
I can only guess that you have the ACL statements wrong somehow.
Sadly the ASDM picture doesn't tell us much since it's just using names instead of actual IP address ranges.
Though the output seems a bit weird, as you have on your "outside" ACL defined the source address as the "inside" network and the destination as the FTP server? Shouldn't the source either be "any" or the public source network from which the users are connecting to your server?
To be honest, the CLI format of the configuration would be better in this case, as we can't tell much from the names in the ASDM picture.
We can only tell that the rules you have configured are not getting "hit" or "matched".
- Jouni
02-12-2013 09:51 AM
Also,
I'm not quite sure what software version you are using. I guess it must be 8.3 or newer since it refers to the Global ACL. (I don't use ASDM much myself.)
Basically, if you have configured NAT for one of your servers and want to open connections to it from the Internet, you should use the real IP address as the destination IP address in the ACL.
For example:
When you create ACL rules with 8.3 and above software, you need to allow the traffic from "outside" to the LAN IP address of the server.
- Jouni
02-13-2013 06:25 AM
Jouni,
Thanks a lot for your advice. Below I attached the running configuration. The thing I want to achieve here is to give remote servers (harvesterFTP) access to the internal network. Could you please take a look at the run-config and give me some advice?
:
ASA Version 8.4(4)1
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 74.101.14.146 255.255.255.0
!
interface Vlan5
no nameif
security-level 50
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network FTPserver1
host 64.147.106.92
object network FTPserver2
host 64.147.106.67
object network HarvesterFTP
subnet 64.147.106.0 255.255.255.0
object-group network Harvester
network-object object FTPserver1
network-object object FTPserver2
object-group network HarvesterNetwork
network-object object HarvesterFTP
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host 64.147.106.67
network-object host 64.147.106.92
object-group network DM_INLINE_NETWORK_3
network-object host 64.147.106.67
network-object host 64.147.106.92
object-group network DM_INLINE_NETWORK_2
network-object object FTPserver1
network-object object FTPserver2
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_3 74.101.14.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.101.14.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 192.168.0.5 68.237.161.12
dhcpd update dns both
!
dhcpd address 192.168.0.15-192.168.0.132 inside
dhcpd dns 192.168.0.5 68.237.161.12 interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
call-home reporting anonymous
Cryptochecksum:31db376b3dc2ff56c0c43331f6a98293
: end
02-13-2013 06:40 AM
Hi,
Are you saying that
For your servers to be reachable from the Internet, you need to configure a Static NAT for each local server so that they have their own public IP address.
If the above is the case, I would need the following information to give you the configurations:
With the above information I could give you the needed configurations.
- Jouni
02-13-2013 08:31 AM
The Harvester servers are remote servers that I want to give access to our network. I don't need to configure NAT for our internal servers here.
Specifically, I want to allow all FTP traffic from the external servers below to be able to get into our internal network:
64.147.106.92
64.147.106.67
We are using those remote servers to get certain files using FTP automatically, but it stopped working since we changed the firewall.
02-13-2013 08:41 AM
Hi,
I'm not totally sure if we are speaking in different terms or what the actual setup is here.
To clarify the situation on my part:
So if some remote hosts from the Internet are currently attempting connections towards your network, the above ASA configuration simply won't do the job. It can't work since there is no NAT configuration to make the connection initiation from the Internet possible. The existing PAT translation only works for the LAN hosts when they are initiating connections towards the Internet.
Which leads me to believe that you had some kind of NAT configuration on your old firewall and it is not configured on the ASA firewall.
- Jouni
02-13-2013 01:06 PM
Thank you Jouni for your advice.
It seems I did not give enough explanation of what I am really trying to achieve here.
We have software installed on a computer in our network, and this one connects to remote FTP servers which are not ours, just commercial FTP servers accessible to everyone who has access permission to retrieve files on them.
When I tried to connect to the remote FTP server from one of the computers in our network, it could successfully log in, but when I try the "ls" command, I get the errors below:
500 illegal PORT command
425 use PORT or PASV first
I talked to the company hosting these FTP servers and they say this might be to do with the firewall access rules, so I am looking into this. They said I will need to open the FTP protocol for inbound and outbound traffic for their remote servers.
The remote servers do not need to initiate the connection first with a computer inside the network, but a computer inside our network should be able to access the remote FTP servers and retrieve all the data required for the software to run.
I can connect to these FTP servers and do "ls" to retrieve all files from another network without any issue.
Any advice would be appreciated.
02-13-2013 01:37 PM
Hi,
I haven't had many problems with FTP connections through the ASA.
I think the FTP inspection on the ASA handles the FTP connections.
Do you have the following configuration on the ASA?
policy-map global_policy
class inspection_default
inspect ftp
I can't see any policy-map configuration in your above copy/pasted configuration?
Some threads on the Internet simply state to give the "passive" command on the FTP CLI.
- Jouni
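To make the failure and the fix concrete: the "500 illegal PORT command" reply is what an active-mode FTP client gets when its PORT command carries a private LAN address that the server cannot reach (and that does not match the address the server sees on the control connection). The ASA's `inspect ftp` engine rewrites that embedded address to the PAT address and opens a pinhole for the server's data connection. The Python below is an added model written for this thread (not from the original posts and not Cisco code): it parses PORT commands and 227 PASV replies, models the server-side PORT sanity check, and shows the same client "ls" with and without inspection. The LAN client address 192.168.0.20 and the data port 50000 are constructed; 74.101.14.146 is the outside address from the posted config. The "illegal PORT" check and the ALG rewrite are simplified models of the real behaviour.

```python
import ipaddress
import re

# Constructed LAN client behind the ASA (hypothetical host in the posted 192.168.0.0/24).
PRIVATE_CLIENT = "192.168.0.20"
# Outside interface address from the posted config; all LAN hosts PAT to it.
PUBLIC_PAT_IP = "74.101.14.146"

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def _six_to_endpoint(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields of RFC 959 into (ip, port)."""
    vals = [int(x) for x in groups]
    if any(v > 255 for v in vals):
        return None
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]


def parse_port(line):
    """Parse a client PORT command (active mode). Returns (ip, port) or None."""
    m = PORT_RE.match(line)
    return _six_to_endpoint(m.groups()) if m else None


def parse_pasv(line):
    """Parse a server '227 Entering Passive Mode (...)' reply. Returns (ip, port) or None."""
    m = PASV_RE.match(line)
    return _six_to_endpoint(m.groups()) if m else None


def format_port(ip, port):
    """Build the PORT command line the client sends for an active-mode data channel."""
    return "PORT %s,%d,%d\r\n" % (",".join(ip.split(".")), port // 256, port % 256)


def server_accepts_port(line, control_peer_ip):
    """Model of the check behind '500 illegal PORT command': many FTP servers
    refuse a PORT whose address is private, is not the control connection's
    peer address (anti-bounce check), or names a privileged port."""
    parsed = parse_port(line)
    if parsed is None:
        return False
    ip, port = parsed
    if ipaddress.ip_address(ip).is_private or ip != control_peer_ip or port < 1024:
        return False
    return True


def ftp_alg_rewrite(line, inside_ip, pat_ip):
    """Model of what 'inspect ftp' does for an outbound active-mode PORT:
    rewrite the embedded inside address to the translated public address and
    return the pinhole (public ip, port) the firewall must open for the
    server's inbound data connection. A real ASA also allocates a PAT port;
    keeping the same port number is a simplification for this demo."""
    parsed = parse_port(line)
    if parsed is None or parsed[0] != inside_ip:
        return line, None
    port = parsed[1]
    return format_port(pat_ip, port), (pat_ip, port)


def simulate_active_ls(inspection_enabled):
    """Simulate the LAN client's 'ls' in active mode through the PAT firewall.
    Returns the server's reply to the PORT command."""
    client_cmd = format_port(PRIVATE_CLIENT, 50000)
    if inspection_enabled:
        on_wire, pinhole = ftp_alg_rewrite(client_cmd, PRIVATE_CLIENT, PUBLIC_PAT_IP)
    else:
        on_wire, pinhole = client_cmd, None  # server sees 192.168.0.20 in the PORT
    # The server sees the control connection arriving from the PAT address.
    if not server_accepts_port(on_wire, PUBLIC_PAT_IP):
        return "500 illegal PORT command"
    # With the pinhole open the server can connect back and send the listing.
    return "150 Opening data connection to %s:%d" % pinhole


if __name__ == "__main__":
    print("without inspect ftp:", simulate_active_ls(False))
    print("with inspect ftp:   ", simulate_active_ls(True))
    # Passive mode: the client opens the data connection outbound, which plain
    # PAT already handles, which is why "passive" is the other common fix.
    print("PASV target:", parse_pasv("227 Entering Passive Mode (64,147,106,92,195,80)."))
```

Running it prints the 500 reply for the uninspected case and a 150 reply once the PORT is rewritten to the public address, which matches the thread: the control login works either way (it is a plain outbound TCP session), only the active-mode data channel needs the ALG.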
02-14-2013 09:27 AM
Perfect. Creating inspection policy solved the issue.
02-14-2013 09:29 AM
Glad to hear that it's working now.
- Jouni