05-02-2012 01:37 PM - edited 03-11-2019 04:01 PM
I set up an FTP server and I can connect from the inside fine, but from the outside I cannot connect in passive mode. I can in regular FTP or SSH.
Here is the log from FileZilla:
Status: Resolving address of domain.com
Status: Connecting to ExternalIP:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Response: 220-220-Welcome to Cerberus FTP Server
Response: 220 220 Created by Cerberus, LLC
Command: USER test
Response: 331 User test, password please
Command: PASS ***********
Response: 230 Password Ok, User logged in
Command: CLNT FileZilla
Response: 200 Command okay
Command: OPTS UTF8 ON
Response: 220 UTF8 support on
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 PROT P OK, data channel will be secured
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type Binary
Command: PASV
Response: 227 Entering Passive Mode (external IP,195,83)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(4)
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group att
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service FTP_PASV_Ports tcp
description Passive Ports
port-object range 35000 35999
object-group service FTPS tcp
description FTPS
port-object eq 990
access-list outside_access_in extended permit tcp any any object-group RDP
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in remark passive FTP port range
access-list outside_access_in extended permit tcp any host server object-group FTP_PASV_Ports
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any object-group FTPS
access-list outside_access_in extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface https server https netmask 255.255.255.255
static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface ftp server ftp netmask 255.255.255.255
static (inside,outside) tcp interface ssh server ssh netmask 255.255.255.255
static (inside,outside) tcp interface 990 server 990 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data server ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group att request dialout pppoe
vpdn group att localname @static.sbcglobal.net
vpdn group att ppp authentication pap
vpdn username @static.sbcglobal.net password *********
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password rcuFiQnIXLd encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ecb5356a2f5e680b
: end
I am programming the router with ASDM, so if you could tell me what I need to do from the GUI to fix this.
05-02-2012 07:52 PM
Dan,
Looking at the output,
Status: Resolving address of domain.com
Status: Connecting to ExternalIP:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
This looks like FTPS, which is not supported on the ASA. You can work around it by trying to connect using active mode from the outside instead of PASV.
You can find more info here:
https://supportforums.cisco.com/docs/DOC-23206
Mike
05-07-2012 09:49 AM
I opened ftp-data port 20 and have the same issue, even if I set up the FileZilla client to connect via active mode. Any other suggestions? I can only connect to regular FTP or SSH, but I would like to connect via FTPS.
05-07-2012 04:33 PM
Can you place a capture on the server itself when trying to connect on active mode?
Mike
05-08-2012 08:50 AM
What should I put in the capture filter, or should I capture everything?
05-08-2012 08:55 AM
Dan,
Port 20 between the server and client will do it.
Mike