02-05-2014 07:51 AM - edited 03-11-2019 08:40 PM
Hi,
I have a problem: my local network cannot connect to a remote active FTP server. Here is the log while connecting to the FTP server:
Status: Connecting to 66.194.X.X:21...
Status: Connection established, waiting for welcome message...
Response: 220 BSS, LLC
Command: USER 13ftpsan
Response: 331 Password required for XXXXXX
Command: PASS *******
Response: 230 Logged on
Command: SYST
Response: 215 XXXXXXXXXXXXXXXXXXXXXXXXXX
Command: FEAT
Response: 500 Invalid command.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PORT 192,1,2,3,7,239
Response: 200 Port command successful
Command: LIST
Response: 150 Opening data channel for directory list.
I have verified that it is an issue with the ASA 5505 firewall, as I can connect from a different network to the FTP server just fine.
I have made sure that inspect FTP is enabled on the ASA 5505.
Here is my config:
ASA Version 8.2(5)
!
hostname asafirewall
domain-name ciscoasa.com
enable password XXXXXXXX
passwd XXXXX
names
name 192.168.1.0 court
name 192.1.2.5 DC description 192.1.2.5
name 71.41.X.X Rescue_Mail description Rescue Mail
name 192.1.2.25 WkSta26 description WkSta26
name 192.1.2.2 Appserver
name 192.1.2.3 Dataserver
name 192.1.2.39 MS
name 192.1.2.50 VC
name 192.1.2.4 Printserver
name 12.X.X.X Public-IP description Public IP
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.1.2.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Public-IP 255.255.255.240
!
ftp mode passive
dns server-group DefaultDNS
domain-name ciscoasa.com
object-group service Alt-RDP tcp
description Alt-RDP-53424
port-object eq 53424
object-group service ALT-RDP-53434 tcp
description ALT RDP 53434
port-object eq 53434
object-group service ALT-RDP-53444 tcp
description 53444
port-object eq 53444
object-group service ALT-RDP-53454 tcp
description 53454
port-object eq 53454
object-group service ALT-RDP-53464 tcp
description 53464
port-object eq 53464
object-group service ALT-RDP-53474 tcp
description 53474
port-object eq 53474
object-group service ALT-RDP-53484 tcp
port-object eq 53484
object-group service FTP2 tcp
port-object eq 6
object-group service FTP3 udp
port-object eq 17
access-list outside_cryptomap_20 extended permit ip 192.1.2.0 255.255.255.0 court 255.255.255.0
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list mail_access_in extended permit tcp host Rescue_Mail host Public-IP eq smtp
access-list mail_access_in extended permit tcp any host Public-IP eq www
access-list mail_access_in extended permit tcp any host Public-IP eq https
access-list mail_access_in extended permit tcp any host Public-IP eq 465
access-list mail_access_in extended permit tcp any host Public-IP eq imap4
access-list mail_access_in extended permit tcp any host Public-IP eq 3101
access-list mail_access_in extended permit tcp host Rescue_Mail interface outside eq ldap
access-list mail_access_in extended permit tcp any interface outside object-group Alt-RDP
access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53434
access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53444
access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53454
access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53464
access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53474
access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53484
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ldap DC ldap netmask 255.255.255.255
static (inside,outside) tcp interface 53424 DC 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 53434 192.1.2.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 53474 Appserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 53464 Dataserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 53454 VC 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 53444 MS 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 53484 Printserver 3389 netmask 255.255.255.255
static (inside,outside) interface 192.1.2.7 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group mail_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.217.156.113 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http server idle-timeout 40
http 192.1.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 99.8.X.X
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 15
ssh timeout 15
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
username admin password XXXXX
username jason password XXXXX
tunnel-group 99.8.X.X type ipsec-l2l
tunnel-group 99.8.X.X ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description Inspect Policy 2
class inspection_default
inspect dns preset_dns_map
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect http
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect ftp strict
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:XXXXXXX
: end
Any help is greatly appreciated!
Cheers,
Jason
02-05-2014 08:02 AM
I have also tried inspect FTP (without strict)
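The session in the posted log stalls right after `150 Opening data channel`: the client has sent `PORT 192,1,2,3,7,239`, i.e. it asked the server to connect back to 192.1.2.3:2031, an inside address that is PAT'd behind the outside interface. For active FTP to work through NAT, the FTP inspection engine (ALG) has to decode that embedded address, rewrite it to the translated outside address, and open a pinhole for the server's inbound data connection. The following Python models exactly that payload handling so the mechanics can be checked offline. It is an added example, not code from the original post or from Cisco; `OUTSIDE_IP` (203.0.113.10) is an assumed stand-in for the redacted Public-IP, the 227 reply in the sample is hypothetical, and the model keeps the data port unchanged where a real PAT device may allocate a different one. It takes the inside network from the posted config rather than the RFC 1918 ranges, because 192.1.2.0/24 is not a private range.

```python
"""Model of the payload rewriting an FTP ALG ("inspect ftp") must do for an
active-mode client behind NAT. Added example; not from the original post."""
import ipaddress
import re

# Taken from the posted config: the inside network that is PAT'd to the outside interface.
INSIDE_NET = ipaddress.ip_network("192.1.2.0/24")
# Assumption: a documentation address standing in for the redacted Public-IP.
OUTSIDE_IP = "203.0.113.10"

# RFC 959 host/port syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(match):
    vals = [int(v) for v in match.groups()]
    if any(v > 255 for v in vals):
        raise ValueError("host/port octet out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port(line):
    """Decode a client PORT command, e.g. 'PORT 192,1,2,3,7,239' -> ('192.1.2.3', 2031)."""
    line = line.strip()
    if not line.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {line!r}")
    m = _HOSTPORT.fullmatch(line[5:].strip())
    if m is None:
        raise ValueError(f"malformed PORT argument: {line!r}")
    return _decode(m)


def parse_pasv(line):
    """Decode a server 227 reply, e.g. '227 Entering Passive Mode (66,194,1,2,195,89)'."""
    line = line.strip()
    if not line.startswith("227"):
        raise ValueError(f"not a 227 reply: {line!r}")
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError(f"no host/port in 227 reply: {line!r}")
    return _decode(m)


def encode_hostport(ip, port):
    """Inverse of _decode: ('203.0.113.10', 2031) -> '203,0,113,10,7,239'."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(str(ipaddress.IPv4Address(ip)).split(".")) + f",{port // 256},{port % 256}"


def inspect_port(line, control_src, outside_ip=OUTSIDE_IP):
    """What an FTP ALG does with a PORT command from an inside client.

    control_src is the source address of the control connection as seen on
    the inside interface. Returns a dict with action 'drop' (and a reason) or
    'forward' with the rewritten command and the pinhole (outside_ip, port ->
    inside_ip, port) the firewall must open for the server's inbound data
    connection. Without that rewrite the server tries to connect to the
    inside address and the transfer stalls after '150 Opening data channel'.
    """
    ip, port = parse_port(line)
    # Bounce-attack check: the client may only ask for data to be sent to itself.
    if ip != control_src:
        return {"action": "drop", "reason": f"PORT address {ip} != control source {control_src}"}
    if port < 1024:
        return {"action": "drop", "reason": f"privileged data port {port}"}
    if ipaddress.IPv4Address(ip) not in INSIDE_NET:
        # Client is not behind this NAT: pass the command through unchanged.
        return {"action": "forward", "command": f"PORT {encode_hostport(ip, port)}", "pinhole": None}
    # PAT'd client: advertise the outside address instead. A real PAT device may
    # also pick a different outside port; this model keeps the port unchanged.
    return {
        "action": "forward",
        "command": f"PORT {encode_hostport(outside_ip, port)}",
        "pinhole": (outside_ip, port, ip, port),
    }


if __name__ == "__main__":
    # Constructed sample: the PORT line from the posted log plus a hypothetical 227 reply.
    for cmd in ("PORT 192,1,2,3,7,239", "PORT 192,1,2,99,7,239", "PORT 192,1,2,3,0,25"):
        print(cmd, "->", inspect_port(cmd, "192.1.2.3"))
    print(parse_pasv("227 Entering Passive Mode (66,194,1,2,195,89)"))
```

Run against the posted `PORT` line, the model forwards `PORT 203,0,113,10,7,239` and records a pinhole from the outside address port 2031 back to 192.1.2.3:2031; a PORT naming a different host or a privileged port is dropped, which is the classic FTP bounce mitigation. On the ASA itself the equivalent things to confirm while the `LIST` is hanging are `show service-policy inspect ftp` (is the control session actually being inspected on port 21, which is what `match default-inspection-traffic` covers) and `show conn` (is an inbound data connection from the server to the translated address appearing at all). If the control connection were to a non-standard port, or if the server's outbound connection never reaches the outside interface, the rewrite modelled here never happens.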