Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1462
Views
0
Helpful
1
Replies

Cannot connect to remote Active FTP Server - ASA 5505

jasonhammer30
Level 1
Level 1

‎02-05-2014 07:51 AM - edited ‎03-11-2019 08:40 PM

Hi,

I have a problem that my local network cannot connect to a remote active FTP server.  Here is the log while connecting to FTP server

Status:          Connecting to 66.194.X.X:21...

Status:          Connection established, waiting for welcome message...

Response:          220 BSS, LLC

Command:          USER 13ftpsan

Response:          331 Password required for XXXXXX

Command:          PASS *******

Response:          230 Logged on

Command:          SYST

Response:          215 XXXXXXXXXXXXXXXXXXXXXXXXXX

Command:          FEAT

Response:          500 Invalid command.

Status:          Server does not support non-ASCII characters.

Status:          Connected

Status:          Retrieving directory listing...

Command:          PWD

Response:          257 "/" is current directory.

Command:          TYPE I

Response:          200 Type set to I

Command:          PORT 192,1,2,3,7,239

Response:          200 Port command successful

Command:          LIST

Response:          150 Opening data channel for directory list.

I have verified that it is an issue with the ASA 5505 firewall as I can connect from my a different network to the FTP server just fine.

I have made sure the inspect FTP is enable in the ASA 5505

Here is my config :

ASA Version 8.2(5)

!

hostname asafirewall

domain-name ciscoasa.com

enable password XXXXXXXX

passwd XXXXX

names

name 192.168.1.0 court

name 192.1.2.5 DC description 192.1.2.5

name 71.41.X.X Rescue_Mail description Rescue Mail

name 192.1.2.25 WkSta26 description WkSta26

name 192.1.2.2 Appserver

name 192.1.2.3 Dataserver

name 192.1.2.39 MS

name 192.1.2.50 VC

name 192.1.2.4 Printserver

name 12.X.X.X Public-IP description Public IP

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.1.2.10 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address Public-IP 255.255.255.240

!

ftp mode passive

dns server-group DefaultDNS

domain-name ciscoasa.com

object-group service Alt-RDP tcp

description Alt-RDP-53424

port-object eq 53424

object-group service ALT-RDP-53434 tcp

description ALT RDP 53434

port-object eq 53434

object-group service ALT-RDP-53444 tcp

description 53444

port-object eq 53444

object-group service ALT-RDP-53454 tcp

description 53454

port-object eq 53454

object-group service ALT-RDP-53464 tcp

description 53464

port-object eq 53464

object-group service ALT-RDP-53474 tcp

description 53474

port-object eq 53474

object-group service ALT-RDP-53484 tcp

port-object eq 53484

object-group service FTP2 tcp

port-object eq 6

object-group service FTP3 udp

port-object eq 17

access-list outside_cryptomap_20 extended permit ip 192.1.2.0 255.255.255.0 court 255.255.255.0

access-list inside_access_in extended permit icmp any any echo

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any echo-reply

access-list mail_access_in extended permit tcp host Rescue_Mail host Public-IP eq smtp

access-list mail_access_in extended permit tcp any host Public-IP eq www

access-list mail_access_in extended permit tcp any host Public-IP eq https

access-list mail_access_in extended permit tcp any host Public-IP eq 465

access-list mail_access_in extended permit tcp any host Public-IP eq imap4

access-list mail_access_in extended permit tcp any host Public-IP eq 3101

access-list mail_access_in extended permit tcp host Rescue_Mail interface outside eq ldap

access-list mail_access_in extended permit tcp any interface outside object-group Alt-RDP

access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53434

access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53444

access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53454

access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53464

access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53474

access-list mail_access_in extended permit tcp any interface outside object-group ALT-RDP-53484

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.1.2.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface ldap DC ldap netmask 255.255.255.255

static (inside,outside) tcp interface 53424 DC 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 53434 192.1.2.7 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 53474 Appserver 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 53464 Dataserver 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 53454 VC 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 53444 MS 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 53484 Printserver 3389 netmask 255.255.255.255

static (inside,outside) interface 192.1.2.7 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group mail_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 12.217.156.113 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http server idle-timeout 40

http 192.1.2.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 99.8.X.X

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 15

ssh timeout 15

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

username admin password XXXXX

username jason password XXXXX

tunnel-group 99.8.X.X type ipsec-l2l

tunnel-group 99.8.X.X ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

description Inspect Policy 2

class inspection_default

  inspect dns preset_dns_map

  inspect esmtp

  inspect h323 h225

  inspect h323 ras

  inspect http

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

  inspect ftp strict

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:XXXXXXX

: end

Any help is greatly appreciated!

Cheers,

Jason

Labels:
0 Helpful
1 Reply 1

jasonhammer30
Level 1
Level 1

‎02-05-2014 08:02 AM

I have also tried inspect FTP (without strict)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card