CISCO ASA 5505 Outbound FTP Passive

d.cunliffe, Level 1

I'm currently being placed on a firewall which I've never touched prior. I'm looking to do a simple port inspection on this firewall, which will do a connection on port 21 (FTP) and have the firewall inspect the traffic in the event it is passive or active.

The connection should go like this:

Client PC (Internal to network) -> Cisco ASA Firewall -> FTP Server.

So I've enabled an outbound rule which works for port 21, but the firewall is failing to inspect the connection and open the other outbound ports needed for the additional traffic. I've reviewed the logs and it's blocking the additional packets. I've attempted to add global in the default inspection_default rule to inspect ftp, and I have only one other class, which is called class-default, and it's also enabled in this section. But I'm still seeing port drops even after I've set up the rules on the inspection, so any help would be much appreciated.


7 Replies

Ajay Saini, Level 7

Hello,

Can you please share the output of 'show run policy-map' and 'show run service-policy'

As per description, looks like the inspection is not happening for the control traffic. 

-

AJ

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  user-statistics accounting
  inspect ftp
policy-map global-policy
 class global-class
  inspect ftp
!
service-policy global_policy global
!

Ajay Saini, Level 7 (Accepted Solution)

Hello,

Can you please remove the inspect ftp from the part below:

 class class-default
  user-statistics accounting
  inspect ftp

We already have the default ftp inspection ON.

If it still does not work, please attach syslogs when initiating the ftp traffic.

Attach output of 'show service-policy' as well.

Also, please ensure that ftp is using port 21 tcp for the initial connection. The ftp which you are testing, is it passive ftp or active ftp?

-

AJ

Thanks for your help, I'll be back on site Friday to get that information.

Figured out the issue... it was a rather small item I missed which I should have checked on my own. The FTP client was set to do a TLS connection, so the firewall couldn't inspect the traffic and open the appropriate ports. Thanks for your help.
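The two points of this thread (the question's client -> ASA -> FTP server flow, where inspect ftp has to open the data-connection ports, and the finding above that a TLS-protected control channel stops it) can be shown with a small model of what the inspector does. The following is an added example for this page, not Cisco's code and not a description of the ASA implementation: it parses the cleartext port-21 control channel for PORT/EPRT commands and 227/229 replies, derives the pinhole the firewall would have to open for the data connection, and goes blind once the server answers AUTH TLS with 234. All addresses, ports and session transcripts are constructed.

```python
# Added example (not from the thread): a toy model of what ASA 'inspect ftp'
# does on the port-21 control channel, and why FTP over TLS defeats it.
# The inspector parses cleartext PORT/EPRT commands and 227/229 replies to
# learn the data-connection endpoint and opens a pinhole for it; after
# AUTH TLS + 234 the channel is ciphertext, nothing is parsed, no pinhole
# opens, and the data connection is dropped (the symptom in the thread).
# Hosts, ports and transcripts below are constructed for this example.
import re
from dataclasses import dataclass, field

@dataclass
class Pinhole:
    direction: str  # "outbound": client -> server (passive); "inbound": server -> client (active)
    src: str
    dst: str
    dport: int

@dataclass
class FtpInspectionState:
    client: str
    server: str
    tls: bool = False
    pinholes: list = field(default_factory=list)

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")  # 227 ... (h1,h2,h3,h4,p1,p2)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")                       # 229 ... (|||port|)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")       # PORT h1,h2,h3,h4,p1,p2
EPRT_RE = re.compile(r"^EPRT \|1\|([\d.]+)\|(\d+)\|$")                    # EPRT |1|host|port|

def _hostport(g):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 form: port = p1*256 + p2."""
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])

def inspect_line(state, sender, line):
    """Feed one control-channel line from 'client' or 'server'; return the Pinhole opened, if any."""
    if state.tls:
        return None  # ciphertext after AUTH TLS: the inspector is blind
    line = line.rstrip("\r\n")
    ph = None
    if sender == "server":
        if line.startswith("234 "):
            state.tls = True  # server accepted AUTH TLS; the channel goes dark from here
        elif (m := PASV_RE.match(line)):
            host, port = _hostport(m.groups())
            ph = Pinhole("outbound", state.client, host, port)
        elif (m := EPSV_RE.match(line)):
            ph = Pinhole("outbound", state.client, state.server, int(m.group(1)))
    else:
        if (m := PORT_RE.match(line)):
            host, port = _hostport(m.groups())
            ph = Pinhole("inbound", state.server, host, port)  # server connects back from port 20
        elif (m := EPRT_RE.match(line)):
            ph = Pinhole("inbound", state.server, m.group(1), int(m.group(2)))
    if ph:
        state.pinholes.append(ph)
    return ph

def run_session(client, server, transcript):
    """Replay a (sender, line) transcript through the inspector and return its final state."""
    state = FtpInspectionState(client, server)
    for sender, line in transcript:
        inspect_line(state, sender, line)
    return state

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"  # constructed addresses

PASSIVE = [  # cleartext passive session: two data transfers, so two pinholes
    ("client", "USER anonymous"), ("server", "331 Please specify the password."),
    ("client", "PASS guest@example.com"), ("server", "230 Login successful."),
    ("client", "PASV"), ("server", "227 Entering Passive Mode (192,0,2,10,195,80)."),
    ("client", "RETR a.bin"), ("server", "150 Opening BINARY mode data connection."),
    ("client", "EPSV"), ("server", "229 Entering Extended Passive Mode (|||50001|)"),
    ("client", "RETR b.bin"),
]
ACTIVE = [  # cleartext active session: the server will connect back to the client
    ("client", "PORT 10,0,0,5,200,10"), ("server", "200 PORT command successful."),
    ("client", "LIST"),
]
FTPS = [  # explicit FTPS: after 234 the PASV exchange is inside TLS and invisible
    ("client", "AUTH TLS"), ("server", "234 Proceed with negotiation."),
    ("client", "<TLS record: encrypted PASV>"),
    ("server", "<TLS record: encrypted 227 reply>"),
]

if __name__ == "__main__":
    for name, transcript in (("passive", PASSIVE), ("active", ACTIVE), ("ftps", FTPS)):
        s = run_session(CLIENT, SERVER, transcript)
        print(name, "tls=%s pinholes=%s" % (s.tls, s.pinholes))
```

The model only shows the pinhole logic; the real ASA inspector additionally rewrites the embedded addresses when NAT is in the path and can enforce command checks with inspect ftp strict. The practical consequence is the one the thread reached: with explicit FTPS the firewall can never learn the data port from the control channel, so either the client talks plain FTP (as the poster chose) or the server's passive port range has to be permitted explicitly in the outbound ACL, because inspection cannot do it.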

What did you change in the client?

I have a similar issue.

He might have just disabled FTP inspection from the firewall policy-map config.