03-03-2014 05:05 AM - edited 03-11-2019 08:52 PM
Hello,
I am looking for help regarding an FTP connection to an external FTP server. The client computer is located behind a Cisco firewall and the FTP server resides at the ISP. So the problem is connecting from our internal network to the external network's FTP server. I can open an FTP connection to the server, but whenever I try to transfer data I get a 425 error. Probably another stupid mistake, but I cannot identify the problem correctly. I am using a service-policy which is inspecting the FTP protocol. My guess is that this is related to NAT. I have debugged and looked at the TCP translation, and this one is made from my (client) computer to the external FTP server.
Attached configuration file.
X.X.X.X refers to our public IP.
TCP translations regarding FTP connection :
%ASA-6-302303: Built TCP state-bypass connection 50120 from Outside:194.126.124.166/21 (194.126.124.166/21) to Inside:192.168.0.94/14327 (X.X.X.X/14327)
03-03-2014 07:58 AM
Hi!
Well, your problem is right there. Since a TCP state bypass connection is being built for this, the inspection is not going to work (if active FTP is being used).
Is there a specific reason you have this turned on? Have you tried a PASV FTP connection?
Mike
Sent from Cisco Technical Support Android App
03-03-2014 09:40 AM
try this command.
no fixup protocol ftp 21
This is an ancient PIX command that still works on my ASA 5520. This command uninspects the FTP traffic and would enable the data to pass through the ASA. Remember that FTP is the only protocol that does not use the OSI model to transfer (due to the lack of programming skills of the coder of the FTP protocol).
Then you have 2 TCP ports (TCP 20 for data, TCP 21 for control) and you might be using one of the two modes of communicating with the server (ACTIVE or PASSIVE).
If you are using passive (PASV command), then it requires creating a dynamic port to receive the traffic coming from outside, and if you have enabled the inspect for the protocol, you could find some trouble getting this done.
So try this and tell us how it goes.
Best regards, have a great day, and please rate if you find this post useful.
03-03-2014 11:06 AM
You do not EVER remove the FTP inspection if you are going through NAT and an ASA firewall.
Depending on the scenario (in this case the client is inside the firewall), active FTP will never EVER work. You would need to have a static translation for every client and allow traffic statically to those clients on the inside network.
You suggest disabling the FTP inspection? If you take a look at the log, a TCP state bypass session is created. It means that all inspections are being bypassed at this point, including the FTP one.
Check why the bypass is configured and exclude the FTP traffic so the FTP inspection engine can work. I assure you that is the problem.
Mike
03-04-2014 02:47 AM
Unfortunately we have to use TCP bypass because of our different outlets, which are connected using VPN by our ISP.
Anyway, I tried making NAT rules:
nat (Outside,Inside) source static la02.neti.ee interface destination static MyCompany MyCompany service FTPActive2 FTPActive2
nat (Outside,Inside) source static la02.neti.ee interface destination static MyCompany MyCompany service FTPActive FTPActive
FTPActive - Sport 20 - Dport any
FTPActive - Sport 21 - Dport any
First I used Windows Explorer to connect to the FTP server. I can connect and transfer files, but the problem is related to the Windows command-line utility, which cannot establish a data connection. I can connect and log in to the FTP server but am unable to transfer files, list directories, etc.
"no fixup protocol" did not have any effect at all.
Thank you for help so far.
03-04-2014 09:52 AM
Hi,
Well, you need to take the FTP traffic out of your bypass list. Do the following:
access-list Internal line 1 deny tcp host 192.168.0.94 host 194.126.124.166
Make sure that the inspection is there and try the connection again from 192.168.0.94.
If it works, you may need to do this for the rest of the subnets when going only to that destination.
To be honest, given the fact that you have everything with TCP state bypass, I would have used a router rather than the ASA, because you are killing its best features by putting in the bypass.
Mike
03-14-2014 03:42 AM
Hi,
This did not make any difference as far as I can see. Any more things to try?
Thanks!
03-03-2014 08:18 PM
Hi,
I think if you are using active FTP, then you need to open port 20 access from the outside to the inside network.
FTP inspection is required in the case of passive FTP, for opening dynamic ports automatically.
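The replies above disagree about which FTP mode needs inspection, so here is a small Python model, added as an illustration and not code from the thread or from Cisco, of what an FTP inspection engine (ALG) does on the control channel of a client behind NAT, and what happens when the connection is matched by TCP state bypass and inspection is skipped. The addresses 192.168.0.94 and 194.126.124.166 come from the log line in the first post; 203.0.113.10 stands in for the poster's X.X.X.X, and the port numbers and the LIST exchange are constructed for the example.

```python
import ipaddress
import re

# Constructed addresses for this added example. The thread's configuration
# was attached rather than posted, so the public side is an RFC 5737 stand-in.
CLIENT_PRIVATE = "192.168.0.94"      # inside host named in the thread's log line
CLIENT_PUBLIC = "203.0.113.10"       # stands in for the thread's X.X.X.X
FTP_SERVER = "194.126.124.166"       # the ISP's FTP server from the log line

# RFC 959 carries endpoints as h1,h2,h3,h4,p1,p2 in PORT and in the 227 reply.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\s*$")
PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")


def decode_hostport(groups):
    """Turn the six comma-separated fields into ('a.b.c.d', port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: 'a.b.c.d', port -> 'a,b,c,d,p1,p2'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_control_line(line, inspected):
    """Model one FTP control-channel line crossing a NAT firewall.

    Returns (forwarded_line, data_flow, verdict):
      forwarded_line  what the far end receives (rewritten only when inspected)
      data_flow       (src_ip, dst_ip, dst_port) of the data connection the
                      firewall must allow, or None for lines that open none
      verdict         "ok", or the reason the data connection will fail

    inspected=False models a connection matched by TCP state bypass: the ASA
    skips application inspection for it, so the line passes through untouched.
    """
    m = PORT_RE.match(line)
    if m:  # active mode: the client tells the server where to connect for data
        ip, port = decode_hostport(m.groups())
        if not inspected:
            if ipaddress.ip_address(ip).is_private:
                return line, None, (f"server will try to connect to {ip}:{port}, "
                                    "a private address; client gets 425")
            return line, None, "no pinhole for the inbound data connection; client gets 425"
        # Inspection rewrites the embedded private address to the translated one
        # and permits the server's inbound data connection to that port.
        # (Assumption in this model: the port number itself is preserved.)
        new_line = "PORT " + encode_hostport(CLIENT_PUBLIC, port) + "\r\n"
        return new_line, (FTP_SERVER, CLIENT_PUBLIC, port), "ok"

    m = PASV_RE.match(line)
    if m:  # passive mode: the server tells the client where to connect for data
        ip, port = decode_hostport(m.groups())
        if ipaddress.ip_address(ip).is_private:
            return line, None, f"server advertised private address {ip}; client gets 425"
        # The client opens this connection outbound, like the control channel,
        # so an ordinary stateful outbound policy carries it, inspected or not.
        return line, (CLIENT_PRIVATE, ip, port), "ok"

    return line, None, "ok"  # USER, PASS, LIST, RETR ... need no special handling


def simulate_session(mode, inspected):
    """Run a constructed LIST exchange in active or passive mode through the
    model. Returns (forwarded_lines, data_flows, verdict)."""
    if mode == "active":
        # Client listens on 51000 and announces its *private* address.
        lines = ["PORT " + encode_hostport(CLIENT_PRIVATE, 51000) + "\r\n", "LIST\r\n"]
    elif mode == "passive":
        # Server answers PASV with its public address and data port 60030.
        lines = ["PASV\r\n",
                 "227 Entering Passive Mode (" + encode_hostport(FTP_SERVER, 60030) + ")\r\n",
                 "LIST\r\n"]
    else:
        raise ValueError(mode)
    forwarded, flows, verdict = [], [], "ok"
    for line in lines:
        out, flow, v = inspect_control_line(line, inspected)
        forwarded.append(out)
        if flow is not None:
            flows.append(flow)
        if v != "ok" and verdict == "ok":
            verdict = v
    return forwarded, flows, verdict


if __name__ == "__main__":
    for mode in ("active", "passive"):
        for inspected in (False, True):
            _, flows, verdict = simulate_session(mode, inspected)
            print(f"{mode:7} inspected={str(inspected):5} flows={flows} -> {verdict}")
```

Running it shows active mode failing only when the control connection is uninspected, while passive mode works either way. That matches the symptom in the thread: Windows Explorer defaults to passive mode and transfers fine, whereas the command-line ftp.exe client only does active mode, so with the control connection in TCP state bypass its PORT command carries 192.168.0.94 unchanged and LIST or RETR ends in 425. On the ASA itself, `show service-policy flow tcp host 192.168.0.94 host 194.126.124.166 eq 21` lists the policy-map classes a given flow matches, which is the quickest way to confirm whether it lands in the state-bypass class or in the class that carries `inspect ftp`.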