Hi Brian,

Yes, please send the config and we'll take a look.

Cheers,

Eloy Paris.-

Hi Brian,

Assuming that the FTP server is at 192.168.61.248 on the private network and at 1.2.97.35 on the public Internet this configuration looks fine to me.

The key statements are:

access-list INBOUND extended permit tcp any host 1.2.97.35 eq ftp

access-group INBOUND in interface outside

access-list OUTBOUND extended permit ip any any

access-group OUTBOUND in interface inside

static (inside,outside) 1.2.97.35 192.168.61.248 netmask 255.255.255.255

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

service-policy global_policy global

David (cisco24x7) and I are still investigating an issue he's found when FTP inspection is disabled (no fixup protocol ftp 21) and NAT is enabled, but this is not your case because you have FTP inspection enabled.

So, since the configuration looks good, could you describe what the problem is? Any error messages that you can see on the ASA and/or on the FTP clients? Does any of the two FTP transfer methods (passive or active) work at all? Do other services offered by that server (RDP, HTTPS, SSH) work fine?

Cheers,

Eloy Paris.-

I will get you the ASA 5505 log as soon as I can. Here is an attached file with all of the FTP logs.

PS: I'm about to test out the FTP server in the DMZ with ports 1024+ opened up. I've asked a few times, without a response, is that a security no no? Is that a bad idea?

Eloy is a great guy and one Smart dude.

If you have "fixup protocol ftp 21" enable or

"inspect ftp" enable in the ASA configuration,

you do NOT need to open 1024+ tcp ports on the

firewall. That's a security risk. This is

a BAD idea. In other words, a security no no.

Ya'll are a great bunch of Guru's! Thanks again for the help.

David (cisco24x7) is the man - we talked this morning and I finally understood what was the problem with NAT and "no fixup protocol 21" with passive FTP.

The bottom line is that cisco24x7 is right - when doing NAT and no FTP protocol inspection, passive FTP won't work, unless you use an FTP client that violates the RFCs (happened to me, and I told cisco24x7: "what are you talking about; it works great for me!". But I think this is a bug although I am sure the people that wrote this FTP client see this as a feature.)

Agreed with the comment about opening ports >= 1024. I wouldn't even do it for a quick 5 minute test, and also it's not necessary if FTP protocol inspection is enabled since the firewall will open the exact ports that need to be open.

Cheers,

Eloy Paris.-

Hi Brian,

I went through the log file you sent but I am afraid I still can't figure out what is causing the problem.

For the passive FTP part of the log I see:

(client) 12:43:20 Command: PASV

(server) 14:11:55 - (010199) 227 Entering Passive Mode (1,2,97,35,195,97)

[the client doesn't seem to see this]

(server) 14:11:55 - (010199) Closed session

[don't know why the session is closed right away]

(client) 12:43:41 Error: Connection timed out

It seems that the problem here is that client is not seeing the response to the PASV command.

The best way to troubleshoot this is to obtain packet captures on the inside and outside interfaces of the ASA. That's actually very easy to setup but requires priv15 (enable) access to the ASA.

For the Secure FTP part of the log, the following entry in the server log is suspicious:

14:08:50 - (010197) Unable to open private key file:

For the rest of the log file - I have no idea what "implicit active/passive" and "explicit active/passive" are. I see some work and some don't, but I can't comment on this since I don't know what these "implicit" modes are. First time I hear of them.

With regards to your question about opening port >= 1024, yes, as cisco24x7 said, it's a bad idea. The idea of a stateful firewall is that ports are dynamically opened based on the needs of the sessions/traffic going through the firewall. In the case of FTP traffic, if "inspect ftp" is enabled then the firewall will automatically open the required ports to allow traffic from the outside to come in based on the PORT command and on the response to the PASV command.

Back to the original issue, I think that to effectively diagnose the problem with need the following:

- Logs from the ASA (I'd start at level 5)

- Packet capture on inside and outside interfaces

Finally, a dumb question: have you tested passive connections to the FTP server with a client right next to the server, i.e. not going through the firewall? Just to be sure there are no problems with the server itself...

Any advice on setting up the logging on the ASA 5505?

This what we have:

logging enable

logging buffered debugging

logging asdm informational

logging host dmz 192.168.63.40

I've set up Kiwi on 192.168.63.40, which is in the DMZ on a temp basis, but I'm not seeing anything come through.

Passive works internally, fyi. Good point tho!

Let's put the SSH/SSL on hold until we sort out Passive FTP.

I tried a new temp FTP server in the DMZ today with ALL incoming ports 1-65535 opened up (and windows firewall off)... still couldn't get passive to work.

I've configured a packet sniffer on the FTP Server which has given me the attached info.

I also installed a packet sniffer on the outside desktop attempting passive ftp with those results in the attachment as well.

Is there anywhere else you'd like the sniffer? I'm not sure how to configure it between the cisco and the fiber.

I'm still working on getting the Syslog running correctly. Any help on that would be great as well... I have kiwi up and running, but I'm not seeing traffic from my remote IP trying to passive ftp.

Hi Brian,

In the two captures in the file you attached I don't see the client entering passive mode, i.e. I see the PORT command instead of the PASV command. Were both session unsuccessful or just one of them?

It would be best to use the capture command on the ASA to do the packet capture, instead of external sniffers.

Regarding the logging part, to send logging messages to a host running a syslog server (like kiwi), the minimum commands are:

logging enable

logging host

logging trap

For logging level I would start with level 6 (informational)

Feel free to email me at elparis@cisco.com if you have any questions. We can summarize our findings later for the benefit of others reading the forum.

Cheers,

Eloy Paris.-

I think I have the syslog working now...

2008-08-08 16:31:39 Local4.Info 10.10.10.1 %ASA-6-302013: Built inbound TCP connection 2039746 for outside:24.24.24.24/1464 (24.24.24.24/1464) to dmz:10.10.10.2/21 (50.50.50.50/21)

2008-08-08 16:31:40 Local4.Warning 10.10.10.1 %ASA-4-406002: FTP port command different address: 10.10.10.2(50.50.50.49) to 24.24.24.24 on interface dmz

2008-08-08 16:31:40 Local4.Info 10.10.10.1 %ASA-6-302014: Teardown TCP connection 2039746 for outside:24.24.24.24/1464 to dmz:10.10.10.2/21 duration 0:00:00 bytes 232 Flow closed by inspection

2008-08-08 16:31:41 Local4.Info 10.10.10.1 %ASA-6-106015: Deny TCP (no connection) from 24.24.24.24/1464 to 50.50.50.50/21 flags PSH ACK on interface outside

2008-08-08 16:31:44 Local4.Info 10.10.10.1 %ASA-6-106015: Deny TCP (no connection) from 24.24.24.24/1464 to 50.50.50.50/21 flags PSH ACK on interface outside

2008-08-08 16:31:49 Local4.Info 10.10.10.1 %ASA-6-106015: Deny TCP (no connection) from 24.24.24.24/1464 to 50.50.50.50/21 flags PSH ACK on interface outside

2008-08-08 16:32:01 Local4.Info 10.10.10.1 %ASA-6-106015: Deny TCP (no connection) from 24.24.24.24/1464 to 50.50.50.50/21 flags RST ACK on interface outside

this message:

%ASA-4-406002: FTP port command different address: 10.10.10.2(50.50.50.49) to 24.24.24.24 on interface dmz

looks suspicious.

This is the explanation for this message:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4773005

This seems to indicate that the client is behind NAT but not the entire packet is getting rewritten by the NAT device.

I am a little lost with the topology. Could you draw what you have, including IP addresses?

Cheers,

Eloy Paris.-

By removing Inspect FTP, things started working in Passive mode. I could've swore I tried taking out that statement once before and testing, but I must not have. It's as if Inspect FTP blocks the PASV command from passing through. This all seems to defeat the purpose of Inspect FTP, doesn't it? Thanks again to everyone who spent time on this. It's refreshing to see a community of people who actually want to help others. THANKS!!!