
Connections initiated from an ASA 5508 firewall

phil96564
Level 1

Hi all

I need to do a reimage of an SFR module running on an ASA 5508 and part of the process requires the ASA to have anonymous FTP access to an FTP server across the network. To ensure the FTP access is in place before starting the upgrade process I tested it by attempting the download of a text file, the result of which was "Error opening ftp://ftp_server_ip_address/test.txt (Permission denied)".

The anonymous user is set up OK in the FTP server and has a mount point of "/" associated with folder C:\Filezilla_Root and there are no firewalls between this firewall and the FTP server. The only thing I can think of now is that the connection is being blocked by itself.

So the question is: are connections initiated from the ASA itself subject to its own firewall rules? I always thought not, but any clarification would be appreciated.

Thanks

Phil.

4 Replies

marce1000
VIP

 

 - To verify your analysis, check the logs of the FTP server (too) when the FTP attempt is made, and check if anything is reported in there (if needed and/or the FTP server supports it, then turn on debugging).

 M.



-- 'Good body every evening': this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

https://www.oreilly.com/library/view/cisco-ios-cookbook/0596527225/ch01s07.html

Read about Permission denied in this link.

"Aborting the upgrade early in the process like this ensures that you don’t erase the flash unless there is a suitable replacement image available for download."

Usually the permission denied error indicates that the folder or file location requires authentication to access it. Are you 100% sure that the file location does not require authentication? And if this is a Windows computer, have you made sure to turn off Windows Firewall or at least allow FTP connections in Windows Firewall?

--
Please remember to select a correct answer and rate helpful posts

The access list rules you configured on the firewall are only going to affect the transit traffic, not the traffic generated by the ASA itself. I agree with @Marius Gunnerud, the issue seems to be related to the folder permissions on the FTP server. When you get the permissions error, it would mean the connection itself has been established, but there were not enough permissions to read from the remote folder.
