07-14-2022 06:53 AM
Hi All,
I am trying to download an IOS image onto an ASA firewall. There is an OOB ASA firewall that the connection traverses on its way to the FTP server.
When I run a capture on the OOB ASA, I get the captures below:
480: 12:30:05.219059 802.1Q vlan#xx8 P0 xx.xx.xx.35.5296 > xx.xx.xx.135.21: S 2607808118:2607808118(0) win 32768 <mss 1460,nop,nop,timestamp 3600727312 0>
482: 12:30:08.248293 802.1Q vlan#xx8 P0 xx.xx.xx.35.5296 > xx.xx.xx.135.21: S 2607808118:2607808118(0) win 32768 <mss 1460,nop,nop,timestamp 3600730343 0>
483: 12:30:14.267655 802.1Q vlan#xx8 P0 xx.xx.xx.35.5296 > xx.xx.xx.135.21: S 2607808118:2607808118(0) win 32768 <mss 1460,nop,nop,timestamp 3600736366 0>
I have policies in place on the OOB firewall, and packet tracer simulates an allow as well.
I am able to ping the FTP server. From the FTP server I can SSH to the device.
Please help me troubleshoot this issue further.
xx.xx.xx.135 is the FTP server
xx.xx.xx.35 is the firewall from which I am trying to download IOS.
Below is the output from packet tracer.
input-interface: oob
input-status: up
input-line-status: up
output-interface: dcmgmt
output-status: up
output-line-status: up
Action: allow
The connection is getting out of the firewall and hitting the OOB firewall, but it seems like it never leaves the OOB firewall; I cannot see any hits on the FTP server after running Wireshark.
Regards
07-14-2022 07:02 AM
FTP needs inspection to be allowed to pass through the ASA. Have you configured FTP inspection?
07-14-2022 08:05 AM
Hi,
On both the source ASA and the OOB ASA, the below is enabled:
ftp mode passive
policy-map global_policy
 class inspection_default
  inspect ftp
07-14-2022 08:35 AM
What does your network look like? As you mentioned:
ASA ---(another FW) --FTP ?
07-14-2022 08:53 AM
Source ASA (xx.xx.xx.35) --- OOB ASA (xx.xx.xx.20)--- FTP (xx.xx.xx.135).
That's correct.
07-14-2022 08:59 AM
According to your network, you need to configure port forwarding on the OOB ASA for the FTP port.
Otherwise, the OOB will change the port if there is dynamic NAT.
07-14-2022 02:11 PM
Thanks for sharing. Could you please share the command so I can try configuring port forwarding?
07-14-2022 02:24 PM
07-14-2022 09:01 AM
Easy method: grab a USB stick and connect it to the ASA (since this is a one-time requirement).
07-14-2022 02:09 PM
Hey Balaji, this is not a one-time thing; there are several ASAs connected this way. If we manage to get this one working, then we can draft a procedure to upgrade all the ASAs as and when required.
07-14-2022 02:21 PM
Is there a way to establish that it is not being dropped by the OOB or the source firewall itself? I have shared a capture in the initial message.
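One way to read captures like the one in the first post, as an added example that is not part of the thread: this script parses ASA capture lines and reports SYNs that were retransmitted without any SYN-ACK or RST coming back. The function name, the reply-line layout (`S ... ack N`) and the second flow in the sample are assumptions; the first three sample lines are the ones posted above.

```python
import re
from collections import defaultdict

# TCP line layout taken from the capture in the first post; the optional
# "802.1Q vlan#N P0" prefix appears only on tagged interfaces.
LINE = re.compile(
    r"^\s*\d+:\s+(?P<ts>[\d:.]+)\s+(?:802\.1Q\s+\S+\s+P\d+\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFPR.]+)\s+"
    r"(?P<seq>\d+):\d+\(\d+\)(?P<ack>\s+ack\s+\d+)?"
)

def unanswered_syns(capture_text):
    """Return SYNs that were (re)sent but never got a SYN-ACK or RST back."""
    syns = defaultdict(list)  # (src, dst, seq) -> timestamps of each attempt
    answered = set()          # (client, server) pairs that received a reply
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # pure ACKs and non-TCP lines carry no seq range
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if "S" in flags and not m["ack"]:
            syns[(src, dst, m["seq"])].append(m["ts"])
        elif "R" in flags or ("S" in flags and m["ack"]):
            answered.add((dst, src))  # reply travels server -> client
    return [
        {"src": s, "dst": d, "attempts": len(ts), "first": ts[0], "last": ts[-1]}
        for (s, d, _), ts in syns.items() if (s, d) not in answered
    ]

# First three lines: from the original post. Last two: constructed, showing
# a handshake that does get answered (assumed SYN-ACK layout).
SAMPLE = """
480: 12:30:05.219059 802.1Q vlan#xx8 P0 xx.xx.xx.35.5296 > xx.xx.xx.135.21: S 2607808118:2607808118(0) win 32768 <mss 1460,nop,nop,timestamp 3600727312 0>
482: 12:30:08.248293 802.1Q vlan#xx8 P0 xx.xx.xx.35.5296 > xx.xx.xx.135.21: S 2607808118:2607808118(0) win 32768 <mss 1460,nop,nop,timestamp 3600730343 0>
483: 12:30:14.267655 802.1Q vlan#xx8 P0 xx.xx.xx.35.5296 > xx.xx.xx.135.21: S 2607808118:2607808118(0) win 32768 <mss 1460,nop,nop,timestamp 3600736366 0>
490: 12:31:00.000001 xx.xx.xx.35.5300 > xx.xx.xx.135.22: S 100:100(0) win 32768 <mss 1460>
491: 12:31:00.000900 xx.xx.xx.135.22 > xx.xx.xx.35.5300: S 200:200(0) ack 101 win 8192 <mss 1460>
"""

if __name__ == "__main__":
    for flow in unanswered_syns(SAMPLE):
        print("{src} -> {dst}: {attempts} SYNs, no reply "
              "({first} to {last})".format(**flow))
```

Run over one capture taken on the OOB ASA's `oob` interface and one on its `dcmgmt` interface, the output shows whether the same unanswered SYN appears on the egress side or only on ingress.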