11-03-2010 08:17 AM - edited 03-11-2019 12:04 PM
Anyone
I upgraded to 8.3.2 using ASDM 6.3.(4).
Got several challenges with NAT and access-list statements. I think those are sorted out.
However, I run an FTP server on the inside network and want anyone to be able to access it. I can log in to the server from outside (so I guess the NAT and access list are OK).
When I try to do a LIST on the FTP server I get a "425 Can't open data connection" error from the server.
I also have FTP inspection enabled:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
Help please!
br
hkl
11-03-2010 12:16 PM
It seems the data channel fails.
You are probably not translating the high data-channel port that active FTP would use. What does "debug ftp" show you? And the logs on the ASA?
PK
11-04-2010 12:17 AM
pkampana wrote:
It seems the data channel fails.
You are probably not translating the high data-channel port that active FTP would use. What does "debug ftp" show you? And the logs on the ASA?
PK
pkampana, thanks for your response.
"deb ftp" from the command line (as in "deb ftp client") does not show anything; the ASA logs (syslog) show no denies, see below:
Hmmm, it seems I can't cut and paste into this editor; see the attached file for the logs.
Thanks
hkl
11-04-2010 06:38 AM
6 Nov 04 2010 07:06:54 85.95.45.106 39154 192.168.1.50 20 Built inbound TCP connection 64482 for outside:85.95.45.106/39154 (85.95.45.106/39154) to inside:192.168.1.50/20 (62.89.40.36/20)
6 Nov 04 2010 07:06:53 85.95.45.106 57354 192.168.1.50 21 Built inbound TCP connection 64481 for outside:85.95.45.106/57354 (85.95.45.106/57354) to inside:192.168.1.50/21 (62.89.40.36/21)
tell me that the control and data connections are allowed. The problem probably resides somewhere else.
Do a capture on the ASA inside "capture capin interface inside match ip host 192.168.1.50 host 85.95.45.106", try the transfer and look at the packets "sh cap capin".
I hope it helps.
PK
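The two syslog lines PK quotes are ASA message 302013 ("Built inbound TCP connection"). As an added example (not code posted by anyone in this thread), the Python below parses that message format, picks out the FTP control channel (server port 21) and data channel (server port 20) towards the server, and runs the sanity checks PK is doing by eye: both channels were built, from the same peer, with the same NAT mapping for the server. The sample input is the thread's own two lines; the helper names are my own.

```python
import re

# Constructed sample: the two ASA syslog lines quoted in the thread (message
# 302013, "Built inbound TCP connection"), with the thread's own addresses.
SAMPLE_SYSLOG = """\
6 Nov 04 2010 07:06:54 85.95.45.106 39154 192.168.1.50 20 Built inbound TCP connection 64482 for outside:85.95.45.106/39154 (85.95.45.106/39154) to inside:192.168.1.50/20 (62.89.40.36/20)
6 Nov 04 2010 07:06:53 85.95.45.106 57354 192.168.1.50 21 Built inbound TCP connection 64481 for outside:85.95.45.106/57354 (85.95.45.106/57354) to inside:192.168.1.50/21 (62.89.40.36/21)
"""

# Fields of the "Built ... TCP connection" message: real address/port of each
# side ("a" = first endpoint, "b" = second), each followed by its NAT-mapped
# address/port in parentheses.
CONN_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    r"(?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"\((?P<a_map_ip>[\d.]+)/(?P<a_map_port>\d+)\) to "
    r"(?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"\((?P<b_map_ip>[\d.]+)/(?P<b_map_port>\d+)\)"
)


def parse_built_connections(text):
    """Return one dict per 'Built ... TCP connection' line; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("conn_id", "a_port", "a_map_port", "b_port", "b_map_port"):
            d[key] = int(d[key])
        conns.append(d)
    return conns


def ftp_channels(conns, server_real_ip):
    """Pick out the FTP control (server port 21) and data (server port 20)
    connections built towards server_real_ip. A data channel on server port 20
    is the signature of active-mode FTP (the server opens it)."""
    found = {"control": None, "data": None}
    for c in conns:
        if c["b_ip"] != server_real_ip:
            continue
        if c["b_port"] == 21:
            found["control"] = c
        elif c["b_port"] == 20:
            found["data"] = c
    return found


def check_ftp_channels(found):
    """The checks a firewall admin runs on the two lines: both channels built,
    same remote peer on both, same NAT mapping for the server on both."""
    problems = []
    ctrl, data = found["control"], found["data"]
    if ctrl is None:
        problems.append("no control connection (port 21) built")
    if data is None:
        problems.append("no data connection (port 20) built")
    if ctrl and data:
        if ctrl["a_ip"] != data["a_ip"]:
            problems.append("control and data channels come from different peers")
        if ctrl["b_map_ip"] != data["b_map_ip"]:
            problems.append("server NAT mapping differs between channels")
    return problems


if __name__ == "__main__":
    found = ftp_channels(parse_built_connections(SAMPLE_SYSLOG), "192.168.1.50")
    print(check_ftp_channels(found) or "both FTP channels built, NAT consistent")
```

An empty problem list is exactly PK's conclusion: the ASA built both connections with a consistent mapping (62.89.40.36 for 192.168.1.50), so the ACL and NAT are not what is failing, and the next step is a capture on the inside interface.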
11-08-2010 11:15 PM
pkampana wrote:
6 Nov 04 2010 07:06:54 85.95.45.106 39154 192.168.1.50 20 Built inbound TCP connection 64482 for outside:85.95.45.106/39154 (85.95.45.106/39154) to inside:192.168.1.50/20 (62.89.40.36/20)
6 Nov 04 2010 07:06:53 85.95.45.106 57354 192.168.1.50 21 Built inbound TCP connection 64481 for outside:85.95.45.106/57354 (85.95.45.106/57354) to inside:192.168.1.50/21 (62.89.40.36/21)
tell me that the control and data connections are allowed. The problem probably resides somewhere else.
Do a capture on the ASA inside "capture capin interface inside match ip host 192.168.1.50 host 85.95.45.106", try the transfer and look at the packets "sh cap capin".
I hope it helps.
PK
Hello again
Been away for some days, so looking back into this problem now.
See the attached file for the result of the capture; it's a bit above my head, so it would be much appreciated if you could advise.
br
hkl
11-03-2010 12:16 PM
Hello,
Mike here. What type of FTP server are you running? Is it passive or active? In "show service-policy", do you see the FTP inspection having any kind of drops?
Let me know.
Cheers
Mike
11-05-2010 05:47 AM
This is active FTP with the client on the outside. If you allow TCP 20 and 21 on the outside ACL it should work without FTP inspection.
I would remove this server 192.168.1.50 temporarily, use a laptop or other PC with the same IP address 192.168.1.50, install FileZilla Server on it, and see if it works.
You can get filezilla here: http://filezilla-project.org/download.php?type=server
Make sure it is set to active FTP. Verify here: http://support.tigertech.net/filezilla-passive
-KS
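KS's point that this is active FTP with the client on the outside decides which side has to accept the data connection. As an added example (mine, not from any poster or from FileZilla), the Python below decodes the two ways the data endpoint is negotiated on the control channel: the client's PORT command (active: the server connects, from port 20, to the address the client advertised) and the server's 227 reply to PASV (passive: the client connects to the address the server advertised). It then states which host, and therefore which firewall, must accept the inbound SYN, and flags an advertised IP that differs from the peer seen on the control channel, which is the mismatch "inspect ftp" exists to rewrite. The transcripts are constructed; the PORT argument is the thread's client IP with a port chosen to match the 12607 seen in the later capture.

```python
import re


def parse_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 PASV reply."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed host-port string: {arg!r}")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range: {arg!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_port_command(line):
    """'PORT 85,95,45,106,49,63' -> ('85.95.45.106', 12607)"""
    m = re.match(r"PORT\s+(\S+)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return parse_hostport(m.group(1))


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (192,168,1,50,195,80)' -> ('192.168.1.50', 50000)"""
    m = re.match(r"227\b.*?\((\d+(?:,\d+){5})\)", line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return parse_hostport(m.group(1))


def data_channel_plan(exchange, client_ip, server_ip):
    """exchange: list of (who, line) as seen on the control channel, who in {'C','S'}.
    Returns who opens the data connection and which host/port must accept it."""
    plan = None
    for who, line in exchange:
        if who == "C" and line.upper().startswith("PORT "):
            ip, port = parse_port_command(line)
            plan = {"mode": "active", "initiator": "server", "acceptor": "client",
                    "listen_ip": ip, "listen_port": port,
                    "advertised_ip_matches_peer": ip == client_ip}
        elif who == "S" and line.startswith("227"):
            ip, port = parse_pasv_reply(line)
            plan = {"mode": "passive", "initiator": "client", "acceptor": "server",
                    "listen_ip": ip, "listen_port": port,
                    "advertised_ip_matches_peer": ip == server_ip}
    if plan is None:
        raise ValueError("no PORT command or 227 reply seen on the control channel")
    plan["rule_needed"] = (
        f"the {plan['acceptor']} host and any firewall in front of it must accept an "
        f"inbound TCP connection to {plan['listen_ip']}:{plan['listen_port']} "
        f"opened by the {plan['initiator']}"
    )
    return plan


# Constructed control-channel transcript modelled on the thread: the outside
# client 85.95.45.106 logs in, goes active, and LIST fails with 425.
ACTIVE_EXCHANGE = [
    ("S", "220 FileZilla Server ready"),
    ("C", "USER hkl"),
    ("S", "331 Password required"),
    ("C", "PASS ********"),
    ("S", "230 Logged on"),
    ("C", "PORT 85,95,45,106,49,63"),      # client listens on 85.95.45.106:12607
    ("S", "200 Port command successful"),
    ("C", "LIST"),
    ("S", "425 Can't open data connection"),
]

# Constructed passive transcript: a server behind NAT advertising its private
# address, the case FTP inspection (or the server's external-IP setting) fixes.
PASSIVE_EXCHANGE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,1,50,195,80)"),
    ("C", "LIST"),
]

if __name__ == "__main__":
    print(data_channel_plan(ACTIVE_EXCHANGE, "85.95.45.106", "62.89.40.36")["rule_needed"])
    print(data_channel_plan(PASSIVE_EXCHANGE, "85.95.45.106", "62.89.40.36"))
```

For the active transcript the plan says the client at 85.95.45.106:12607 must accept a connection from the server, so allowing TCP 20 and 21 through the ASA is necessary but not sufficient: anything on the client side that drops unsolicited inbound SYNs (a host firewall, for instance) breaks the data channel while the login on port 21 still works. For the passive transcript the advertised 192.168.1.50 does not match the server's public address, which is the rewrite "inspect ftp" performs on the 227 reply.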
11-08-2010 11:28 PM
kusankar wrote:
This is active FTP with the client on the outside. If you allow TCP 20 and 21 on the outside ACL it should work without FTP inspection.
I would remove this server 192.168.1.50 temporarily, use a laptop or other PC with the same IP address 192.168.1.50, install FileZilla Server on it, and see if it works.
You can get filezilla here: http://filezilla-project.org/download.php?type=server
Make sure it is set to active FTP. Verify here: http://support.tigertech.net/filezilla-passive
-KS
Hello and thanks for the response.
Ports 20 and 21 are allowed. I tried changing the server to vsftpd running on Linux, same result.
It seems the link to set active/passive FTP in FileZilla is for the client, not the server; the server options interface does not have a tab for active/passive.
hkl
11-08-2010 11:20 PM
mayrojas wrote:
Hello,
Mike here. What type of FTP server are you running? Is it passive or active? In "show service-policy", do you see the FTP inspection having any kind of drops?
Let me know.
Cheers
Mike
Hello Mike, thanks for your response.
I'm running FileZilla Server 0.9.37 (BTW, everything worked fine before the upgrade to 8.3). I'm not really sure if the server is passive or active; there are only two settings for passive mode in the server: defining the external IP, and specifying a custom port range.
anubis(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
anubis(config)# sh service-policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 1079, drop 0, reset-drop 0
Inspect: ftp, packet 470, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 49, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
anubis(config)#
11-09-2010 06:02 AM
Hello Kristian,
Do you think you can do the same capture that Panos asked you for, but on the outside, download them in pcap format and send them here? The only difference would be that instead of the private IP you would use the public IP of the server. Capture both sides, inside and outside.
In order to download them, the only thing you need to do is enable the HTTP server on the ASA ("http server enable") and put the following URL in the web browser:
https://
To me, it seems like the data channel is not going out; take a look at this:
41: 08:02:48.680201 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
44: 08:02:51.654629 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
45: 08:02:57.691660 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
This is the data channel that the server is trying to open.
Let me know if you are able to download the captures, or if you need further explanation of how to do it.
Thanks.
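What Mike reads off the inside capture is a TCP handshake that never completes: three SYNs from 192.168.1.50:20 to 85.95.45.106:12607, same initial sequence number each time, and no SYN-ACK coming back. As an added example (mine, not code from this thread), the Python below parses ASA "show capture" output in that tcpdump-like format, groups SYNs by 4-tuple, and reports flows whose SYNs were never answered, so the pattern can be picked out of a long capture instead of by eye. The sample capture is constructed: it reuses the thread's three data-channel lines and adds an invented control-channel handshake for contrast, with illustrative packet numbers, timestamps and sequence numbers.

```python
import re
from collections import defaultdict

# Constructed "show capture" output: the thread's three data-channel SYNs plus
# an invented control-channel handshake (packets 1-3) that does complete.
SAMPLE_CAPTURE = """\
 1: 08:02:47.101200 802.1Q vlan#1 P0 85.95.45.106.57354 > 192.168.1.50.21: S 1105349821:1105349821(0) win 65535
 2: 08:02:47.101600 802.1Q vlan#1 P0 192.168.1.50.21 > 85.95.45.106.57354: S 2382100001:2382100001(0) ack 1105349822 win 65535
 3: 08:02:47.140900 802.1Q vlan#1 P0 85.95.45.106.57354 > 192.168.1.50.21: . ack 2382100002 win 65535
41: 08:02:48.680201 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
44: 08:02:51.654629 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
45: 08:02:57.691660 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
"""

# One capture line: "<num>: <time> [802.1Q vlan#N Pn] <src>.<sport> > <dst>.<dport>: <flags> <rest>"
PKT_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d+:\d+:\d+\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)
ISN_RE = re.compile(r"(\d+):\d+\(\d+\)")


def parse_capture(text):
    """Return one dict per TCP line; SYN and ACK are derived from the flag
    token and from an 'ack' in the remainder (older tcpdump style: 'S ... ack')."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["num"], d["sport"], d["dport"] = int(d["num"]), int(d["sport"]), int(d["dport"])
        d["syn"] = "S" in d["flags"]
        d["ack"] = "." in d["flags"] or " ack " in d["rest"]
        isn = ISN_RE.search(d["rest"])
        d["isn"] = isn.group(1) if isn else None
        pkts.append(d)
    return pkts


def unanswered_syns(pkts):
    """Flows whose SYNs never drew a SYN-ACK from the destination. Repeated
    SYNs carrying the same ISN are the sender's retransmissions, i.e. the
    SYN is leaving the sender but the reply never arrives."""
    syns = defaultdict(list)
    answered = set()
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["syn"] and not p["ack"]:
            syns[key].append(p)
        elif p["syn"] and p["ack"]:
            # a SYN-ACK from dst:dport answers the SYN sent to it
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    report = []
    for key, lst in syns.items():
        if key in answered:
            continue
        report.append({
            "src": key[0], "sport": key[1], "dst": key[2], "dport": key[3],
            "syn_count": len(lst), "first": lst[0]["ts"], "last": lst[-1]["ts"],
            "same_isn": len({p["isn"] for p in lst}) == 1,
        })
    return report


if __name__ == "__main__":
    for r in unanswered_syns(parse_capture(SAMPLE_CAPTURE)):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}: "
              f"{r['syn_count']} unanswered SYN(s), same ISN: {r['same_isn']}")
```

On the inside capture this only proves the server is sending; it does not say who is dropping. Running the same script over the outside capture splits the two cases: if the SYNs appear there too, the ASA forwarded them and the drop is beyond it (the client's network or, as it turned out here, the client's host firewall); if they are missing on the outside, the ASA itself is the place to look.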
11-09-2010 06:34 AM
11-09-2010 06:42 AM
11-09-2010 06:50 AM
Hello,
Hehehe, I noticed, but that's OK. Thanks so much for taking those captures. I can see that the server sends out the port 20 SYN in order to establish the data connection with the client, but the client never responds. Here are two things we can try.
Would you please open a command prompt on the PC and try to open the FTP connection from there? ftp
If it doesn't work, download Wireshark on that computer, start sniffing and check if the SYN packet on port 20 gets to the client from the server.
Hey, if you need clarification on anything just let me know ok?
Cheers.
Mike.
11-09-2010 07:57 AM
Mike
I'm going to hang myself until it really hurts.
Your last post got me on the right track. I had already tested other FTP clients, but from the same client machine. So I logged into a Linux server I have located externally, and it worked fine.
I had to think a bit and realised I HATE WINDOWS FIREWALL; I turned it off on the client machine and we are all set.
Thanks a lot to all of you who have wasted time on my stupidity.
hkl
Hopefully I learned something in the process.
11-09-2010 08:04 AM
Hello,
Hehehhehehehe Yay! At least we got it working .... Next time you won't forget... It was a pleasure helping you....
Cheers.
Mike.