Solved: Re: FTP issue through Firewall

Kevin Melton · ‎08-10-2011

Hello Forum

I have a very interesting problem at a client site this morning. Here is a summary of the problem in a nutshell.

This specific client has set up FTP to an FTP server in a DMZ at their Headquarters building. They have two Production servers that send FTP data to the box in the DMZ. The 1st of the two servers sending FTP data is located on the inside network (they use an ASA with a inside, outside, DMZ, WAN) and sends the FTP data into the box on the DMZ.

The 2nd of the two production servers is located across the WAN interface of the ASA.

The issue is as follows: Server 1 can perform all of its ftp commands correctly once it has connected to the FTP server in the DMZ. Server 2 can log into the FTP server and authenticate successfully, but when a "ls" command or and "dir" command is issued, there is no response (the contents of the root folder are not listed as they are when the same command is issued on the 1st server).

I have been running sniffer on the FTP server in the DMZ, but cannot tell from the traces what is wrong. I have a hard time beleiving that this may be an ACL issue, as if FTP was not allowed coming in from the WAN interface, then they would not have the ability to authenticate.

I am wondering if anyone has seen behavior like this before...

Thanks for any help or insight.

Kevin

mvsheik123 · ‎08-10-2011

Hi,

If everything looks normal from firewall end, I would look from server end. I had seen a scenario where an admin restricted user access to their FTP server.

hth

MS

View solution in original post

Anu M Chacko · ‎08-10-2011

Hi Kevin,

Could you check the NAT commands for the server? Also, verify if "inspect ftp" is enabled on the ASA.

Let me know.

Regards,

Anu

mvsheik123 · ‎08-10-2011

Hi,

If everything looks normal from firewall end, I would look from server end. I had seen a scenario where an admin restricted user access to their FTP server.

hth

MS

Kevin Melton · ‎08-10-2011

Sorry but THIS IS NOT THE CORRECT ANSWER. i SIMPLY HIT THE WRONG BUTTON.

We are definitely looking at things from the Server side. I have Wireshark installed and capturing all of the data. The

issue is that we are logging in using the same user account whether we are coming from Server 1 (which works fine) or Server 2 (which cannot do some of the FTP commands including LS and DIR. So at that point, it would not be the user being restricted, as it works from 1 of the 2 servers.

Kevin Melton · ‎08-10-2011

Hi Anu

I looked at our ASA to try and figure out if in fact the inspect commands were resident. We are running code 8.2.2, but it looks as if we are running the "inspect FTP" command.

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

policy-map global-policy

class inspection_default

I wasnt too concerned abou the NAT as I felt that if in fact I can get to the FTP box, and can authenticate to it, NAT has to be working properly. Otherwise I would not get that far. Correct me please if this is inaccurate.

Thanks