09-01-2010 07:19 AM - edited 03-11-2019 11:33 AM
I have a server on a dmz that can ftp a file using the web browser and you can connect to the ftp server via the command line. However, when one of the developers tries to use a script to transfer the file it does not work. Additionally, when you connect to the ftp server via the command line and try to run the ls command you receive an error message saying "500 illegal port".
I know that ftp is allowed on the firewall and ftp is part of the default global inspection policy. It looks like this is a PASV vs active issue. However in windows it does not allow you to switch to passive mode.
Other than opening up all high level ports for this connection, does anyone have a suggestion on what/if anything I can do on the firewall?
thank you
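Added illustration (not from the thread, Cisco, or any FTP server's own code) of why an active-mode client behind static NAT gets "500 Illegal PORT" unless the firewall's FTP inspection rewrites the PORT command, plus a scripted transfer that selects passive mode explicitly; the real address 10.20.25.102 is taken from the thread, the mapped address 203.0.113.20 is a constructed placeholder for a.b.c.g.

```python
from ftplib import FTP


def parse_port_command(arg):
    """Parse the PORT argument 'h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port)."""
    nums = [int(f) for f in arg.strip().split(",")]
    if len(nums) != 6 or any(n < 0 or n > 255 for n in nums):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def make_port_argument(ip, port):
    """Inverse of parse_port_command."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def server_reply_to_port(arg, control_peer_ip):
    """Reply a typical FTP server gives to PORT: it refuses an address that differs
    from the peer of the control connection (or a privileged port). A client behind
    NAT advertises its real address, so the check fails unless something rewrites it."""
    ip, port = parse_port_command(arg)
    if ip != control_peer_ip or port < 1024:
        return "500 Illegal PORT command."
    return "200 PORT command successful."


def fixup_port_argument(arg, static_nat):
    """What FTP inspection on the firewall does for active mode: replace the embedded
    real IP with its translated one (static_nat maps real -> mapped) so the server's
    check passes and the data connection can be opened to the right address."""
    ip, port = parse_port_command(arg)
    return make_port_argument(static_nat.get(ip, ip), port)


def fetch_passive(host, user, password, remote_name, local_path):
    """Scripted download that selects passive mode explicitly (ftplib defaults to
    passive anyway; the Windows ftp.exe client has no such switch)."""
    with FTP(host) as ftp:
        ftp.login(user, password)
        ftp.set_pasv(True)
        with open(local_path, "wb") as fh:
            ftp.retrbinary("RETR " + remote_name, fh.write)


if __name__ == "__main__":
    # Constructed scenario: inside host 10.20.25.102 statically translated to the
    # placeholder public address 203.0.113.20; the server sees the mapped address.
    nat = {"10.20.25.102": "203.0.113.20"}
    raw = make_port_argument("10.20.25.102", 5500)  # "10,20,25,102,21,124"
    print("without inspection:", server_reply_to_port(raw, "203.0.113.20"))
    print("with inspection   :", server_reply_to_port(fixup_port_argument(raw, nat), "203.0.113.20"))
```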
09-01-2010 07:25 AM
Hi,
I'm not sure if this might help:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1234738
You can see what is the behavior of the normal default FTP inspection on the ASA and you can additionally create an FTP inspection map to specify different behavior.
Hope it helps.
Federico.
09-01-2010 07:37 AM
Hey,
Could you provide details as to where is the client located with respect to the ASA and also IP address details of the ASA and the server along with the current ASA config (with altered IP addresses if needed)? We can go through that and see if we notice anything wrong on the ASA.
Thanks and Regards,
Prapanch
09-01-2010 08:33 AM
The client is on the dmz and can connect to the ftp server via the command line and transfer the file using a browser.
a.b.c.f is the ftp server
a.b.c.g is the client
The relevant parts of the config are as follows:
:
ASA Version 8.0(3)
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address a.b.c.d 255.255.255.0 standby a.b.c.e
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.20.30.2 255.255.255.0 standby 10.20.30.3
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.1
description LAN Failover Interface
vlan 28
!
interface GigabitEthernet0/2.2
description STATE Failover Interface
vlan 29
!
interface GigabitEthernet0/3
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.50.2 255.255.255.0 standby 192.168.50.3
!
interface Management0/0
shutdown
nameif managment
security-level 100
no ip address
!
same-security-traffic permit inter-interface
object-group network FTP
network-object host a.b.c.f
object-group service FTP_service
service-object tcp eq ftp-data
service-object tcp eq ftp
service-object tcp range 5500 5700
access-list acl_Inside extended deny object-group Anonymous any object-group BlackList
access-list acl_Inside extended deny ip a.b.c.0 255.255.255.0 any
access-list acl_Inside extended deny ip 192.168.50.0 255.255.255.0 any
access-list acl_Inside extended deny ip host 255.255.255.255 any
access-list acl_Inside extended deny ip 127.0.0.0 255.0.0.0 any
access-list acl_Inside extended permit ip any any
access-list acl_DMZ extended permit tcp host 192.168.50.51 host 192.168.50.180 eq smtp
access-list acl_DMZ extended permit tcp host 192.168.50.54 host 192.168.50.180 eq smtp
access-list acl_DMZ extended permit tcp host 192.168.50.54 host 192.168.50.246 eq smtp
access-list acl_DMZ extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_DMZ extended permit ip 192.168.50.0 255.255.255.0 any
access-list acl_Outside extended permit object-group FTP_service any object-group FTP
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu managment 1500
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
static (inside,outside) a.b.c.f 10.20.30.55 netmask 255.255.255.255
static (inside,outside) a.b.c.g 10.20.25.102 netmask 255.255.255.255
access-group acl_Outside in interface outside
access-group acl_Inside in interface inside
access-group acl_DMZ in interface dmz
!
!
policy-map Global_Policy
description Global Policy for Traffic Inspection
class Inspection_Default
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect ipsec-pass-thru
inspect mgcp
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect tftp
inspect xdmcp
inspect http
!
service-policy Global_Policy global
prompt hostname context
Cryptochecksum:fd174eacd4f91d6b5b3ef484f5365abe
: end
09-01-2010 08:40 AM
Hi,
You have mentioned that both the client and the server are on the DMZ. But in the config I see the below 2 static commands redirecting a.b.c.f (server) and a.b.c.g (client) to the inside interface.
static (inside,outside) a.b.c.f 10.20.30.55 netmask 255.255.255.255
static (inside,outside) a.b.c.g 10.20.25.102 netmask 255.255.255.255
I am not quite sure about the topology yet. Could you clarify things a little bit more here?
Regards,
Prapanch
09-01-2010 02:47 PM
It looks like this might be a barracuda issue. Thank you for taking the time to respond to me.