FTP outbound session is being dropped by ASA

Hi all

I'm facing a problem when an internal PC (172.16.0.21) tries to connect to an external FTP server. The PC is located on the interface called 'intranet' and the external server (ftp.nai.com->32.58.48.237) is on the outside (interface called 'diba').

I've configured a static NAT for this connection (with sh xlate I can see the NAT is doing ok):

static (intranet,diba) 217.124.X.X 172.16.0.21 netmask 255.255.255.255

...and an access-list allowing the traffic

access-list intranet extended permit tcp any any eq ftp

If I do a simulation with the packet tracer command the result is ALLOW, but when the FTP is launched the ASA drops the packet. I know it because I launched two capture commands, one for the intranet interface and the other for the diba interface. I can see how the packets arrive at the ASA but they don't appear on the diba interface:

CAPTURE ON INTRANET INTERFACE

1: 12:53:01.970469 172.16.0.21.33217 > 32.58.159.237.21: S 2341848529:2341848529(0) win 5840 <mss 1460,sackOK,timestamp 1268734986 0,nop,wscale 2>
2: 12:53:04.966731 172.16.0.21.33217 > 32.58.159.237.21: S 2341848529:2341848529(0) win 5840 <mss 1460,sackOK,timestamp 1268735736 0,nop,wscale 2>
3: 12:53:10.967509 172.16.0.21.33217 > 32.58.159.237.21: S 2341848529:2341848529(0) win 5840 <mss 1460,sackOK,timestamp 1268737236 0,nop,wscale 2>
4: 12:53:22.969081 172.16.0.21.33217 > 32.58.159.237.21: S 2341848529:2341848529(0) win 5840 <mss 1460,sackOK,timestamp 1268740236 0,nop,wscale 2>
5: 12:53:46.972224 172.16.0.21.33217 > 32.58.159.237.21: S 2341848529:2341848529(0) win 5840 <mss 1460,sackOK,timestamp 1268746236 0,nop,wscale 2>

The SYN packet arrives on the ASA but there are no packets in the capture on the diba interface. FTP inspection is enabled in the global policy map.

Any idea?

Many thanks,

Francisco
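An added example, not from the thread, that reads a pasted ASA capture in the format shown above and flags flows where the client's SYN keeps being retransmitted with no SYN/ACK ever coming back, which is the symptom described (the firewall eating the packet somewhere between the two interfaces). The sample capture is constructed: the first three lines follow the question's output, the second flow is made up to show a completed handshake for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in "show capture" format; second flow is invented to
# contrast a completed three-way handshake with the stalled FTP flow.
SAMPLE_CAPTURE = """\
1: 12:53:01.970469 172.16.0.21.33217 > 32.58.159.237.21: S 2341848529:2341848529(0) win 5840 <mss 1460,sackOK,timestamp 1268734986 0,nop,wscale 2>
2: 12:53:04.966731 172.16.0.21.33217 > 32.58.159.237.21: S 2341848529:2341848529(0) win 5840 <mss 1460,sackOK,timestamp 1268735736 0,nop,wscale 2>
3: 12:53:10.967509 172.16.0.21.33217 > 32.58.159.237.21: S 2341848529:2341848529(0) win 5840 <mss 1460,sackOK,timestamp 1268737236 0,nop,wscale 2>
4: 12:53:11.100000 172.16.0.21.33300 > 10.0.0.5.22: S 100:100(0) win 5840 <mss 1460,sackOK>
5: 12:53:11.100500 10.0.0.5.22 > 172.16.0.21.33300: S 200:200(0) ack 101 win 5840 <mss 1460,sackOK>
6: 12:53:11.101000 172.16.0.21.33300 > 10.0.0.5.22: . ack 201 win 5840
"""

# One capture line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$"
)
# Word boundary so the "ack" inside the "sackOK" TCP option is not matched.
ACK_RE = re.compile(r"\back \d+")


def parse_capture(text):
    """Yield one dict per packet line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def stalled_flows(text, min_syns=2):
    """Return {(src, sport, dst, dport): syn_count} for flows that sent at
    least min_syns bare SYNs and never saw a SYN/ACK in the reverse direction."""
    syns = defaultdict(int)
    answered = set()
    for p in parse_capture(text):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if "S" not in p["flags"]:
            continue
        if ACK_RE.search(p["rest"]):
            answered.add(rev)      # SYN/ACK: the reverse flow got its answer
        else:
            syns[fwd] += 1         # bare SYN from the initiator
    return {f: n for f, n in syns.items() if n >= min_syns and f not in answered}
```

Run the same function over the inside-interface capture and the outside-interface capture; a flow that is stalled on the inside and absent on the outside points at the firewall itself, which is what the asp-drop capture suggested later in the thread would then confirm.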

6 Replies

Hi,

Can you run two tests?

1. Disable FTP inspection and permit IP between those two IPs (just to check if the inspection is dropping the packets).
2. Is it passive or active FTP? Can you try both?

Federico.

Maykol Rojas
Cisco Employee

Hello Francisco,

Thanks for posting, can you do the same capture but with the keyword "trace" at the end of the capture? Also, can you paste the result of the packet tracer command?

Thanks.

Mike

Mike

Thanks for your reply.

@Maykol, right now I can't launch the capture, I'll do it tomorrow. I attach the output of packet tracer command.

@Federico, I'll disable the FTP inspection, and how can I try both types of FTP from the PC?

Thanks again

Francisco,

I was suggesting to disable the FTP inspection and open the required ports (or IP for that matter) to make sure the inspection is not dropping the FTP packets for some reason.

If you're using a browser for your FTP session, you can configure the browser for passive or active FTP.

The reason is that depending on the FTP mode, the behavior is different... i.e. using passive mode both connections are initiated from the client; using active mode, the data connection is initiated from the server.


Federico.

Hello,

If you try with the CMD it will be active; if you try with the web browser it will be passive. I think that since we see only SYN packets the connection won't be created, so trying different types of FTP won't make any difference.

When you set the capture, please set another capture of ASP drop,

capture asp type asp-drop all,

Check if any packets belong to the connection you are making. Also, if you can get the logs while the connection is being made, it would be great.

Thank you.

Mike,

Mike

Unbelievable but true, the FTP session now works and nobody configured anything new! The config is the same as yesterday.

I think I'll change my profession

Thanks for your support
