10-12-2010 11:55 PM - edited 03-11-2019 11:53 AM
I have a firewall ASA with version 8.0(4). Everything is working fine, but recently we started one project which involves uploading files to an FTP server located outside the network over the internet.
Other FTP services are working fine, but this FTP server requires port 6521, which I have opened, but still I am not able to connect. Only if I open the full IP address for a user can he connect and see the file listing on the servers, but opening TCP and UDP port 6521 is not working. I have attached the packet capture, which shows the connection is established on port 6521 but then dynamic port assignment is showing. I have also checked with inspect FTP and by disabling it, but no luck.
access-list acl-in extended permit tcp 192.168.51.0 255.255.255.0 host 111.121.249.247 eq 6521
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 30100
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 30000
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq ftp
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq ftp-data
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 6521
access-list acl-in extended permit tcp 192.168.88.0 255.255.255.0 host 111.121.249.247 eq 6521
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect ftp
Please let me know how to solve the problem. Your prompt help will be highly appreciated.
10-13-2010 12:07 AM
Hi,
The reason for that is because with "class-map inspection_default", inspection for FTP is done on TCP/21 only. To enable it on a different port like in our case TCP/6521, you will need to create another class-map matching that traffic and then perform inspection.
For example,
access-list FTP permit tcp any host 111.121.249.247 eq 6521
access-list FTP permit tcp host 111.121.249.247 eq 6521 any
class-map FTP
match access-list FTP
policy-map global_policy
class FTP
inspect ftp
To confirm if packets are being redirected and inspected, you can run a "show service-policy" and see counters incrementing. Let me know if this helps!!
Thanks and Regards,
Prapanch
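To see why a static ACL on TCP/6521 alone is not enough, and what the FTP inspection engine does on the control channel, here is an added example (not code from the thread or from Cisco): it parses a constructed FTP control-channel transcript, extracts the data-channel endpoints negotiated by PASV, EPSV and PORT, and lists the connections a fixed inside-to-outside ACL such as acl-in would never account for. The transcript, the client address 192.168.80.89 and the helper names are assumptions for illustration; the server address 111.121.249.247 and the control port 6521 are the ones from the thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed FTP control-channel transcript (client to server on TCP/6521).
# Made up for illustration; it is not the packet capture from the thread.
SAMPLE_CONTROL_CHANNEL = """\
220 FTP server ready
USER upload
331 Password required for upload
PASS ********
230 Login successful
PASV
227 Entering Passive Mode (111,121,249,247,117,100)
STOR report.csv
150 Opening BINARY mode data connection
226 Transfer complete
EPSV
229 Entering Extended Passive Mode (|||30100|)
PORT 192,168,80,89,195,81
200 PORT command successful
"""


@dataclass(frozen=True)
class DataChannel:
    mode: str            # "passive": client connects to server; "active": server connects to client
    host: Optional[str]  # address carried in the message; None for EPSV, which carries only a port
    port: int


# 227 reply: h1,h2,h3,h4,p1,p2 where the data port is p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply (extended passive): "(|||port|)", address is the control-channel peer
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")
# PORT command: the client tells the server where to connect back to
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _host_port(groups) -> tuple[str, int]:
    """Decode the six comma-separated numbers of PASV/PORT into (host, port)."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"malformed host/port tuple: {groups}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_data_channels(control_text: str) -> list[DataChannel]:
    """Walk the control channel and return every data channel it negotiates, in order."""
    channels: list[DataChannel] = []
    for raw in control_text.splitlines():
        line = raw.strip()
        if m := PASV_RE.match(line):
            host, port = _host_port(m.groups())
            channels.append(DataChannel("passive", host, port))
        elif m := EPSV_RE.match(line):
            channels.append(DataChannel("passive", None, int(m.group(1))))
        elif m := PORT_RE.match(line):
            host, port = _host_port(m.groups())
            channels.append(DataChannel("active", host, port))
    return channels


def pinholes_needed(channels: list[DataChannel], client_ip: str, server_ip: str) -> list[tuple[str, str, int]]:
    """(src, dst, dst_port) connections an inspection engine would have to permit on the fly."""
    holes = []
    for ch in channels:
        if ch.mode == "passive":
            holes.append((client_ip, ch.host or server_ip, ch.port))
        else:  # active: the server opens the connection back toward the client
            holes.append((server_ip, ch.host, ch.port))
    return holes


def uncovered_by_static_acl(pinholes, client_ip: str, permitted_outbound_ports: set[int]):
    """Pinholes a fixed inside-to-outside ACL (only these outbound ports, nothing inbound) does not allow."""
    return [h for h in pinholes if h[0] != client_ip or h[2] not in permitted_outbound_ports]


if __name__ == "__main__":
    chans = parse_data_channels(SAMPLE_CONTROL_CHANNEL)
    holes = pinholes_needed(chans, "192.168.80.89", "111.121.249.247")
    for h in uncovered_by_static_acl(holes, "192.168.80.89", {6521}):
        print("not covered by a static 6521 rule:", h)
```

Every data channel in the sample lands on a port that is only known after the control channel has been read, which is exactly why the ASA has to inspect TCP/6521 as FTP: with inspection on TCP/21 only, the control connection on 6521 is permitted by the ACL but nothing opens the data connections, and the client sees a login followed by a hanging directory listing.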
10-13-2010 01:36 AM
I configured the class-map but still no luck.
show access-list ftp-list
access-list ftp-list; 2 elements
access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=2) 0x4f2ddd4a
access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4
show access-list ftp-list
access-list ftp-list; 2 elements
access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=4) 0x4f2ddd4a
access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4
show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 74601620, drop 327772, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 44466, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 44643, drop 44643, reset-drop 0
Inspect: netbios, packet 375597, drop 0, reset-drop 0
Inspect: rsh, packet 44463, drop 0, reset-drop 0
Inspect: rtsp, packet 44486, drop 0, reset-drop 0
Inspect: skinny , packet 44466, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 446745675, drop 13344, reset-drop 0
Inspect: sunrpc, packet 68074, drop 0, reset-drop 0
Inspect: tftp, packet 22322, drop 22322, reset-drop 0
Inspect: sip , packet 66788, drop 0, reset-drop 0
Inspect: xdmcp, packet 22323, drop 22323, reset-drop 0
Inspect: pptp, packet 67131, drop 0, reset-drop 0
Inspect: ftp, packet 169532, drop 0, reset-drop 0
Class-map: ftp-class
Inspect: ftp, packet 33, drop 0, reset-drop 2
Class-map: class-default
Default Queueing
Set connection policy: drop 0
Set connection decrement-ttl
Please let me know how to solve it.
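Prapanch's advice above is to check "show service-policy" and watch the counters increment; the two snapshots just posted show the ftp-class counter moving and a non-zero reset-drop. As an added example (not from the thread or from Cisco), the script below parses two constructed snapshots in that output format, computes the per-class deltas, and flags inspect lines worth a closer look: a reset-drop greater than zero, or every inspected packet dropped. The snapshot contents and the function names are assumptions for illustration, modelled on the layout of the output in this thread.

```python
import re
from typing import Dict, Tuple

Key = Tuple[str, str]       # (class-map name, inspect label as printed, e.g. "dns preset_dns_map")
Counters = Dict[str, int]   # {"packet": n, "drop": n, "reset_drop": n}

# Constructed "show service-policy" snapshots with made-up numbers; not real device output.
SNAPSHOT_BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1000, drop 12, reset-drop 0
      Inspect: skinny , packet 50, drop 0, reset-drop 0
      Inspect: tftp, packet 40, drop 40, reset-drop 0
      Inspect: ftp, packet 500, drop 0, reset-drop 0
    Class-map: ftp-class
      Inspect: ftp, packet 33, drop 0, reset-drop 2
    Class-map: class-default
      Default Queueing
      Set connection policy: drop 0
      Set connection decrement-ttl
"""

SNAPSHOT_AFTER = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1010, drop 12, reset-drop 0
      Inspect: skinny , packet 50, drop 0, reset-drop 0
      Inspect: tftp, packet 40, drop 40, reset-drop 0
      Inspect: ftp, packet 500, drop 0, reset-drop 0
    Class-map: ftp-class
      Inspect: ftp, packet 36, drop 0, reset-drop 2
    Class-map: class-default
      Default Queueing
      Set connection policy: drop 0
      Set connection decrement-ttl
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
# The label may contain spaces ("h323 ras _default_h323_map") and a stray space before the comma ("skinny ,").
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(.+?)\s*,\s*packet\s+(\d+),\s*drop\s+(\d+),\s*reset-drop\s+(\d+)"
)


def parse_inspect_counters(text: str) -> Dict[Key, Counters]:
    """Map each (class-map, inspect label) to its packet/drop/reset-drop counters."""
    counters: Dict[Key, Counters] = {}
    current_class = None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current_class = m.group(1)
            continue
        m = INSPECT_RE.match(line)
        if m and current_class is not None:
            label, pkt, drop, rdrop = m.groups()
            counters[(current_class, label)] = {
                "packet": int(pkt), "drop": int(drop), "reset_drop": int(rdrop),
            }
    return counters


def counter_deltas(before: Dict[Key, Counters], after: Dict[Key, Counters]) -> Dict[Key, Counters]:
    """Per-key difference between two snapshots; keys missing from 'before' count from zero."""
    zero = {"packet": 0, "drop": 0, "reset_drop": 0}
    return {key: {k: cur[k] - before.get(key, zero)[k] for k in cur} for key, cur in after.items()}


def flag_for_review(counters: Dict[Key, Counters]):
    """Inspect lines a troubleshooter should look at: engine-issued resets, or 100% drops."""
    flags = []
    for (cls, label), c in sorted(counters.items()):
        if c["reset_drop"] > 0:
            flags.append((cls, label, f"reset-drop {c['reset_drop']} > 0"))
        if c["packet"] > 0 and c["drop"] == c["packet"]:
            flags.append((cls, label, f"all {c['packet']} inspected packets dropped"))
    return flags


if __name__ == "__main__":
    before = parse_inspect_counters(SNAPSHOT_BEFORE)
    after = parse_inspect_counters(SNAPSHOT_AFTER)
    for key, d in counter_deltas(before, after).items():
        if any(d.values()):
            print("incrementing:", key, d)
    for f in flag_for_review(after):
        print("review:", f)
```

A rising packet counter under ftp-class confirms the new class-map is catching the 6521 traffic, so the remaining question is what the engine objected to on the flows it reset, which is what the bidirectional capture requested later in the thread would answer.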
10-13-2010 08:06 AM
Hi Wasim,
Please run the following command to check how the ASA is inspecting the FTP requests from outside, with the configuration for non-standard FTP inspection suggested by Prapanch:
show service-policy flow tcp host 192.168.51.10 host 111.121.249.247 eq 6521
Cheers,
Rudresh V
10-13-2010 08:19 AM
Hi,
That's interesting. I can see packets being inspected as below:
Class-map: ftp-class
Inspect: ftp, packet 33, drop 0, reset-drop 2
Please post the output of "show service-policy inspect ftp". Also, if possible, please get the bidirectional captures.
Thanks and Regards,
Prapanch
10-14-2010 01:42 AM
Please see the output below.
show service-policy flow tcp host 192.168.80.89 host 111.121.249.247
Global policy:
Service-policy: global_policy
Class-map: ftp-class
Match: access-list ftp-list
Access rule: permit tcp any any eq 6521
Action:
Input flow: inspect ftp
Class-map: class-default
Match: any
Action:
Output flow: Input flow: set connection decrement-ttl
ENOCDC-FW01/Rack1# show service-policy inspect ftp
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
Class-map: ftp-class
Inspect: ftp, packet 36, drop 0, reset-drop 2
Please help me out how to fix this issue.
10-14-2010 06:45 AM
Hi,
As I had mentioned before, please get the bidirectional captures in .pcap format on the "inside" interface, that is, traffic from and to the server. To apply and gather captures in .pcap format, please refer to the document below:
https://supportforums.cisco.com/docs/DOC-1222
Regards,
Prapanch