FTP Problem in ASA (Urgent)

wasiimcisco
Level 1

I have an ASA firewall running version 8.0(4). Everything is working fine, but recently we started a project which involves uploading files to an FTP server located outside the network, over the internet.

Other FTP services are working fine, but this FTP server requires port 6521, which I have opened, and I am still not able to connect. Only if I open the full IP address for a user can he connect and see the file listing on the servers; opening TCP and UDP port 6521 alone is not working. I have attached the packet capture, which shows the connection is established on port 6521 but then dynamic port assignment is shown. I have also checked with inspect FTP enabled and with it disabled, but no luck.

access-list acl-in extended permit tcp 192.168.51.0 255.255.255.0 host 111.121.249.247 eq 6521
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 30100
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 30000
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq ftp
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq ftp-data
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 6521
access-list acl-in extended permit tcp 192.168.88.0 255.255.255.0 host 111.121.249.247 eq 6521 

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect pptp
  inspect ftp

Please let me know how to solve the problem. Your prompt help will be highly appreciated.

6 Replies

praprama
Cisco Employee

Hi,

The reason is that with the "class-map inspection_default", FTP inspection is done on TCP/21 only. To enable it on a different port, TCP/6521 in our case, you will need to create another class-map matching that traffic and then perform inspection on it.

For example,

access-list FTP permit tcp any host 111.121.249.247 eq 6521
access-list FTP permit tcp host 111.121.249.247 eq 6521 any

class-map FTP
 match access-list FTP

policy-map global_policy
 class FTP
  inspect ftp

To confirm if packets are being redirected and inspected, you can run a "show service-policy" and see counters incrementing. Let me know if this helps!!

Thanks and Regards,

Prapanch

I configured the class-map, but still no luck.

show access-list ftp-list
access-list ftp-list; 2 elements
access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=2) 0x4f2ddd4a
access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4

show access-list ftp-list
access-list ftp-list; 2 elements
access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=4) 0x4f2ddd4a
access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4

show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 74601620, drop 327772, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 44466, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 44643, drop 44643, reset-drop 0
      Inspect: netbios, packet 375597, drop 0, reset-drop 0
      Inspect: rsh, packet 44463, drop 0, reset-drop 0
      Inspect: rtsp, packet 44486, drop 0, reset-drop 0
      Inspect: skinny , packet 44466, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 446745675, drop 13344, reset-drop 0
      Inspect: sunrpc, packet 68074, drop 0, reset-drop 0
      Inspect: tftp, packet 22322, drop 22322, reset-drop 0
      Inspect: sip , packet 66788, drop 0, reset-drop 0
      Inspect: xdmcp, packet 22323, drop 22323, reset-drop 0
      Inspect: pptp, packet 67131, drop 0, reset-drop 0
      Inspect: ftp, packet 169532, drop 0, reset-drop 0

    Class-map: ftp-class
      Inspect: ftp, packet 33, drop 0, reset-drop 2

    Class-map: class-default

      Default Queueing
      Set connection policy:         drop 0
      Set connection decrement-ttl

Please let me know how to solve it.
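To follow Prapanch's advice of watching the counters increment, here is an added example (not from the thread, and not a Cisco tool) in Python that parses two "show service-policy" snapshots taken a few seconds apart, reports which inspect counters moved, and lists the engines that show reset-drops, which is what stands out in the ftp-class output above. The snapshot text is constructed in the ASA's output format; its numbers are made up.

```python
import re

# Added example (not from the thread): diff two "show service-policy" snapshots
# from an ASA to see which inspect counters moved. Snapshot text is constructed
# in the ASA's output format; the numbers are made up.
CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*(?P<engine>[^,]+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)"
)

def parse_service_policy(text):
    """Return {(class_map, engine): (packet, drop, reset_drop)} for each Inspect line."""
    counters, current_class = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current_class = m.group(1)
            continue
        m = INSPECT_RE.match(line)
        if m and current_class:
            counters[(current_class, m.group("engine"))] = (
                int(m.group("packet")), int(m.group("drop")), int(m.group("reset")))
    return counters

def counter_delta(before, after):
    """Growth of packet/drop/reset-drop per (class_map, engine); unchanged entries omitted."""
    delta = {}
    for key, (p1, d1, r1) in after.items():
        p0, d0, r0 = before.get(key, (0, 0, 0))
        if (p1, d1, r1) != (p0, d0, r0):
            delta[key] = (p1 - p0, d1 - d0, r1 - r0)
    return delta

def reset_drop_flags(counters):
    """Engines whose inspection has reset connections: the ones to chase in captures."""
    return sorted(key for key, (_, _, reset) in counters.items() if reset > 0)

# Constructed snapshots, a few seconds apart, in the format "show service-policy" prints.
SNAPSHOT_1 = """\
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1000, drop 10, reset-drop 0
      Inspect: ftp, packet 500, drop 0, reset-drop 0
    Class-map: ftp-class
      Inspect: ftp, packet 33, drop 0, reset-drop 2
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("packet 1000", "packet 1040").replace("packet 33", "packet 36")
```

Run `counter_delta(parse_service_policy(SNAPSHOT_1), parse_service_policy(SNAPSHOT_2))` to see only the ftp-class and dns counters move, while the default class's ftp counter stays flat, which is the sign that the non-standard port is being redirected to the new class.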

Hi Wasim,

Please run the following command to check how the ASA is inspecting the FTP requests from outside, with the configuration for non-standard FTP inspection suggested by Prapanch:

show service-policy flow tcp host 192.168.51.10 host 111.121.249.247 eq 6521 

Cheers,
Rudresh V

Hi,

That's interesting. I can see packets being inspected as below:

  Class-map: ftp-class
      Inspect: ftp, packet 33, drop 0,  reset-drop 2

Please post the output of "show service-policy inspect ftp". Also, if possible, please get the bidirectional captures.

Thanks and Regards,

Prapanch

Please see the output mentioned below.

show service-policy flow tcp host 192.168.80.89 host 111.121.249.247

Global policy:
  Service-policy: global_policy
    Class-map: ftp-class
      Match: access-list ftp-list
        Access rule: permit tcp any any eq 6521
      Action:
        Input flow:  inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow:        Input flow:  set connection decrement-ttl
ENOCDC-FW01/Rack1# show service-policy inspect ftp                 

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 0, drop 0, reset-drop 0
    Class-map: ftp-class
      Inspect: ftp, packet 36, drop 0, reset-drop 2

Please help me out how to fix this issue.

Hi,

As I had mentioned before, please get the bidirectional captures in .pcap format on the "inside" interface, that is, traffic from and to the server. To apply and gather captures in .pcap format, please refer to the document below:

https://supportforums.cisco.com/docs/DOC-1222

Regards,

Prapanch
