cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

399
Views
0
Helpful
2
Replies
muhammadusman77
Beginner

FTP problem through ASA 8.6

Dear Experts,

i am trying to connect to an FTP server which is placed at outside (internet) with a public IP. firewall is able to ping FTP public IP, but my system placed at inside interface of my firewall with gateway of inside ip of firewall  unable to communicate with FTP server.The moment i try to connect with FTP it just establish connection logged in and disconnect when retrieving directory. At the same time my PC without passing through firewall with another gateway is successfully logged upload and downloading file.

ASA setting is

ftp mode passive

inspect ftp

#:sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default

.

.

.


Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: ftp, packet 186, lock fail 0, drop 0, reset-drop 8

reset-drop start increasing when i try to reconnect with FTP.

Here is output of my FTP client:

Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Error: Disconnected from server: ECONNABORTED - Connection aborted
Error: Failed to retrieve directory listin

ASA syslog messages here:

6|May 31 2017 22:41:19|302013: Built outbound TCP connection 1734841 for outside:x.x.x.x/21 (x.x.x.x/21) to inside:172.20.1.127/63626 (210.56.16.106/63626)
6|May 31 2017 22:41:19|302014: Teardown TCP connection 1734817 for outside:x.x.x.x/21 to inside:172.20.1.127/63623 duration 0:00:17 bytes 429 TCP FINs
6|May 31 2017 22:41:24|302013: Built outbound TCP connection 1734848 for outside:x.x.x.x/21 (x.x.x.x/21) to inside:172.20.1.127/63627 (210.56.16.106/63627)
6|May 31 2017 22:41:24|302014: Teardown TCP connection 1734841 for outside:x.x.x.x/21 to inside:172.20.1.127/63626 duration 0:00:

 

2 REPLIES 2
Aditya Ganjoo
Cisco Employee

Hi,

Did you check by disabling ftp inspection and then test?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

aditya,

yes i already checked but same problem.