ftp through ASA stuck @ Opening data connection

born.jason (Level 1)

Hi,

I have a problem with an ASA when connecting from outside to an inside FTP server. The connection gets stuck at Opening data connection....

[R] 227 Entering Passive Mode (<external ip>,198,49).
[R] Opening data connection IP: <external ip> PORT: 50737
[R] QUIT
[R] 221  Have a nice day.
[R] Logged off: <external ip>

I have configured an ACL for FTP and FTP-DATA and activated the inspect rule.

Any suggestions?

Thanks and regards

Jason

22 Replies

manish arora (Level 6)

Can you please post the output of "sh service-policy inspect ftp"?

Also, are you using Port Forwarding NAT for your ftp server ?

Manish

Make sure to have "inspect ftp" under the "sh run policy-map" output. If not, please add it and try again.

conf t

policy-map global_policy

class inspection_default

  inspect ftp

-KS

Hi,

I'm not using port-forwarding NAT for this server. Here is the config for this:

ciscoasa# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
  inspect icmp error
  inspect ftp
class decrement-ttl-class
  set connection decrement-ttl
!

and here the NAT Rule and ACL:

nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns description ftp1

access-list global_access extended permit tcp any object obj-172.16.6.10 object-group vlan106-Services-ftp1

and in the service group vlan106-Services-ftp1 is the following:

object-group service vlan106-Services-ftp1 tcp
port-object eq ftp
port-object eq ftp-data

Is there a misconfig?

nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns

The above line is all you need.

Now can you try to remove it and add it like this?

conf t

no nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns

nat (vlan106,outside) 1 source static obj-172.16.6.10 obj-external_ip dns

Everything else looks good. Please check the logs and see what they say during the problem.

conf t

logging on

logging buffered 7

exit

sh logg | i 172.16.6.10

-KS

Hmmm, same situation.

It stops at opening data connection, and after 1-2 minutes the connection is established but with no folder content. And if I try to connect from the FTP server to another FTP server (it doesn't matter which; the same with any FTP server) I have the same situation and cannot establish a connection... password and user OK but no folder content...

Any suggestion, or do you need more information?

I need to see the logs, per my previous posting.

-KS

Here is the ASDM log; look at the bold lines....

6|Jan 11 2011|16:28:16|302013||60516|172.16.6.10|21|Built inbound TCP connection 28718781 for outside:/60516 (/60516) to Vlan106:172.16.6.10/21 (/21)
6|Jan 11 2011|16:27:57|302014||35091|172.16.6.10|56532|Teardown TCP connection 28718723 for outside:/35091 to Vlan106:172.16.6.10/56532 duration 0:00:21 bytes 0 Parent flow is closed
6|Jan 11 2011|16:27:57|302014||44914|172.16.6.10|21|Teardown TCP connection 28718703 for outside:/44914 to Vlan106:172.16.6.10/21 duration 0:00:43 bytes 507 Flow closed by inspection
4|Jan 11 2011|16:27:57|507003||44914|172.16.6.10|21|tcp flow from outside:/44914 to Vlan106:172.16.6.10/21 terminated by inspection engine, reason - inspector drop reset.
4|Jan 11 2011|16:27:57|406002|||||FTP port command different address: (192.168.5.10) to 172.16.6.10 on interface outside
6|Jan 11 2011|16:27:53|106015|172.16.6.10|21||28746|Deny TCP (no connection) from 172.16.6.10/21 to /28746 flags FIN PSH ACK  on interface Vlan106
6|Jan 11 2011|16:27:53|106015|172.16.6.10|21||28746|Deny TCP (no connection) from 172.16.6.10/21 to /28746 flags PSH ACK  on interface Vlan106
6|Jan 11 2011|16:27:45|302014||23620|172.16.6.10|56530|Teardown TCP connection 28718706 for outside:/23620 to Vlan106:172.16.6.10/56530 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 11 2011|16:27:36|302013||35091|172.16.6.10|56532|Built inbound TCP connection 28718723 for outside:/35091 (/35091) to Vlan106:172.16.6.10/56532 (/56532)
6|Jan 11 2011|16:27:15|302013||23620|172.16.6.10|56530|Built inbound TCP connection 28718706 for outside:/23620 (/23620) to Vlan106:172.16.6.10/56530 (/56530)
6|Jan 11 2011|16:27:13|302013||44914|172.16.6.10|21|Built inbound TCP connection 28718703 for outside:/44914 (/44914) to Vlan106:172.16.6.10/21 (/21)

This is what I see in the FTP client. It tries 2 times with passive mode and then changes to PORT mode (active mode?):

[R] 227 Entering Passive Mode (,220,210).
[R] Opening data connection IP: PORT: 56530
[R] Data Socket Error: Connection timed out
[R] List Error
[R] PASV
[R] 227 Entering Passive Mode (,220,212).
[R] Opening data connection IP: PORT: 56532
[R] Data Socket Error: Connection timed out
[R] List Error
[R] PASV mode failed, trying PORT  mode.
[R] Listening on PORT: 49734, Waiting for connection.
[R] PORT 192,168,5,10,194,70
[R] Connection lost:
[R] List Error
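The ASDM lines above are pipe-delimited (severity|date|time|message id|source|source port|destination|destination port|text). As an added example, not part of the original post and not Cisco code, here is a parser that pulls out the events where FTP inspection ended a flow and pairs each Built (302013) message with its Teardown (302014) reason. The sample lines are the ones posted above, with the outside source address left blank as the poster redacted it.

```python
"""Parse ASDM-style ASA syslog lines (severity|date|time|msg id|src|sport|
dst|dport|text) and pull out the events where FTP inspection closed a flow.

Added example for this thread, not Cisco code and not from the original
post. SAMPLE_LOG holds the lines posted in the thread, newest first as ASDM
shows them; the poster blanked the outside source address, so that field is
empty.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = [  # quoted from the thread, newest first
    "6|Jan 11 2011|16:28:16|302013||60516|172.16.6.10|21|Built inbound TCP connection 28718781 for outside:/60516 (/60516) to Vlan106:172.16.6.10/21 (/21)",
    "6|Jan 11 2011|16:27:57|302014||35091|172.16.6.10|56532|Teardown TCP connection 28718723 for outside:/35091 to Vlan106:172.16.6.10/56532 duration 0:00:21 bytes 0 Parent flow is closed",
    "6|Jan 11 2011|16:27:57|302014||44914|172.16.6.10|21|Teardown TCP connection 28718703 for outside:/44914 to Vlan106:172.16.6.10/21 duration 0:00:43 bytes 507 Flow closed by inspection",
    "4|Jan 11 2011|16:27:57|507003||44914|172.16.6.10|21|tcp flow from outside:/44914 to Vlan106:172.16.6.10/21 terminated by inspection engine, reason - inspector drop reset.",
    "4|Jan 11 2011|16:27:57|406002|||||FTP port command different address: (192.168.5.10) to 172.16.6.10 on interface outside",
    "6|Jan 11 2011|16:27:45|302014||23620|172.16.6.10|56530|Teardown TCP connection 28718706 for outside:/23620 to Vlan106:172.16.6.10/56530 duration 0:00:30 bytes 0 SYN Timeout",
    "6|Jan 11 2011|16:27:36|302013||35091|172.16.6.10|56532|Built inbound TCP connection 28718723 for outside:/35091 (/35091) to Vlan106:172.16.6.10/56532 (/56532)",
    "6|Jan 11 2011|16:27:15|302013||23620|172.16.6.10|56530|Built inbound TCP connection 28718706 for outside:/23620 (/23620) to Vlan106:172.16.6.10/56530 (/56530)",
    "6|Jan 11 2011|16:27:13|302013||44914|172.16.6.10|21|Built inbound TCP connection 28718703 for outside:/44914 (/44914) to Vlan106:172.16.6.10/21 (/21)",
]

# Message ids that mean the inspection engine itself rejected something.
INSPECTION_DROP_IDS = {"507003", "406002"}
CONN_ID_RE = re.compile(r"TCP connection (\d+)")
TEARDOWN_RE = re.compile(r"duration (\S+) bytes (\d+) (.+)$")


@dataclass
class AsaEvent:
    severity: int
    timestamp: str
    msg_id: str
    src: str
    sport: str
    dst: str
    dport: str
    text: str
    conn_id: Optional[str] = None


def parse_asdm_line(line: str) -> Optional[AsaEvent]:
    """Split one ASDM log line into its nine fields; None for non-matching lines."""
    parts = line.split("|", 8)
    if len(parts) != 9 or not parts[0].isdigit():
        return None
    sev, date, time_, msg_id, src, sport, dst, dport, text = parts
    m = CONN_ID_RE.search(text)
    return AsaEvent(int(sev), f"{date} {time_}", msg_id, src, sport, dst, dport,
                    text, m.group(1) if m else None)


def inspection_drops(events):
    """Events showing the FTP inspector terminating a flow: the 507003 reset,
    the 406002 reason, and 302014 teardowns whose reason is 'closed by inspection'."""
    return [e for e in events
            if e.msg_id in INSPECTION_DROP_IDS
            or (e.msg_id == "302014" and "closed by inspection" in e.text)]


def connection_lifetimes(events):
    """Pair Built (302013) with Teardown (302014) by connection id and record
    the duration, byte count and teardown reason of each connection."""
    table = {}
    for e in events:
        if e.conn_id is None or e.msg_id not in ("302013", "302014"):
            continue
        rec = table.setdefault(e.conn_id, {"dst": f"{e.dst}/{e.dport}", "built": None,
                                           "torn_down": None, "duration": None,
                                           "bytes": None, "reason": None})
        if e.msg_id == "302013":
            rec["built"] = e.timestamp
        else:
            rec["torn_down"] = e.timestamp
            m = TEARDOWN_RE.search(e.text)
            if m:
                rec["duration"], rec["bytes"], rec["reason"] = m.group(1), int(m.group(2)), m.group(3)
    return table


if __name__ == "__main__":
    events = [e for e in map(parse_asdm_line, SAMPLE_LOG) if e is not None]
    for e in inspection_drops(events):
        print(f"{e.timestamp} {e.msg_id}: {e.text}")
    for cid, rec in connection_lifetimes(events).items():
        print(cid, rec["dst"], rec["duration"], rec["bytes"], rec["reason"])
```

Run against the posted lines, the summary shows the control connection 28718703 to port 21 lived 43 seconds, carried 507 bytes and was closed by inspection in the same second as the 507003 reset and the 406002 message, while the two passive data connections (ports 56530 and 56532) never completed a handshake (SYN Timeout, 0 bytes).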

302014||44914|172.16.6.10|21|Teardown TCP connection 28718703 for outside:<external ip>/44914 to Vlan106:172.16.6.10/21 duration 0:00:43 bytes 507 Flow closed by inspection

507003||44914|172.16.6.10|21|tcp flow from outside:/44914 to Vlan106:172.16.6.10/21 terminated by inspection engine, reason - inspector drop reset.

406002|||||FTP port command different address: (192.168.5.10) to 172.16.6.10 on interface outside

Well it clearly says that inspection closed this flow.

I would download the FileZilla client and server and test with that. http://filezilla-project.org/
Active FTP - the client sends the PORT command and the server connects from source port 20 to this port.
Passive FTP - the server sends the port command, then the client opens a new connection to it.

-KS
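The active/passive summary above and the 406002 line in the log can be made concrete with a small decoder. This is an added example, not code from the thread, from Cisco, or from the FTP clients mentioned. It decodes the 227 PASV reply and the PORT command tuples quoted earlier (port = p1*256 + p2) and applies the address-consistency check that the ASA reports as 406002: the address a client advertises in PORT has to be the address its control connection came from, and a client behind NAT that advertises its private LAN address fails it. The same check is what produces the message quoted later in the thread for VLAN 109. CONTROL_PEER (203.0.113.7) is a constructed placeholder for the client's public address.

```python
"""Decode the FTP PORT command and the 227 PASV reply, and apply the
address-consistency check a stateful FTP inspector performs on PORT.

Added example for this thread, not Cisco code and not from the original
posts. The client-log lines below are the ones quoted in the thread (the
poster redacted the address in the PASV replies); CONTROL_PEER is a
constructed placeholder for the public address the control connection
came from.
"""
import re
from ipaddress import ip_address

# Lines quoted from the thread's FTP client log (address redacted by the poster).
CLIENT_LOG = [
    "[R] 227 Entering Passive Mode (,220,210).",
    "[R] Opening data connection IP: PORT: 56530",
    "[R] Data Socket Error: Connection timed out",
    "[R] 227 Entering Passive Mode (,220,212).",
    "[R] PASV mode failed, trying PORT  mode.",
    "[R] Listening on PORT: 49734, Waiting for connection.",
    "[R] PORT 192,168,5,10,194,70",
]
CONTROL_PEER = "203.0.113.7"  # constructed: public source address of the control session


def _is_octet(s: str) -> bool:
    return s.isdigit() and 0 <= int(s) <= 255


def parse_pasv(reply: str):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply. host is None when the four host octets are missing or redacted;
    port is p1*256 + p2. Returns None if the reply is not a usable 227."""
    m = re.search(r"\b227\b.*?\(([^)]*)\)", reply)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) < 2 or not (_is_octet(parts[-2]) and _is_octet(parts[-1])):
        return None
    octets = parts[:-2]
    host = ".".join(octets) if len(octets) == 4 and all(map(_is_octet, octets)) else None
    return host, int(parts[-2]) * 256 + int(parts[-1])


def parse_port(cmd: str):
    """Return (host, port) from 'PORT h1,h2,h3,h4,p1,p2', or None if malformed."""
    m = re.match(r"\s*PORT\s+([\d,]+)\s*$", cmd, re.IGNORECASE)
    if not m:
        return None
    parts = m.group(1).split(",")
    if len(parts) != 6 or not all(map(_is_octet, parts)):
        return None
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])


def check_port_command(cmd: str, control_peer: str):
    """The check behind ASA message 406002: the address the client puts in
    PORT must equal the address the control connection came from. A client
    behind NAT that advertises its private LAN address fails this check.
    Returns (accepted, explanation)."""
    parsed = parse_port(cmd)
    if parsed is None:
        return False, "malformed PORT command"
    host, port = parsed
    if ip_address(host) != ip_address(control_peer):
        why = " (a private address, typical of a client behind NAT)" if ip_address(host).is_private else ""
        return False, f"PORT address {host}{why} differs from control peer {control_peer}"
    return True, f"server may open the data connection to {host}:{port}"


def analyse(lines, control_peer):
    """Walk a client log and decode every PASV reply and PORT command in it."""
    results = []
    for line in lines:
        msg = line[4:] if line.startswith("[R] ") else line
        if msg.startswith("227"):
            results.append(("PASV", parse_pasv(msg)))
        elif msg.upper().startswith("PORT "):
            results.append(("PORT", check_port_command(msg, control_peer)))
    return results


if __name__ == "__main__":
    for kind, outcome in analyse(CLIENT_LOG, CONTROL_PEER):
        print(kind, outcome)
```

On the quoted log the two PASV replies decode to ports 56530 and 56532, the same ports the ASA built (and SYN-timed-out) data connections to, and the PORT command decodes to 192.168.5.10:49734, which does not match the public address the control session arrived from, so the check rejects it exactly as the 406002 line reports.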

Hmmm, but I've tested different FTP servers from the inside, all the same..... hmmm hmmm

Do you mean I should set up a new FTP server inside, NAT it to outside and test with the FileZilla client from outside?

It doesn't matter: client on the inside or outside.

A client on the inside makes more sense, because you don't have to configure a static translation.

Use two laptops and install filezilla server on one and client on the other.

Let me know.

-KS

If I try to connect from an inside host to the FTP server it works.

If I, for example, give my laptop an external IP, start an FTP server on the laptop and connect from outside to THIS FTP server, it works fine, without problems.

The only differences between the inside FTP servers are the IP range and VLAN and the type of FTP server: one 2008 IIS FTP and one Win7 FileZilla Server.

Any suggestions?

So FileZilla works fine as an FTP server on the inside.

When you use Microsoft 2008 IIS ftp server on the inside it fails.

Can you ftp to this same IIS ftp server from another inside host? Does this work? If not I'd reach out to Microsoft.

This has nothing to do with the IP range according to what the logs show.  FTP inspection did not like something in the packet that it saw.

To troubleshoot this further I'd suggest opening a TAC case with us. We would need the following:

1. captures taken on the inside and outside of the firewall while accessing this IIS FTP server.

2. syslogs (debug level from the time of testing)

3. Wireshark captures taken on the IIS server itself

All of the above have to be taken simultaneously.

-KS

I have no service contract to open a TAC case.

I will explain the network:

ASA Inside Host:

192.168.100.10 (FileZilla FTP server with NATed external IP) -> if I connect from outside to this FTP server, everything works fine. If I connect from this inside host to an outside FTP server, the connection gets stuck (data connection could not be opened, no folder content).

ASA Subinterface (Vlan 106 172.16.6.0/24) Host:

172.16.6.10 (IIS FTP server with NATed external IP) - if I connect from outside to this server, the connection gets stuck. If I connect from this inside host to an outside FTP server, the connection gets stuck (data connection could not be opened, no folder content).

ASA Subinterface (Vlan 109 172.16.9.0/24) Host:

172.16.9.10 (FileZilla FTP server with NATed external IP) - if I connect from outside to this FTP server, everything works fine. If I connect from this inside host to an outside FTP server, the connection gets stuck (data connection could not be opened, no folder content).

Does this make sense?

Could I send the running config as a PM? I don't want to publish the config because of privacy....

If I connect from inside (vlan 109) to an outside FTP server, the ASA log says:

tcp flow from Vlan109:172.16.9.10/1218 to outside:/21 terminated by inspection engine, reason - inspector drop reset.

FTP port command different address: (192.168.5.10 <- this is the IP of my external home client where the FTP server is running) to 172.16.9.10 on interface outside

What does that mean and how can I solve this?
