ftp through ASA stuck @ Opening data connection

born.jason
Level 1

Hi,

I have a problem with an ASA and connecting from outside to an inside FTP server. The connection is stuck at Opening data connection....

[R] 227 Entering Passive Mode (<external ip>,198,49).
[R] Opening data connection IP: <external ip> PORT: 50737
[R] QUIT
[R] 221  Have a nice day.
[R] Logged off: <external ip>

I have configured an ACL for FTP and FTP-DATA and activated the inspect rule.

Any suggestions?

Thanks and regards

Jason

22 Replies

Here is the link for the syslog that you are seeing:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4773005

I believe you are running into a known issue:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk24509

What code are you running on this ASA?

Post the output of

sh run policy-map

sh run service-policy

sh service-policy flow tcp host 172.16.9.10 host external ftp server eq 21

-KS

I'm running ASA 8.3(1)

sh run policy:
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
  inspect icmp error
  inspect dns
  inspect ftp
!

sh run service-policy
service-policy global_policy global

sh service-policy flow tcp host 172.16.9.10 host external ftp server eq 21

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow:  inspect ftp
    Class-map: class-default
      Match: any
      Action:

Hello,

Sorry. I just saw the config that you sent over.

You are using global access-list as well as interface acl. Auto nat and manual nat. Object-groups in the global ACL.  It makes it very hard to read the config. Being on the box makes our life a lot easier.

Inside Host: 192.168.x.10 - outbound breaks - inbound works  - I don't see a translation for it. Not sure how inbound works.

Vlan 106  Host:172.16.6.10   - outbound breaks - inbound breaks (sub-interface)

Vlan 109  Host:172.16.9.10   - outbound breaks - inbound works (sub-interface)

You did all the above tests with filezilla?

The configuration looks correct. Like I mentioned previously this will be a very involved troubleshooting.

If you do not have smartnet, I suggest purchasing a single case. It is worth it.

This is a good reason why you should purchase smartnet.

We would have to spend a few hours on the box, gathering all that I had mentioned before.

-KS

Ok, what is best practice? Only ACL configs on global, or better on the interface? The same for NAT. I mean I test some things and sometimes it works with auto NAT and sometimes with manual NAT; that's why I use both.

Hi Sankar,

I don't know if you are able to assist, as I am having a similar issue.

I had issues in the past connecting to external FTP sites, so I created an inspection rule on my WAN interfaces and asked any staff trying to connect to any FTP site to send me the IP address so I can add it under the inspection rule, and this has always worked for me.

I had to do this because we also have ftp sites internally that people try to connect to from outside too.

But lately, I have done this for an external FTP site and it connects but doesn't list directories.

The log message is

terminated by inspection engine,reason -inspector drop reset.

Below is the internal host trying to connect to the ftp server service policy command output :

External ftp server is 81.144.145.6.

# sh service-policy flow tcp host x.x.x.x host 81.144.145.6 eq ftp

Global policy:
  Service-policy: global_policy
    Class-map: cmap
      Match: access-list TCP
        Access rule: permit tcp any any
      Action:
        Input flow:  set connection advanced-options tmap
    Class-map: netflow-export-class
      Match: access-list netflow-export
        Access rule: permit ip any any
      Action:
        Output flow:  flow-export event-type all destination 10.120.3.226 10.120.16.220
    Class-map: class-default
      Match: any
      Action:
        Output flow:

Interface MAN_CORE_TO_WAN:
  Service-policy: STV_IPS_POLICY
    Class-map: STV_IPS_CLASS
      Match: access-list STV_IPS_ACL
        Access rule: permit ip any host 81.144.145.6
      Match: default-inspection-traffic
      Action:
        Input flow:  inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow:

Interface MAN_CORE_TO_WAN_ELXSI:
  Service-policy: STV_IPS_POLICY
    Class-map: STV_IPS_CLASS
      Match: access-list STV_IPS_ACL
        Access rule: permit ip any host 81.144.145.6
      Match: default-inspection-traffic
      Action:
        Input flow:  inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow:

Interface MAN_CORE-TO-WAN-THUS:
  Service-policy: STV_IPS_POLICY
    Class-map: STV_IPS_CLASS
      Match: access-list STV_IPS_ACL
        Access rule: permit ip any host 81.144.145.6
      Match: default-inspection-traffic
      Action:
        Input flow:  inspect ftp
    Class-map: class-default
      Match: any
      Action:

I just can't understand why it has worked for tens of external FTP sites and it doesn't work for this particular one.

Cheers

Hmm...the flow does go through the inspection and the inspection doesn't seem to like something in the packet. Without looking at captures ingress to egress it is hard to say why ftp inspection doesn't like something within the packets.

See if you can translate the source to look like some other IP address and see if it can reach the FTP server on the outside and list directories.

Besides that, best option is to open a TAC case as this troubleshooting will be a very involved one.

-KS

Thanks KS,

Sorted it by just changing the Transfer mode on the FileZilla FTP client to Active, and I can now list directories.

Regards.

Chris Hurst
Level 1

I had the same issue, and likewise mine worked in active mode. Since it is preferable to have it in passive mode, here is what I found fixed my problem. This is only applicable to FTP servers behind NAT on a firewall that supports FTP inspection.

1. Verify that port tcp 20 & tcp 21 are NATd to server and access list allows them.

2. Verify FTP inspection is running with default inspection map

3. Verify settings on FTP server are configured for a specific custom port range (I used 50000-51000, but you don't usually need any more than # of clients x 2). With inspection enabled, these do NOT need to have NAT rules forwarding them to the server.

4. The "External Server IP Address for passive mode transfers" should be manually set to the INTERNAL IP address of the server, not the external address you are translating from. This is due to the way that connection information is handled within the packets for an FTP session.

This is verified to work with Filezilla version 0.9.41 Beta
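The mechanism behind Jason's log line "227 Entering Passive Mode (<external ip>,198,49)" / "PORT: 50737" and behind step 4 above is that the server embeds its own address and data port inside the 227 reply, and the ASA's FTP inspection rewrites that address and opens the data port. The following checker is an added example, not code from the thread or from Cisco: it parses a 227 reply the way a client does (port = p1*256 + p2) and reports the two conditions that leave a client stuck at "Opening data connection": an unrewritten internal address, or a data port outside the passive range the server and firewall were set up for (50000-51000 from step 3). The sample replies are constructed, and 203.0.113.10 is a placeholder for the external NAT address.

```python
import ipaddress
import re

# RFC 959 format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(r"^227\D*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, control_peer_ip, passive_range=(50000, 51000)):
    """Diagnose a passive data connection from the 227 reply the client saw.

    control_peer_ip is the address the client opened the control channel to
    (the server's NATed external address). passive_range is the port range
    configured on the server and allowed through the firewall.
    Returns (advertised_ip, data_port, list_of_problems)."""
    ip, port = parse_pasv(reply)
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append(f"227 advertises internal address {ip}: inspection did not rewrite it")
    elif ip != control_peer_ip:
        problems.append(f"227 advertises {ip} but control channel peer is {control_peer_ip}")
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the passive range {lo}-{hi}")
    return ip, port, problems


if __name__ == "__main__":
    # Constructed samples; 203.0.113.10 stands in for the thread's <external ip>.
    for reply in ("227 Entering Passive Mode (203,0,113,10,198,49).",
                  "227 Entering Passive Mode (192,168,1,10,198,49).",
                  "227 Entering Passive Mode (203,0,113,10,4,1)."):
        print(reply, "->", check_pasv(reply, "203.0.113.10"))
```

Run it against the 227 line captured from a stuck client (FileZilla shows it verbatim in its message log) together with the address the client connected to; an empty problem list points the investigation at ACL or NAT for the data port rather than at the reply itself.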
