01-10-2011 01:34 PM - edited 03-11-2019 12:33 PM
Hi,
I have a problem with an ASA when connecting from outside to an inside FTP server. The connection gets stuck at Opening data connection....
[R] 227 Entering Passive Mode (<external ip>,198,49).
[R] Opening data connection IP: <external ip> PORT: 50737
[R] QUIT
[R] 221 Have a nice day.
[R] Logged off: <external ip>
I have configured an ACL for FTP and FTP-DATA and activated the inspect rule.
Any suggestions?
Thanks and regards
Jason
01-10-2011 02:30 PM
Can you please post sh service policy inspect ftp ?
Also, are you using Port Forwarding NAT for your ftp server ?
Manish
01-10-2011 04:40 PM
Make sure to have "inspect ftp" under the "sh run policy-map" output. If not pls. add it and try again.
conf t
policy-map global_policy
class inspection_default
inspect ftp
-KS
01-11-2011 04:47 AM
Hi,
I'm not using port forwarding NAT for this server. Here is the config for this:
ciscoasa# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
inspect icmp error
inspect ftp
class decrement-ttl-class
set connection decrement-ttl
!
and here are the NAT rule and ACL:
nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns description ftp1
access-list global_access extended permit tcp any object obj-172.16.6.10 object-group vlan106-Services-ftp1
and in the service group vlan106-Services-ftp1 is the following:
object-group service vlan106-Services-ftp1 tcp
port-object eq ftp
port-object eq ftp-data
Is there a misconfig?
01-11-2011 05:07 AM
nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns
The above line is all you need.
Now can you try to remove it and add it like this?
conf t
no nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns
nat (vlan106,outside) 1 source static obj-172.16.6.10 obj-external_ip dns
Everything else looks good. Pls. check the logs and see what that says during the problem.
conf t
logging on
logging buffered 7
exit
sh logg | i 172.16.6.10
-KS
01-11-2011 07:09 AM
Hmmm, same situation.
It stops at opening data connection and after 1-2 minutes the connection is established but with no folder content. And if I try to connect from the FTP server to another FTP server (it doesn't matter which FTP, the same with any FTP server) I have the same situation and cannot establish a connection... password and user OK but no folder content...
Any suggestion or do you need more information?
01-11-2011 07:12 AM
Need to see the logs per my previous posting.
-KS
01-11-2011 07:34 AM
Here is the ASDM log, look at the bold....
6|Jan 11 2011|16:28:16|302013|
6|Jan 11 2011|16:27:57|302014|
6|Jan 11 2011|16:27:57|302014|
4|Jan 11 2011|16:27:57|507003|
4|Jan 11 2011|16:27:57|406002|||||FTP port command different address:
6|Jan 11 2011|16:27:53|106015|172.16.6.10|21|
6|Jan 11 2011|16:27:53|106015|172.16.6.10|21|
6|Jan 11 2011|16:27:45|302014|
6|Jan 11 2011|16:27:36|302013|
6|Jan 11 2011|16:27:15|302013|
6|Jan 11 2011|16:27:13|302013|
This is what I see in the FTP client. It tries 2 times with passive mode and then changes to PORT mode (active mode?):
[R] 227 Entering Passive Mode (
[R] Opening data connection IP:
[R] Data Socket Error: Connection timed out
[R] List Error
[R] PASV
[R] 227 Entering Passive Mode (
[R] Opening data connection IP:
[R] Data Socket Error: Connection timed out
[R] List Error
[R] PASV mode failed, trying PORT mode.
[R] Listening on PORT: 49734, Waiting for connection.
[R] PORT 192,168,5,10,194,70
[R] Connection lost:
[R] List Error
01-11-2011 07:54 AM
302014||44914|172.16.6.10|21|Teardown TCP connection 28718703 for outside: ip>/44914 to Vlan106:172.16.6.10/21 duration 0:00:43 bytes 507 Flow closed by inspection*
507003||44914|172.16.6.10|21|tcp flow from outside: /44914 to Vlan106:172.16.6.10/21 terminated by inspection engine, reason - inspector drop reset.*
406002|||||FTP port command different address:(192.168.5.10) to 172.16.6.10 on interface outside*
Well, it clearly says that inspection closed this flow.
I would download the FileZilla client and server and test with that. http://filezilla-project.org/
active ftp - client sends the port command and server sources from port 20 to this port.
passive ftp - server sends the port command and the client opens a new connection to it.
-KS
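The check behind the 406002 message in the quoted log, as an added example that is not from this thread or from Cisco: parse the h1,h2,h3,h4,p1,p2 tuple of a PORT command or a 227 PASV reply and compare the announced address with the peer of the control connection, which is what ASA FTP inspection does before it resets the flow. The 203.0.113.x addresses are constructed placeholders for the external IP the posts redacted.

```python
import re

# Constructed samples modelled on the thread; 203.0.113.x stands in for the
# redacted external IP.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,198,49)"
PORT_CMD = "PORT 192,168,5,10,194,70"

# h1,h2,h3,h4,p1,p2 is the format used by both PORT and the 227 reply (RFC 959)
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) announced in a PORT command or a 227 PASV reply.
    The port is p1 * 256 + p2, e.g. 198,49 -> 50737 as in the first post."""
    m = _TUPLE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError("value out of range in %r" % text)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def _is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def check_data_channel(text, control_peer_ip):
    """Apply the rule behind ASA syslog 406002 'FTP port command different
    address': the data-channel address announced on the control channel must
    equal the address of the peer that sent it. Returns (ok, reason)."""
    ip, port = parse_hostport(text)
    if ip != control_peer_ip:
        hint = ""
        if _is_rfc1918(ip) and not _is_rfc1918(control_peer_ip):
            # Typical when the sender sits behind NAT that has no FTP fixup
            hint = " (RFC1918 address announced from a public peer)"
        return False, "announced %s:%d but control peer is %s%s" % (
            ip, port, control_peer_ip, hint)
    return True, "announced %s:%d matches control peer" % (ip, port)


if __name__ == "__main__":
    # The PORT line from the thread arriving from a constructed public peer:
    # the case inspection dropped.
    print(check_data_channel(PORT_CMD, "203.0.113.77"))
    # PASV reply already rewritten to the external IP: passes.
    print(check_data_channel(PASV_REPLY, "203.0.113.5"))
```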
01-11-2011 08:06 AM
Hmmm, but I've tested different FTP servers from the inside, all the same..... hmmm hmmm
Do you mean I should set up a new FTP server inside, NAT it to outside and test with the FileZilla client from outside?
01-11-2011 08:56 AM
It doesn't matter. Client on the inside or outside.
Client on the inside makes more sense, because you don't have to configure static translation.
Use two laptops and install FileZilla server on one and client on the other.
Let me know.
-KS
01-12-2011 02:19 AM
If I try to connect from an inside host to the FTP server it works.
If I try, for example, to give my laptop an external IP, start an FTP server on the laptop and connect from outside to THIS FTP server, it works fine, without problems.
The only differences between the inside FTP servers are the IP range and VLAN and the type of FTP server: one 2008 IIS FTP and one Win7 FileZilla Server.
Any suggestions?
01-12-2011 05:21 AM
So FileZilla works fine as an FTP server on the inside.
When you use Microsoft 2008 IIS FTP server on the inside it fails.
Can you ftp to this same IIS ftp server from another inside host? Does this work? If not I'd reach out to Microsoft.
This has nothing to do with the IP range according to what the logs show. FTP inspection did not like something in the packet that it saw.
To troubleshoot this further I'd suggest opening a TAC case with us. We would need the following:
1. captures taken on the inside and outside of the firewall while accessing this IIS FTP server.
2. syslogs (debug level from the time of testing)
3. Wireshark captures taken on the IIS server itself
All of the above have to be taken simultaneously.
-KS
01-12-2011 06:09 AM
I have no service contract to open a TAC case.
I will explain the network:
ASA Inside Host:
192.168.100.10 (FileZilla FTP Server with NATted external IP) -> if I connect from outside to this FTP server everything works fine. If I connect from the inside host to an outside FTP, the connection gets stuck. (data connection could not be opened, no folder content)
ASA Subinterface (Vlan 106 172.16.6.0/24) Host:
172.16.6.10 (IIS FTP Server with NATted external IP) - if I connect from outside to this server the connection gets stuck. If I connect from the inside host to an outside FTP, the connection gets stuck. (data connection could not be opened, no folder content)
ASA Subinterface (Vlan 109 172.16.9.0/24) Host:
172.16.9.10 (FileZilla FTP Server with NATted external IP) - if I connect from outside to this FTP server everything works fine. If I connect from the inside host to an outside FTP, the connection gets stuck. (data connection could not be opened, no folder content)
Does this make sense?
Could I send the running config as a PM? I don't want to publish the config because of privacy....
01-12-2011 06:26 AM
If I connect from inside (Vlan 109) to an outside FTP server, the ASA log says:
tcp flow from Vlan109:172.16.9.10/1218 to outside:
FTP port command different address:
What does that mean and how can I solve this?