09-28-2011 06:04 AM - edited 03-11-2019 02:31 PM
I am hoping this is a simple thing I am missing. Here is my scenario: We want to allow customers to send and receive FTP files to us.
For my testing I am accessing the FTP server from my house:
With the configuration below I am able to use WinSCP to connect to the FTP server using the external IP.
If I use Internet Explorer with the URL: ftp://public IP it does not work.
While on the server at the office:
I can only access the FTP server with Internet Explorer using the internal (private) IP address. I get the same error as I do at home when trying to use the public IP.
WinSCP works fine using either IP public or private.
The reason we want to be able to access files through Internet Explorer is for the case where the customer only needs to download the file. They will have to find another option to upload.
Regards,
Patrick
Current configuration:
ASA Version 8.2(1)
!
hostname yyz2201
domain-name yahoo.local
names
name 10.0.0.2 Server description Server 1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.237 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server Server
domain-name yahoo.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWPING
icmp-object echo
icmp-object time-exceeded
icmp-object echo-reply
icmp-object traceroute
icmp-object source-quench
icmp-object unreachable
object-group network server1
access-list 10 extended permit ip any any
access-list 10 extended permit icmp any any
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in extended permit tcp any interface outside eq 978
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
nat (outside) 1 192.168.30.0 255.255.255.0
static (inside,outside) tcp interface 978 Server 978 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
static (inside,outside) tcp interface ssh Server ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data Server ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl 10
webvpn
svc ask none default svc
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns Server 8.8.8.8
!
dhcpd address 10.0.0.30-10.0.0.60 inside
dhcpd dns Server 8.8.8.8 interface inside
dhcpd domain yahoo.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 8008
enable inside
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server value 10.0.0.2
dns-server value 10.0.0.2
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value yahoo.local
address-pools value SSLClientPoolNew
webvpn
svc keep-installer installed
svc rekey time 180
svc rekey method ssl
svc modules value vpngina
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47c3e51cda4a5b34f3d378dc81007b7e
: end
09-28-2011 02:34 PM
You can try this, see if it helps:
How to change the Internet Explorer FTP Client mode
Internet Explorer behaves as a Standard mode FTP client if you select the "Enable folder view for FTP sites" check box, even if you also select the "Use Passive FTP" check box. If you clear the "Enable folder view for FTP sites" check box and then select the "Use Passive FTP" check box, Internet Explorer behaves as a Passive mode FTP client.
You can read the whole thing here: http://support.microsoft.com/kb/323446
It explains potential issues with using IE as an FTP client.
09-28-2011 05:28 PM
Not sure if your solution fixed 100%, but it got me thinking a little more and I now have it working. If someone else comes across this issue I hope this helps.
This is what I thought was going to be the solution, but I already had a service-policy, so I had to add to my existing policy-map.
Here is the code I found:
class-map inspection_default
match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
!
service-policy asa_global_fw_policy global
Code I had to modify:
policy-map global_policy
class inspection_default
inspect ftp
My service-policy was already in place.
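Added worked example (not from the thread or from Cisco): a simplified Python model of what `inspect ftp` does to a passive-mode data-connection reply crossing (inside,outside), using the server address 10.0.0.2 and outside interface 2.2.2.237 from the configuration above. The 227 reply and the PAT port are constructed values, and the rewriting logic is a teaching approximation of the ASA's behaviour, not its implementation.

```python
import re
from ipaddress import ip_address

# Constructed from the thread's configuration: FTP server 10.0.0.2 is
# published on the ASA's outside interface 2.2.2.237 (static PAT, port 21).
INSIDE_SERVER = "10.0.0.2"
OUTSIDE_IF = "2.2.2.237"

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return the (ip, port) a client will dial after a 227 PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip, port):
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), port // 256, port % 256)


def inspect_ftp(reply, inside_ip=INSIDE_SERVER, outside_ip=OUTSIDE_IF,
                pat_port=None):
    """Simplified model of 'inspect ftp' on a reply crossing (inside,outside).

    If the embedded address is the translated server, rewrite it to the
    outside interface address (and to pat_port when the firewall has to
    allocate a new PAT port for the data connection; the caller picks it
    here). Anything else, including non-227 replies, passes through as-is."""
    if not reply.startswith("227"):
        return reply
    ip, port = parse_pasv(reply)
    if ip != inside_ip:
        return reply
    return format_pasv(outside_ip, pat_port if pat_port is not None else port)


def reachable_from_internet(reply):
    """Check a customer's FTP client would apply: is the embedded address
    globally routable? A private address here means NAT leaked through."""
    ip, _ = parse_pasv(reply)
    return not ip_address(ip).is_private


if __name__ == "__main__":
    raw = "227 Entering Passive Mode (10,0,0,2,195,80)"   # constructed reply
    print(parse_pasv(raw), reachable_from_internet(raw))  # ('10.0.0.2', 50000) False
    fixed = inspect_ftp(raw, pat_port=1024)
    print(fixed, reachable_from_internet(fixed))
```

Without inspection the customer's client is told to open its data connection to 10.0.0.2, which is unreachable from the Internet; with inspection it is pointed at the outside interface, which is why the IE case only started working once `inspect ftp` was in the policy-map.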