02-11-2011 07:26 AM - edited 03-11-2019 12:49 PM
I am trying to NAT my FTP to the outside. I can't get to that IP. Am I missing something? I have FTP allowed in access rules.
For NAT
static NAT
inside - to the internal IP
Outside - external IP
I can ping the server from firewall internally. What else can I do to test?
02-15-2011 07:25 AM
Yes, for example:
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
02-16-2011 06:59 AM
The inspect ftp command is not working. Can I just add it through the GUI interface?
02-16-2011 07:04 AM
What do you mean it is not working? Is it not configured?
If it is not configured then you can add it by CLI or GUI under the global policy.
02-16-2011 09:39 AM
Reply: 220 Microsoft FTP Service
Command: CLNT http://ftptest.net on behalf of 63.61..x.x
Reply: 500 'CLNT http://ftptest.net on behalf of 63.61.x.x: command not understood
Command: USER anonymous
Reply: 331 access allowed, send identity (e-mail name) as password.
Command: PASS **********************
Reply: 230 user logged in.
Command: SYST
Reply: 215 Windows_NT
Command: FEAT
Reply: 211-FEAT
Reply: SIZE
Error: FEAT response lines must begin with a single space character
Error when typing in command for FTP....
The first two lines work, but the last one, "inspect FTP", does not work...
02-16-2011 07:34 PM
I don't think the problem is with the inspect. The FTP FEAT command is entered successfully but the responses are not. You can check the show service-policy and check if the inspect ftp has drops:
ASA-1# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 672, drop 0, reset-drop 0
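One way to automate the counter check suggested in the reply above, as an added example that is not part of the original thread: it parses `show service-policy` text and lists FTP inspection entries whose drop counters are non-zero. The first class-map in the sample is the output quoted in the thread; the second class-map and its counters are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the first five lines are the output quoted in the thread;
# the second class-map and its counters are made up to show the drop case.
SAMPLE = """\
ASA-1# sh service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 672, drop 0, reset-drop 0
    Class-map: example_class
      Inspect: ftp, packet 40, drop 3, reset-drop 1
"""

INSPECT_RE = re.compile(r"^\s*Inspect:\s*(?P<engine>[^,]+),(?P<counters>.*)$")
COUNTER_RE = re.compile(r"([A-Za-z0-9-]+)\s+(\d+)")  # e.g. "reset-drop 0"


def parse_service_policy(text):
    """Return one dict per 'Inspect:' line, tagged with its policy and class-map."""
    records, policy, class_map = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Service-policy:"):
            policy = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Class-map:"):
            class_map = stripped.split(":", 1)[1].strip()
        else:
            m = INSPECT_RE.match(line)
            if m:
                counters = {k: int(v) for k, v in COUNTER_RE.findall(m.group("counters"))}
                records.append({"policy": policy, "class_map": class_map,
                                "engine": m.group("engine").strip(), **counters})
    return records


def engines_with_drops(records, engine="ftp"):
    """Records for the given engine whose drop or reset-drop counter is non-zero."""
    return [r for r in records
            if r["engine"] == engine and (r.get("drop", 0) or r.get("reset-drop", 0))]


if __name__ == "__main__":
    parsed = parse_service_policy(SAMPLE)
    for rec in parsed:
        print(rec)
    print("FTP inspection entries with drops:", engines_with_drops(parsed))
```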
02-18-2011 05:51 AM
I can get to where I go to the external address and I get a login box. However, when I type in the password it times out now. Looking at the log on the FTP server, the account is logging in.
02-14-2011 09:09 AM
No IPS
02-14-2011 12:54 PM
I am checking to see if the router is open to FTP... I will post back in a few.
02-15-2011 08:57 AM
Lewis,
Are you using ports 20 and 21 for FTP?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml
02-16-2011 06:40 AM
FTP test I get this error????
Error: FEAT response lines must begin with a single space character
02-16-2011 06:43 AM
Can you try using Windows Explorer instead of Filezilla? ex. ftp://{IP Address of outside interface}
Also check out the following
http://forum.filezilla-project.org/viewtopic.php?f=1&t=16565
02-17-2011 11:30 AM
I can get HTTP to work from same server. There must be something blocking the FTP. Do I need to open more ports for the FTP? The packet trace is not helping. I am going to try and use the packet capture to see if that helps.
02-18-2011 09:13 PM
Excellent Idea,
How far do you get when you try to FTP to your server? If you get the login prompt and the password just times out, we may need 2 things in order to sort this out:
Logs from the connection
Packet capture
Show service policy
If you can get the login prompt but the password times out, I don't think it is a problem with the inspection, since the inspection takes place only when there is a file transfer about to begin.
Please feel free to gather that information. If you like, you can send it as a private message to Paul and me; I think he would like to check those packet captures too, as much as I do.
Cheers.....
Mike