Solved: Re: FTP - Page 2

Lewis_Cipher · ‎02-11-2011

I am trying to NAT my FTP to the outside. I can't get to that IP. Am I missing something? I have FTP allowed in access rules.

For NAT

static NAT

inside - to the internal IP

Outside - external IP

I can ping the server from firewall internally. What else can I do to test?

PAUL GILBERT ARIAS · ‎02-15-2011

yes, for example:

policy-map global_policy

class inspection_default

inspect ftp

!

service-policy global_policy global

Lewis_Cipher · ‎02-16-2011

The inspect ftp command is not working, can i just add it through the GUI interface?

PAUL GILBERT ARIAS · ‎02-16-2011

what do you mean is not working? Is not configured?

If it is not configured then you can add it by CLI or GUI under the global policy.

Lewis_Cipher · ‎02-16-2011

Reply: 220 Microsoft FTP Service

Command: CLNT http://ftptest.net on behalf of 63.61..x.x

Reply: 500 'CLNT http://ftptest.net on behalf of 63.61.x.x: command not understood

Command: USER anonymous

Reply: 331 access allowed, send identity (e-mail name) as password.

Command: PASS **********************

Reply: 230 user logged in.

Command: SYST

Reply: 215 Windows_NT

Command: FEAT

Reply: 211-FEAT

Reply: SIZE

Error: FEAT response lines must begin with a single space character

Error when typing in command for FTP....

the first two lines work but the last one, "inspect FTP" does not work...

PAUL GILBERT ARIAS · ‎02-16-2011

I don't think the problem is with the inspect. The FTP FEAT command is entered succesfully but the responses a

re not. You can check the show service-policy and check if the inspect ftp has drops:

ASA-1# sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 672, drop 0, reset-drop 0

Lewis_Cipher · ‎02-18-2011

I can get to where I go to the external address and I get a login box. However, when I type in the password it times out now. Looking at the log on the FTP server, the account is logging in.

Lewis_Cipher · ‎02-14-2011

No IPS

Lewis_Cipher · ‎02-14-2011

I am checking to see if the Router is open to FTP... I will post back back in a few.

ciscona728 · ‎02-15-2011

Lewis,

Are you using ports 20 and 21 for FTP?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

Lewis_Cipher · ‎02-16-2011

FTP test I get this error????

Error: FEAT response lines must begin with a single space character

ciscona728 · ‎02-16-2011

Can you try using Windows Explorer instead of Filezilla? ex. ftp://{IP Address of outside interface}

Also check out the following

http://forum.filezilla-project.org/viewtopic.php?f=1&t=16565

Lewis_Cipher · ‎02-17-2011

I can get HTTP to work from same server. There must be something blocking the FTP. Do I need to open more ports for the FTP? The packet trace is not helping. I am going to try and use the packet capture to see if that helps.

Maykol Rojas · ‎02-18-2011

Excellent Idea,

How far do you get when you try to FTP to your server? If you get the login prompt and the password just timeouts, we may need 2 things in order to sort this out....

Logs from the connection

Packet capture

Show service policy

If you can get the login prompt but the password timeouts, I dont think it is a problem with the inspection, since the inspection takes place only when there is a file transfer about to begin.

Please feel free to gather that information, if you like you can send it as a Private message to Paul and Me, I think he would like to check those packet captures too as much as I do.

Cheers.....

Mike