Having issues with Simple FTP configuration

shostackr
Level 1

I am attempting to set up FTP behind this new Cisco ASA 5510 we just bought. I haven't configured a Cisco device in 5 years, so I am having issues. I think I am close, but need a little help to get me over the hump. If I FTP from an outside (fixed) IP it connects and takes the password but hangs on PASV and gives no data connection. Below is my configuration. Can anyone help? I am hoping it is simple since I seem to have the connection inside correct, and yes, you can connect to the FTP server from inside without issue.

ASA Version 8.2(5)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif External
 security-level 0
 ip address y.y.y.y 255.255.255.0
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address x.x.x.x. 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup External
dns server-group DefaultDNS
 name-server g.g.g.g.g.
 name-server h.h.h.h.
access-list 100 extended permit tcp any host y.y.y.y eq ftp
access-list 100 extended permit tcp any host y.y.y.y eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (External) 101 interface
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,External) tcp interface ftp-data 192.168.0.69 ftp-data netmask 255.255.255.255
static (Internal,External) tcp interface ftp 192.168.0.69 ftp netmask 255.255.255.255
access-group 100 in interface External
route External 0.0.0.0 0.0.0.0 L.L.L.L 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map INSPECTION_DEFAULT
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:9c15122a54bf6b87ce5ab8be0f23e9d5
: end


4 Replies

You do not need to configure anything for ftp-data. That is handled by the ASA automatically:

no static (Internal,External) tcp interface ftp-data 192.168.0.69 ftp-data netmask 255.255.255.255

no access-list 100 extended permit tcp any host y.y.y.y eq ftp-data

Have you anything in the log?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

First of all, thanks! So I pulled those commands off.

I am hitting the FTP server behind the firewall as you can see from my first log... It dies on PASV which is why I thought I needed that FTP-Data.

(000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> 220-FileZilla Server version 0.9.41 beta
(000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> USER administrator
(000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> 331 Password required for administrator
(000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> PASS *****
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> 230 Logged on
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> CWD /
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> 250 CWD successful. "/" is current directory.
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> TYPE A
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> 200 Type set to A
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> PASV
(000018)1/25/2013 11:48:21 AM - administrator (ip.ip.ip.ip.ip)> 227 Entering Passive Mode (72,90,69,2,10,125)

Here's what the Log shows when I hit the FTP server from the outside...

6 | Jan 25 2013 | 08:48:52 | 72.90.68.10 | 39185 | 72.90.69.2 | 21 | Deny TCP (no connection) from ip.ip.ip.ip/39185 to outsideinterfaceip/21 flags PSH ACK on interface External

Does that help?

Thanks again! Cyclist eh? Nice, that's my latest passion and it will probably send me to the poor house with the amount of times I crash.

I am hitting the FTP server behind the firewall as you can see from my first log... It dies on PASV which is why I thought I needed that FTP-Data.

ftp-data (tcp/20) is only used with active-mode ...

Do you have any log on the FTP-server?

Cyclist eh? 

yes, now waiting for the spring to start cycling this year. Hopefully in March ...

Nice, that's my latest passion and it will probably send me to the poor house with the amount of times I crash

just ride a little bit slower .. ;-)

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
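As an added diagnostic, not code from this thread or from Cisco or FileZilla: the script below pulls every PASV reply and PORT command out of a FileZilla-style log (the sample is constructed from the lines quoted earlier in the thread) and reports which data-channel endpoint the firewall's FTP inspection has to open, and whether the address the server advertises is actually reachable from outside; the expected public address is an assumption supplied by the caller.

```python
import ipaddress
import re

# Constructed sample in the FileZilla Server log format shown in the thread.
SAMPLE_LOG = """\
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> TYPE A
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> 200 Type set to A
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> PASV
(000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> 227 Entering Passive Mode (72,90,69,2,10,125)
"""

# 227 reply (passive: server tells client where to connect) and
# PORT command (active: client tells server where to connect back from tcp/20).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"\bPORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_endpoint(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 values into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channels(log_text):
    """Yield (mode, ip, port) for every data channel negotiated in the log."""
    for line in log_text.splitlines():
        m = PASV_RE.search(line)
        if m:
            yield ("passive",) + decode_endpoint(m.groups())
            continue
        m = PORT_RE.search(line)
        if m:
            yield ("active",) + decode_endpoint(m.groups())


def diagnose(log_text, public_ip):
    """One finding per data channel: what must be opened and whether the advertised address works."""
    findings = []
    for mode, ip, port in data_channels(log_text):
        if mode == "active":
            findings.append(f"active: server connects from tcp/20 to client {ip}:{port}; inspection opens it")
        elif ipaddress.ip_address(ip).is_private:
            findings.append(f"passive: server advertised private {ip}:{port}; inspect ftp must rewrite it at the NAT boundary")
        elif ip != public_ip:
            findings.append(f"passive: server advertised {ip}:{port}, not the expected public address {public_ip}")
        else:
            findings.append(f"passive: client will connect to {ip}:{port}; ftp-data (tcp/20) is not involved")
    return findings
```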

Thanks for the help. I guess I got it with your help. Not sure why, but it seems to be working now.

I removed those two commands you highlighted, that I didn't need then saved. (No change.)

I then pulled out my other commands that I originally put in to get this up (saved the config) and then put them back in minus the ones you highlighted.

access-list 100 extended permit tcp any host y.y.y.y eq ftp
static (Internal,External) tcp interface ftp 192.168.0.69 ftp netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect ftp

Saved it and bam, I am up! Maybe it's because I am running the CLI from the ASDM and not just telnetting in and running the commands natively. That's the only thing I can think of!

Either way thanks for your time!

"Ride a little slower?" Never! What fun would that be? Thanks again! Healthy Happy riding to you!
