01-08-2013 10:29 PM - edited 03-11-2019 05:44 PM
Our structure is internet---Router----ASA-----TMG----FTP server. I am trying to publish the FTP service to the public. I did NAT on the router and created access-lists on both the router and the ASA to allow FTP traffic to pass through, and I configured inspect ftp on the ASA, but I can't see traffic reach the TMG. Any help is appreciated!
Router configuration for ftp:
ip nat inside source static tcp 192.168.xxx.xx 20 xxx.xxx.xxx.xxx 20 extendable
ip nat inside source static tcp 192.168.xxx.xx 21 xxx.xxx.xxx.xxx 21 extendable
ASA configuration for ftp:
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list 102 extended permit tcp any host 192.168.xxx.xx object-group DM_INLINE_TCP_1
policy-map global_policy
class inspection_default
inspect ftp
Rgs!
Zhentian
01-08-2013 11:15 PM
Probably the problem is that in FTP passive mode a random port is used for the data channel, not TCP port 20. I think the range is 30000-35000/tcp. So you should modify your NAT and access rules on the router accordingly.
01-08-2013 11:20 PM
Hi,
The command "ftp mode passive" only relates to how the ASA operates when you use FTP to transfer files with the ASA. It doesn't affect the FTP connections going through it.
Since you say you don't see anything of the FTP connection on the TMG, I would suggest going through the Router and ASA configurations once more and checking the ASA logs while someone is attempting FTP connections.
- Jouni
01-08-2013 11:33 PM
I can see the counter increase when I try FTP from outside:
ASA# sh service-policy inspect ftp
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 3385, lock fail 0, drop 0, reset-drop 0
Is there any other command that can be used to get useful output info?
01-08-2013 11:36 PM
Hi,
But it would be better to get the actual log messages of the connection you are attempting, as the above output could be about any other FTP connection.
You can also issue "packet-tracer" command on the ASA to see what would happen to the FTP connection regarding firewall rules.
packet-tracer input
- Jouni
01-08-2013 11:46 PM
Thanks Jouni!
I tested it with packet tracer in ASDM; it shows both the outside and inside interfaces allow the packet to pass through.
Here is the output from the packet-tracer command:
ASA# packet-tracer input outside tcp 125.177.177.222 5915 XXX.XXX.XXX.XX 21
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in XXX.XXX.XXX.XX 255.255.254.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 102 in interface outside
access-list 102 extended permit tcp any host XXX.XXX.XXX.XX object-group DM_INLINE_TCP_1
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1330160, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
01-09-2013 12:14 AM
Hi,
So it seems to me the firewall rules are fine regarding the FTP control connection (TCP/21).
Next it would be good to monitor a connection attempt through the ASDM Monitor/Logging (logging level at least informational).
Look for the "Built" and "Teardown" messages of a single FTP connection attempt and see if you could copy-paste the "Teardown" log message for the TCP connection attempt here on the forums.
Provided you see the connection attempt in the ASA logs, of course.
- Jouni
01-09-2013 12:25 AM
I can see the log from ASDM like below:
6 Jan 09 2013 09:19:17 125.177.177.222 1978 XXX.XXX.XXX.XX 21 Teardown TCP connection 1343807 for outside:125.177.177.222/1978 to inside:XXX.XXX.XXX.XX/21 duration 0:00:30 bytes 0 SYN Timeout
6 Jan 09 2013 09:19:13 125.77.177.222 1980 XXX.XXX.XXX.XX 21 Built inbound TCP connection 1344013 for outside:125.177.177.222/1980 (125.177.177.222/1980) to inside:XXX.XXX.XXX.XX/21 (XXX.XXX.XXX.XX/21)
01-09-2013 12:28 AM
Hi,
This basically means that the ASA firewall sees the SYN of the initial FTP connection attempt from the Internet.
But on the other hand it tells us that the ASA doesn't see any reply from the actual FTP server behind it.
So it would seem the problem is somewhere behind the ASA, since the connection has come through the Router and ASA just fine.
- Jouni
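The reasoning in the last two posts (a "Built" followed by a "Teardown ... bytes 0 SYN Timeout" means the ASA forwarded the SYN but never saw the server's SYN/ACK) can be automated over an ASDM log export. The following script is an added example, not code from the thread or from Cisco: it parses the Built/Teardown message layout quoted above, pairs the two messages by connection id, classifies each teardown reason, and returns the same conclusion Jouni reaches by hand. The sample log lines are constructed with RFC 5737 placeholder addresses; the teardown reasons "SYN Timeout", "TCP FINs", "TCP Reset-I" and "TCP Reset-O" are standard ASA reason strings, and the diagnosis wording is this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the ASDM log-viewer layout quoted in the thread
# (severity, timestamp, src, sport, dst, dport, message). Addresses are
# documentation placeholders (RFC 5737), not from any real deployment.
SAMPLE_LOG = """\
6 Jan 09 2013 09:19:13 203.0.113.10 1980 192.0.2.21 21 Built inbound TCP connection 1344013 for outside:203.0.113.10/1980 (203.0.113.10/1980) to inside:192.0.2.21/21 (192.0.2.21/21)
6 Jan 09 2013 09:19:17 203.0.113.10 1978 192.0.2.21 21 Teardown TCP connection 1343807 for outside:203.0.113.10/1978 to inside:192.0.2.21/21 duration 0:00:30 bytes 0 SYN Timeout
6 Jan 09 2013 09:19:43 203.0.113.10 1980 192.0.2.21 21 Teardown TCP connection 1344013 for outside:203.0.113.10/1980 to inside:192.0.2.21/21 duration 0:00:30 bytes 0 SYN Timeout
6 Jan 09 2013 09:20:05 203.0.113.10 1990 192.0.2.44 443 Built inbound TCP connection 1344100 for outside:203.0.113.10/1990 (203.0.113.10/1990) to inside:192.0.2.44/443 (192.0.2.44/443)
6 Jan 09 2013 09:20:09 203.0.113.10 1990 192.0.2.44 443 Teardown TCP connection 1344100 for outside:203.0.113.10/1990 to inside:192.0.2.44/443 duration 0:00:04 bytes 1532 TCP FINs
"""

BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<out_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) "
    r"for (?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<out_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)


def classify_teardown(nbytes, reason):
    """Map an ASA teardown reason to what it says about the connection."""
    if reason == "SYN Timeout" and nbytes == 0:
        # The ASA built the flow on the client's SYN, but the inside host never
        # answered with a SYN/ACK before the embryonic timeout expired.
        return "no_reply_from_server"
    if reason == "TCP FINs":
        return "completed"
    if reason in ("TCP Reset-I", "TCP Reset-O"):
        # A reset from the inside (-I) or outside (-O) endpoint: the host was
        # reachable but refused or aborted the session.
        return "reset_by_endpoint"
    return "other"


def parse_log(text):
    """Return {connection_id: record} merging the Built and Teardown details."""
    conns = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            rec = conns.setdefault(m["cid"], {})
            rec.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                       dport=int(m["dport"]), built=True)
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            nbytes = int(m["nbytes"])
            rec = conns.setdefault(m["cid"], {})  # teardown may arrive without its Built
            rec.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                       dport=int(m["dport"]), nbytes=nbytes,
                       duration=m["duration"], reason=m["reason"],
                       verdict=classify_teardown(nbytes, m["reason"]))
    return conns


def summarize(conns, dport=21):
    """Count verdicts of torn-down connections to one destination port."""
    return Counter(r["verdict"] for r in conns.values()
                   if "verdict" in r and r["dport"] == dport)


def diagnose(conns, dport=21):
    """Turn the counts into the conclusion the thread reaches by hand."""
    counts = summarize(conns, dport)
    total = sum(counts.values())
    if total == 0:
        return ("no teardown messages for port %d: the SYN is not reaching the ASA "
                "(check router NAT and ACLs)" % dport)
    if counts["no_reply_from_server"] == total:
        return ("ASA forwards the SYN but never sees a SYN/ACK: the problem is behind "
                "the ASA (return route, TMG publishing rule, or server not listening)")
    if counts["no_reply_from_server"] > 0:
        return "intermittent: some connections complete, others time out on SYN"
    return "connections to port %d complete normally through the ASA" % dport


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for cid, rec in sorted(conns.items()):
        print(cid, rec["dst"], rec["dport"], rec.get("reason", "(still open)"), rec.get("verdict", ""))
    print(diagnose(conns, 21))
```

Run it against a text export of the ASDM log viewer filtered on the FTP server's address; "bytes 0" on the teardown is the key detail, since a SYN Timeout with bytes 0 means nothing ever came back from the inside host.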