How to enable FTP in management port of an ASA 5525X?

blue phoenix
Level 1

Hi all,
I can ping the management port of my ASA from my PC (remote VPN to the client), all other ports are in shutdown (pre-prod stage)
I can't ping however from ASA to my PC that is now a vpn client of the remote client I am working on.

Global policy below:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
* As you can see icmp and ftp are allowed

Management has the same security level as the inside (100)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

ip verify reverse-path interface management 

What is missing in my config in order for ping to work from my ASA and as well make ftp work so I can transfer new packages from my PC to my ASA?

Please let me know what else you need for me to capture....

7 Replies

Marvin Rhoads
Hall of Fame

Your inspection policies have nothing to do with allowing or preventing access.

Traffic cannot flow through the ASA to the management port. That is prevented by design.

If all ports are shutdown except management then you should be able to access management directly from whatever network it is connected to. If you're on a remote network, you simply need to have a route defined and bound to management and allow the ssh or http from that network for cli and ASDM access respectively.

Thanks,

I have access to the management port, the management port is routable in the network for Inside and vpn users.  The ASA I am configuring is in its staging status and not yet in production.

So I don't know if I am doing this right or wrong since by default if the IP is routable and reachable you can ftp into it right if in the global policy it is allowed?

I tried to also configure an access-list permitting any any to the inbound of the management.  And bound that to an access-group in the management interface as well... No joy....

So what you are saying is that by default and design, management port is just purely for management and can't be used for transferring files to and from?

I noted that you cannot access the management interface THROUGH the ASA. If you're connecting directly TO the management address, then it works fine.

The global policy and inspect rules it references have nothing to do with management traffic, ftp or otherwise.

To copy files onto the ASA you can use ftp (ASA is the ftp client so you need to initiate from the ASA - not "ftp into it"), scp, tftp or http. HTTP(s) is the method used when we transfer via ASDM.

In any of those cases we need to allow ssh (for the cli-based methods) or http (for ASDM) from your client address or network in the ASA configuration. The commands look something like:

ssh 192.168.1.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 management

(of course substituting your network and netmask)

@Marvin Rhoads,

Hi, do you mean that I can transfer files from my PC (tftp/ftp server) to the ASA via the management port or not?


thanks,

Yes you can. I do it all the time.

You just need to run the

copy tftp://<your pc address>/<file name> disk0:/

... command (or with ftp and username / password for ftp) on the ASA.

The feature has been available since the ASA was known as a PIX.

Hi,

That is what is bothering me... I tried the usual copy ftp: disk:0
Asked me of the remote IP:
Asked me of the name of the file:
Asked me of the name for the destination file:

I tried this command as well:

copy ftp://192.168.80.239/C:\Users\rbilan\Downloads\ASA disk0:

still permission denied, do I need the complete syntax to work as below?

copy ftp://192.168.80.239/C:\Users\rbilan\Downloads\ASA disk0:/ 

Also if the copying of files has been around since the PIX, could you point me to a link that explains the step by step procedure for this using the management port?   Sorry can't seem to find any link for 9.1.2

Your copy ftp syntax is incorrect.

The ftp server software on your PC should have an option to set the home directory of the configured ftp username. For instance, set it to "C:\Users\rbilan\Downloads\ASA" in the ftp server software configuration. Once that is done, any remote ftp operation uses that as the starting point to look for the remote file.

So if you do that and want to copy the file "asa915-k8.bin" onto your ASA from that home directory, you would simply use:

copy ftp://192.168.80.239/asa915-k8.bin disk0:

You can optionally include the username and password in the copy command as follows (substituting your values):

copy ftp://username:password@192.168.80.239/asa915-k8.bin disk0:

The copy command syntax is covered in the ASA command reference.
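The two pieces of CLI syntax from this thread (the ssh/http access lines and the copy ftp command) as an added helper, not code from the thread or from Cisco: it writes the access lines in the netmask form the ASA expects and refuses the Windows absolute path that caused the permission error above. The network, server address and file name are constructed sample values.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed helper: emits ASA CLI lines; the ASA itself does the parsing.


def mgmt_access_lines(network: str, interface: str = "management") -> List[str]:
    """Return the 'ssh' and 'http' lines that permit CLI and ASDM access from
    a CIDR network, converted to the address/netmask form the ASA uses."""
    net = ipaddress.ip_network(network, strict=True)
    return [
        f"ssh {net.network_address} {net.netmask} {interface}",
        f"http {net.network_address} {net.netmask} {interface}",
    ]


# A drive letter or backslash means a Windows path was pasted into the URL.
_WINDOWS_PATH = re.compile(r"^[A-Za-z]:|\\")


def copy_ftp_command(server: str, filename: str, user: Optional[str] = None,
                     password: Optional[str] = None, dest: str = "disk0:") -> str:
    """Build 'copy ftp://...' with the file name relative to the FTP user's
    home directory, which is how the ASA addresses the remote file."""
    if _WINDOWS_PATH.search(filename) or filename.startswith("/"):
        raise ValueError("give the file name relative to the FTP home directory, "
                         "not an absolute path such as C:\\Users\\...")
    ipaddress.ip_address(server)  # raises on a malformed server address
    if (user is None) != (password is None):
        raise ValueError("supply both username and password or neither")
    # Credentials embedded in the URL end up in the CLI history and session
    # logs; leave them out and let the ASA prompt unless scripting needs them.
    auth = f"{user}:{password}@" if user else ""
    return f"copy ftp://{auth}{server}/{filename} {dest}"


if __name__ == "__main__":
    for line in mgmt_access_lines("192.168.1.0/24"):
        print(line)
    print(copy_ftp_command("192.168.80.239", "asa915-k8.bin"))
```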
