01-28-2010 12:48 PM - edited 03-11-2019 10:02 AM
I just installed an ASA 5510 and got just about everything I needed on it working such as DHCP server, remote client VPN and some public servers accessible that sit on the inside network. I configured everything with ASDM since I am new to Cisco ASA.
Today I discovered that I can't download ftp files from workstations on the inside interface. I have searched a lot and this seems to be a somewhat common issue, but none of the things I have tried will make it work. In general, I have seen that if these commands are in the ASA it should work:
ftp mode passive
policy-map global_policy
class inspection_default
inspect ftp
They are, but it still won't work. Here is an example of a failed ftp session:
brandon-svecs-computer:~ bsvec$ ftp XX.X.249.145
Connected to XX.X.249.145.
220-FileZilla Server version 0.9.23 beta
220 Welcome to NexAira Engineering FTP Site/
Name (XX.X.249.145:bsvec): username
331 Password required for username
Password:
230 Logged on
Remote system type is UNIX.
ftp> bin
200 Type set to I
ftp> get Cbeyond\ ML3.zip
local: Cbeyond ML3.zip remote: Cbeyond ML3.zip
227 Entering Passive Mode (XX,XX,249,145,7,50)
150 Connection accepted
0% | | 0 0.00 KiB/s --:-- ETA
Then it just sits there. One strange thing is that one of these sessions seems to have worked after 15-20 minutes when I forgot about it.
Similarly, in Windows the ftp download will fail through browser or command line, but on one occasion a file downloaded 20 minutes later.
I attached my config. Any help is much appreciated.
Thanks,
Brandon
02-13-2010 01:13 PM
There is a server in your network 10.10.10.41 with the following static nat.
static (inside,outside) xx.xx.133.242 10.10.10.41 netmask 255.255.255.255
Try to use this server as your ftp client and see if it works. This may be an issue with NAT but we need captures for the traffic flow on the two interfaces of the ASA.
02-13-2010 04:48 PM
So, this workstation on the inside is able to go out to the internet just fine? Just not able to ftp at times?
What is the gateway of this workstation?
Can you try the same ftp from a workstation that is directly connected to the inside interface sub-net? Make sure the GW for this workstation is the firewall. If it fails, collect a wireshark capture on the workstation and review that, or post it for us to look at.
-KS
02-13-2010 08:52 PM
Thank you both for the input. I had actually resolved this previously by not using the CSC module. I would like to revisit this some time and make everything work with the CSC active though. Via ASDM these are the lines that I added (then removed) that created my ftp trouble:
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq http
port-object eq pop3
port-object eq smtp
access-list global_mpc_1 line 1 extended permit tcp any any object-group DM_INLINE_TCP_1
class-map global-class
match access-list global_mpc_1
policy-map global_policy
class global-class
csc fail-open
My understanding is that these lines tell the ASA that ftp, http, pop3 and smtp traffic will be scanned by the CSC. Is this correct? Any idea why this would mess up normal ftp client activity?
Thanks in advance,
Brandon
02-14-2010 06:20 AM
I do not see ftp inspection. That is required for the CSC to scan ftp traffic.
Pls. enable ftp inspection and give it a shot.
policy-map global_policy
class global-class
inspect ftp ---------------------> add this
csc fail-open
-KS
02-14-2010 10:46 AM
I do have "inspect ftp" in my config (see attachment to original post). I tried doing it on CLI as you described to be sure and still nothing changed.
When I go to ASDM under configuration > traffic selection for scanning and select the default setting it creates these commands:
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq http
port-object eq pop3
port-object eq smtp
access-list global_mpc_1 line 1 extended permit tcp any any object-group DM_INLINE_TCP_1
class-map global-class
match access-list global_mpc_1
policy-map global_policy
class global-class
Then ftp stops working for me or works intermittently with odd errors. As soon as I remove the above and this config goes back to the ASA, then ftp works again:
policy-map global_policy
no class global-class
no class-map global-class
In my current running config I see this:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
KS, you suggest I put inspect ftp under "class global-class" (which I tried), but my ASDM created config has this under "class inspection_default".
Could this mean anything?
Thanks again,
Brandon
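The exchange above turns on which class inside "policy-map global_policy" carries "inspect ftp" and which carries "csc fail-open". The following Python script is an added example, not code from the thread or from Cisco: it parses an ASA policy-map excerpt into a class-to-actions map and reports, per class, whether FTP inspection and CSC scanning are configured there, so the situation Brandon describes can be read off a running-config dump without scrolling. The sample text is constructed from the two configs quoted in the thread; the parser only reads the text and judges nothing, since the thread does not settle which class is correct.

```python
# Constructed sample: the policy-map from the running config quoted above,
# with the ASDM-generated CSC class added back in.
SAMPLE_POLICY_MAP = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect esmtp
  inspect ip-options
  inspect ftp
 class global-class
  csc fail-open
"""


def parse_policy_maps(text):
    """Parse 'policy-map' blocks into {policy_name: {class_name: [action, ...]}}.

    Indentation is ignored on purpose: forum posts and some exports strip it,
    so the structure is recovered from the 'policy-map' / 'class' keywords only.
    """
    policies = {}
    policy = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map "):
            policy = line.split(None, 1)[1]
            policies[policy] = {}
            cls = None
        elif line.startswith("class ") and policy is not None:
            cls = line.split(None, 1)[1]
            policies[policy].setdefault(cls, [])
        elif cls is not None:
            policies[policy][cls].append(line)
    return policies


def classes_with(policies, policy_name, action_prefix):
    """Names of classes in policy_name that contain an action starting with action_prefix."""
    return sorted(
        cls for cls, actions in policies.get(policy_name, {}).items()
        if any(a.startswith(action_prefix) for a in actions)
    )


def report(text, policy_name="global_policy"):
    """Per-class summary: does the class carry 'inspect ftp' and/or a 'csc' action?"""
    policies = parse_policy_maps(text)
    return {
        cls: {
            "inspect_ftp": any(a.startswith("inspect ftp") for a in actions),
            "csc": any(a.startswith("csc") for a in actions),
            "actions": len(actions),
        }
        for cls, actions in policies.get(policy_name, {}).items()
    }


if __name__ == "__main__":
    for cls, info in report(SAMPLE_POLICY_MAP).items():
        print("%-20s inspect ftp=%-5s csc=%-5s (%d actions)"
              % (cls, info["inspect_ftp"], info["csc"], info["actions"]))
```

Run against a "show running-config policy-map" dump, the same report makes it obvious whether the FTP inspection and the CSC action live in one class or in two, which is the exact question left open at the end of this post.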