Opening Port Range ASA5505
03-27-2013 11:40 AM - edited 03-11-2019 06:20 PM
Hello all! I just bought a Cisco ASA5505 and I'm a bit of a newbie. I'm trying to open a port range through the CLI, but it doesn't seem to be working. Any feedback would be appreciated, thanks!
Background:
I have an FTP server running behind the firewall and need to allow the port range 30000-30100 for data connections. I have been using FTP through the command prompt and it's working. However, I cannot use it through the FileZilla client, as it fails to query the directories. I have the ASA forwarding to port 1125 from 21 in passive mode.
Access-List:
access-list Outside_Access_In line 3 extended permit tcp any any eq ftp-data (hitcnt=0) 0xfa8ed43d
access-list Outside_Access_In line 4 extended permit tcp any any eq ftp (hitcnt=17) 0x56ee42e8
access-list Outside_Access_In line 5 extended permit tcp any any eq 1125 (hitcnt=31) 0xe5b36f5d
access-list Outside_Access_In line 6 extended permit tcp any object Eric_PC range 30000 31000 (hitcnt=0) 0x0210a864
access-list Outside_Access_In line 6 extended permit tcp any host 192.168.0.6 range 30000 31000 (hitcnt=1) 0x0210a864
Objects:
object service FTP_DATA_CONNECTIONS
service tcp source range 30000 30100
Troubleshooting:
I did a packet trace and it seems to fail at the NAT phase.
1 (inside) to (outside) source static any any destination static interface Eric_PC service FTP_DATA_CONNECTIONS FTP_DATA_CONNECTIONS
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static SRV_FTP interface service tcp 1125 ftp
translate_hits = 0, untranslate_hits = 31
Labels: NGFW Firewalls
03-27-2013 11:59 AM
Hello Eric,
You should not need to open those ports for the data connections to start working; that is the whole purpose of a deep packet inspection firewall such as the ASA.
Can you share the show run policy-map?
All you will need to allow is the control channel connection from out to in. Do you understand me?
Regards,
Julio Carvajal Segura
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
03-27-2013 12:04 PM
Thanks Julio. I'm still a bit lost on the control channel connection. Here's the policy map:
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
03-27-2013 12:09 PM
Hello Erick,
Okay, let me explain:
policy-map global_policy
class inspection_default
inspect ftp
You already have that, so what is that saying?
It is basically saying: if you receive an FTP packet (control-channel packet), inspect that connection if it's allowed by the ASA security checks (ACLs, NAT, RPF, etc.) so it can open the required port ranges without you being forced to create an ACL.
Dynamically. Do you see the magic now?
So in order for us to fix this, here is the information I will need:
1) Are you 100% sure you are running FTP in passive mode?
2) Can you share the NAT rule you made for the FTP server's private IP address and public IP address?
3) Can you share the entire packet-tracer result?
Regards
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
03-27-2013 12:37 PM
Thanks, your explanation was easy to understand. I double checked the settings and confirmed it's running in passive-mode. I copied the output of the packet tracer command and I hope I did it correctly. Prior to installing the ASA I was able to use the FTP server without an issue.
object network SRV_FTP
host 192.168.0.6
object network SRV_FTP
nat (inside,outside) static interface service tcp 1125 ftp
packet-tracer input outside tcp x.x.x.x ftp 192.168.0.6 ftp detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb4bc2d0, priority=1, domain=permit, deny=false
hits=103874, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_Access_In in interface outside
access-list Outside_Access_In extended permit tcp any any eq ftp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb508bb0, priority=13, domain=permit, deny=false
hits=0, user_data=0xc9619000, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb4c01c8, priority=0, domain=inspect-ip-options, deny=true
hits=1497, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbd7b4e8, priority=70, domain=inspect-ftp, deny=false
hits=1, user_data=0xcbd7ade8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbf93b18, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=17, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb49c078, priority=0, domain=host-limit, deny=false
hits=14, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network 0.0.0.0
nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcbf83a58, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xcb5055a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=inside
03-27-2013 12:44 PM
packet-tracer input outside tcp x.x.x.x ftp-data 192.168.0.6 ftp-data
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_Access_In in interface outside
access-list Outside_Access_In extended permit tcp any any eq ftp-data
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network 0.0.0.0
nat (inside,outside) dynamic interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
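Both packet-tracer runs in this thread end the same way: every phase up to NAT says ALLOW, then "Type: NAT / Subtype: rpf-check" returns DROP with the catch-all "nat (inside,outside) dynamic interface" rule as its Config. When reading many of these, it helps to pull out just the dropping phase and the rule behind it. The following is an added example, not part of the thread or Cisco's tooling; the SAMPLE_TRACE text is a constructed excerpt in the format of the trace above.

```python
# Constructed excerpt in the format of the second packet-tracer run in this thread
# (outside -> 192.168.0.6 ftp-data), cut down to two phases and the verdict block.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_Access_In in interface outside
access-list Outside_Access_In extended permit tcp any any eq ftp-data
Additional Information:
Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network 0.0.0.0
nat (inside,outside) dynamic interface
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(trace):
    """Return (phases, verdict): one dict per phase (type/subtype/result/config) and the verdict block."""
    phases, verdict, cur, section = [], {}, None, None
    for line in (raw.strip() for raw in trace.splitlines() if raw.strip()):
        key, _, val = line.partition(":")
        if key == "Phase":
            phases.append(cur := {"phase": int(val), "config": []})
            section = None
        elif line == "Result:":                  # a bare "Result:" opens the verdict block
            cur, section = None, "verdict"
        elif section == "verdict":               # "Action: drop", "Drop-reason: ..." etc.
            verdict[key.lower()] = val.strip()
        elif cur is None:                        # the echoed command line before Phase 1
            continue
        elif line in ("Config:", "Additional Information:"):
            section = line
        elif section == "Config:":               # the rule that produced this phase's result
            cur["config"].append(line)
        elif section is None:                    # Type: / Subtype: / Result: of the phase
            cur[key.lower()] = val.strip()
    return phases, verdict

def first_drop(trace):
    """The phase that dropped the packet, with its config and the Drop-reason; None if allowed."""
    phases, verdict = parse_packet_tracer(trace)
    drops = [p for p in phases if p.get("result") == "DROP"]
    return {**drops[0], "drop_reason": verdict.get("drop-reason")} if drops else None
```

Feeding it the real output of `packet-tracer ... detailed` works the same way; the extra "Forward Flow based lookup" lines simply land under Additional Information and are ignored.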
03-27-2013 01:05 PM
Hello
object network SRV_FTP
host 192.168.0.6
object network SRV_FTP
nat (inside,outside) static interface service tcp 1125 ftp
So SRV_FTP is the internal IP address of the FTP server.
What is that 1125 service used for in the NAT statement?
Do the following:
object service ftp_1
service tcp source eq 21
nat (inside,outside) 1 source static SRV_FTP interface service ftp_1 ftp_1
Then give it a try
packet-tracer input outside tcp 4.2.2.2 1025 Outside_ASA_IP_ADDRESS 21
Regards
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
03-27-2013 01:15 PM
I have the FTP server running on port 1125. So essentially I'm forwarding port 21 to 1125. After adding the nat (inside,outside) 1 source static SRV_FTP interface service ftp_1 ftp_1 statement the FTP wouldn't connect anymore. After removing the statement I was able to connect. Here is also the log from the FTP client. Thanks!
Status: Connection established, waiting for welcome message...
Response: 220 Eric's File Server
Command: USER eric
Response: 331 Password required for eric.
Command: PASS *******
Response: 230 User Eric logged in.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (108,27,79,125,117,88)
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025 192.168.1.9 21
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SRV_FTP
nat (inside,outside) static interface service tcp 1125 ftp
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.9/21 to 192.168.0.6/1125
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_Access_In in interface outside
access-list Outside_Access_In extended permit tcp any any eq 1125
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SRV_FTP
nat (inside,outside) static interface service tcp 1125 ftp
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3210, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
03-27-2013 01:23 PM
Hello Eric,
Port 1025,
Got it
Use the NAT you had there, as that is what you need (I did not read that you were using port 1025).
So is it working now?
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
03-27-2013 01:45 PM
It's still failing on listing. Surprisingly, listing, uploading, and downloading work through the command prompt.
03-27-2013 02:10 PM
Hello Eric,
So everything works except the listing... Uploading and downloading work just fine...
We can see that the inspection is there, the NAT is properly set up, and the ACLs are good.
Then we will need to run captures to see what happens when you do a list request.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Can you create a capture on both the inside and outside interfaces matching this traffic (as specific as possible) so we can see what happens here?
Regards,
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
03-27-2013 05:54 PM
Sorry if I wasn't clear on the issue. With the FTP client, it doesn't work because the first thing it tries to do is list the directory contents upon connecting and it disconnects after the list command fails. Doing FTP through command prompt results in no issues which is odd.
03-27-2013 05:56 PM
Hello Eric,
Then it could be an application problem.
Can you do the captures first with the FTP client?
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
03-28-2013 06:12 AM
The FTP server worked before putting the ASA in. I took logs from the BulletProof server; unfortunately they are not in-depth. I also tried a different FTP client and got a little more information on the port it's trying to connect to. Also, is this normal for the FTP policy map?
ciscoasa(config)# show run policy-map type inspect ftp
!
!
From BulletProof FTP server application:
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - INFO: ftp-client connection made from IP:192.168.0.6
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - INFO: sending welcome message to client (MOTD).
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - 220 Eric's File Server
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - USER eric
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - 331 Password required for eric.
2013-03-28 09:06:33 - (not logged in) [000043] [outside IP] - PASS ********
2013-03-28 09:06:33 - Eric [000043] [outside IP] - INFO: logged in.
2013-03-28 09:06:33 - Eric [000043] [outside IP] - 230 User Eric logged in.
2013-03-28 09:06:33 - Eric [000043] [outside IP] - SYST
2013-03-28 09:06:33 - Eric [000043] [outside IP] - 215 UNIX Type: L8
2013-03-28 09:06:34 - Eric [000043] [outside IP] - PWD
2013-03-28 09:06:34 - Eric [000043] [outside IP] - 257 "/" is current directory.
2013-03-28 09:06:34 - Eric [000043] [outside IP] - PASV
2013-03-28 09:06:34 - Eric [000043] [outside IP] - 227 Entering Passive Mode (x,x,x,x,117,144)
2013-03-28 09:06:34 - Eric [000043] [outside IP] - LIST
2013-03-28 09:07:05 - Eric [000043] [outside IP] - ABOR
2013-03-28 09:07:05 - Eric [000043] [outside IP] - 426 Cannot retrieve. Failed. Aborting
2013-03-28 09:07:05 - Eric [000043] [outside IP] - 226 ABOR command successful.
2013-03-28 09:07:09 - Eric [000043] [outside IP] - QUIT
2013-03-28 09:07:09 - Eric [000043] [outside IP] - 221 Goodbye.
2013-03-28 09:07:09 - Eric [000043] [outside IP] - INFO: user disconnected gracefully. (00:00:36)
From CoreFTP client:
Connect socket #924 to x.x.x.x, port 21...
220 Eric's File Server
331 Password required for eric.
230 User Eric logged in.
215 UNIX Type: L8
Keep alive off...
257 "/" is current directory.
227 Entering Passive Mode (x,x,x,x,117,144)
LIST
Connect socket #964 to x.x.x.x, port 30096...
timeout
426 Cannot retrieve. Failed. Aborting
226 ABOR command successful.
221 Goodbye.
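The 227 replies in the FileZilla and CoreFTP logs above carry the data socket as (h1,h2,h3,h4,p1,p2), with port = p1*256 + p2: (…,117,88) is 30040 and (…,117,144) is 30096, exactly the port CoreFTP then tries to reach before timing out. Decoding that reply is the quickest way to tell whether the server's answer is something a client outside the firewall can use at all: the advertised address must be the public one (not the server's private 192.168.0.6) and the port must fall inside the 30000-30100 range the ACL and service object open. The script below is an added example, not code from the thread or from any FTP client; the 203.0.113.10 address stands in for the redacted x.x.x.x in the CoreFTP log and is constructed.

```python
import re

# Data-port range the original post opens in its ACL and service object.
DATA_PORT_RANGE = (30000, 30100)

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"\b227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Decode a 227 reply into (ip, port), port = p1*256 + p2; None if it is not a valid PASV reply."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_pasv(reply, expected_public_ip, port_range=DATA_PORT_RANGE):
    """List the reasons a client outside the firewall could not use this PASV reply.

    Two failure modes matter behind a NAT firewall: the server advertising its private
    address instead of the public one, and a data port outside the range the firewall opens.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"ok": False, "problems": ["not a well-formed 227 PASV reply"]}
    ip, port = parsed
    problems = []
    if ip != expected_public_ip:
        problems.append(f"advertised {ip}, client expects {expected_public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside opened range {lo}-{hi}")
    return {"ok": not problems, "ip": ip, "port": port, "problems": problems}

# Constructed lines modelled on the two client logs in this thread; the CoreFTP log
# redacted the address, so a documentation address (RFC 5737) stands in for it.
FILEZILLA_REPLY = "227 Entering Passive Mode (108,27,79,125,117,88)"
COREFTP_REPLY = "227 Entering Passive Mode (203,0,113,10,117,144)"

if __name__ == "__main__":
    print(check_pasv(FILEZILLA_REPLY, "108.27.79.125"))
    print(check_pasv(COREFTP_REPLY, "203.0.113.10"))
```

Run against the thread's own replies both decode cleanly and land inside the opened range, which is why the next diagnostic step in the thread is a capture on each interface rather than another ACL change.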
03-28-2013 09:25 AM
Hello Eric,
In order to proceed with this we will need the captures I have requested.
That will let us know what is going on.
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
