Our ASA is blocking FileZilla.

JBrav0
Level 1

There is a server in our environment that's running FileZilla, and this is the way we have the rule set up using FMC:

Set up:

Objects: 

- Public IP, Private IP.

- Ports that were asked to be opened. 

NAT Rule: For the public IP to the Private IP 

Initial Access Control Policy: 

- Zone: SC: Internet, Destination: LAN

Network: 

- SC: Any, Destination: Private IP 

VLAN Tags, Users, Applications: Set to any. 

Ports: SC: Any, Dest: the objects selected from when I created the ports. 

URLs and SGT/ISE: any.

Issue:

When someone tries to connect to the server they can get to the port, but the TLS connection can't be authenticated, so it closes the connection. Not sure what's going on.

Attempts to resolve:

I tried allowing any port through, and allowing anyone on the internet through.

Device Firewall has inbound and outbound ports allowed access. 

In the initial access control policy, I changed it from

SC: Any, Destination: Private IP to SC: Any, Destination: Public IP.

Temp solution: 

What seems to work at the moment is that when I changed the rule action from Allow to Trust, it let the connection through and TLS authentication was a success; files can be transferred, etc. Now, if I understand correctly, Trust doesn't monitor and basically allows anything to go through. Not sure if I want that.

Does anyone know why it's having this issue? The ASA isn't super configured, so it can be assumed that it's a brand new ASA with very little configuration.
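To pin down which stage an explicit-FTPS (FTP over TLS) client actually fails at, since "can get to the port" and "TLS can't be authenticated" are different failures, here is an added diagnostic script; it is not from the post or from Cisco, the names `probe_ftps`, `fake_ftp_server` and `unused_local_port` are hypothetical, and the fake server is a constructed stand-in so the script runs offline.

```python
import socket
import ssl
import threading
from ftplib import FTP_TLS, Error as FTPError

def probe_ftps(host, port=21, timeout=5.0):
    """Return (stage, detail): the first stage at which explicit FTPS fails.
    stage is 'connect' (no TCP or no 220 banner), 'ftp' (AUTH TLS refused),
    'tls' (handshake never completed) or 'ok'."""
    ctx = ssl.create_default_context()       # verifies the server certificate
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftps.connect(host, port)             # TCP connect plus the 220 banner
    except (OSError, EOFError, FTPError) as e:
        return "connect", str(e)
    try:
        ftps.auth()                          # AUTH TLS, then the TLS handshake
    except FTPError as e:
        return "ftp", str(e)                 # port reached, AUTH rejected
    except (OSError, EOFError) as e:         # ssl.SSLError is an OSError
        return "tls", str(e)                 # port reached, handshake died
    ftps.quit()
    return "ok", ""

def fake_ftp_server(auth_reply):
    """Constructed stand-in for the server so the probe runs offline: sends
    a banner, answers AUTH with `auth_reply`, then hangs up, which is what
    a handshake that never completes looks like from the client side."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 constructed test server\r\n")
        conn.recv(64)                        # consume 'AUTH TLS\r\n'
        conn.sendall(auth_reply + b"\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_local_port():
    """A port nothing listens on, to exercise the 'connect' stage."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Run `probe_ftps` from the client side against the public IP on the FTP control port; a result of `tls` with the port reachable is the symptom described above, while `ok` confirms the control channel end to end.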

1 Reply

What are you using to transfer files? (FTP, SCP, SFTP, etc.)

So, Trust means just that: you will bypass the Snort process, so the rule only acts as a regular ASA access-list rule. However, if you do have something in the rule that requires Snort to process it and make a verdict on it, then the packet will be sent to Snort even though you have it configured as Trust. An example of this would be if you are using Application instead of, or as well as, Port; then the packet will be sent to Snort for processing the Application. If you also have IPS configured for that rule, then IPS will also be processed. The only way to truly circumvent Snort is to either not configure anything that would require Snort to process the packet, or to configure the rule in the prefilter.
