Passive FTP/SSL through ASA 5515-X

sam cook
Spotlight

Hi,

I have an issue with FTP/SSL through my ASA 5515-X.

When connecting with FileZilla to a test server I always get this:


Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (195,144,107,198,4,7).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server

On my ASA I cannot see any ACL filtering, and ports 21 and 990 are authorized. I think it's an issue with FTP over SSL in passive mode.

Any help please?


1 Accepted Solution

Thank you for your help.

I finally found the problem: passive FTP bounces to a new random port, so I had to open all dynamic ports toward the SFTP server, and now everything works fine :)

5 Replies

Florin Barhala
Level 6
Couple of questions:
- Based on the error output, why do you think the issue lies on the ASA?
- Do you have inspect FTP? Post your policy-map config.
- Do you have Firepower policies applied also? The entire service policy config can shed some light.

Right off the bat I would try disabling FTP inspect and see how it goes.

Hi Florin,

Thank you for your reply.

Here are my answers:

- Based on the error output, why do you think the issue lies on the ASA?
==> Because without the ASA, everything works fine.
- Do you have inspect FTP? Post your policy-map config.
==> Yes, I inspect FTP:

ASA# show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map Inside-policy
 description QOS-INSIDE
 class Inside-class
  police input 60000000 30000
  police output 60000000 30000
 class Inside-class1
  police input 30000000 15000
  police output 30000000 15000
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect ftp
 class class-default
  user-statistics accounting
policy-map Outside-policy
 description QOS-OUTSIDE
 class Outside-class
  police input 60000000 30000
  police output 60000000 30000
 class Outside-class1
  police input 30000000 15000
  police output 30000000 15000
!
ASA#


- Do you have Firepower policies applied also? The entire service policy config can shed some light.
==> No Firepower configuration is used.

I already tried disabling FTP inspection, but the same problem is still there.

OK, what does the NAT config look like for your FTP server?
Actually, where are the server and client located in regard to the ASA? Do you have the server or the client behind the ASA?

Thank you for your help.

I finally found the problem: passive FTP bounces to a new random port, so I had to open all dynamic ports toward the SFTP server, and now everything works fine :)

Good news! Just make sure you mark this as solved ;)
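The FileZilla log in the original post and the accepted solution both come down to the same mechanism: the server's 227 reply tells the client which host and port to open for the data connection, and with FTP over SSL that reply travels inside the TLS session, so the ASA's "inspect ftp" cannot read it and cannot open a dynamic pinhole the way it does for plaintext FTP. The only thing left is a static rule, and "all dynamic ports" is the widest possible version of it. The following script is an added example, not code from the thread or from Cisco: it parses the 227 (and the EPSV 229) reply, computes the data port the way a client or an FTP inspector does, and checks it against a permitted range. The ACL name OUTSIDE_IN, the 50000-50100 range, and the 10.0.0.5 host are assumptions for illustration; the 227 line is the one from the log above.

```python
"""Check a passive-mode FTP(S) data connection against static firewall rules.
Added example, not part of the original thread or Cisco software."""
import re
from typing import Optional, Tuple

# Constructed sample input: the 227 reply shown in the FileZilla log above.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (195,144,107,198,4,7)."
# Server address from that log; used as the control-channel peer for EPSV.
LOG_SERVER_IP = "195.144.107.198"

# RFC 959 PASV reply: (h1,h2,h3,h4,p1,p2); the data port is p1*256 + p2.
_PASV_RE = re.compile(
    r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: (|||port|); the host is the control-channel peer.
_EPSV_RE = re.compile(r"229[^(]*\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply: str, control_host: Optional[str] = None) -> Tuple[str, int]:
    """Return the (host, port) a client connects to after a PASV or EPSV reply.

    This is the line 'inspect ftp' must read on the control channel to open a
    pinhole for the data connection. Under FTPS the control channel is
    encrypted after AUTH TLS, so the firewall never sees it and only static
    rules can let the data connection through.
    """
    m = _PASV_RE.search(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
            raise ValueError(f"malformed 227 reply: {reply!r}")
        port = p1 * 256 + p2
        if port == 0:
            raise ValueError(f"port 0 in 227 reply: {reply!r}")
        return f"{h1}.{h2}.{h3}.{h4}", port
    m = _EPSV_RE.search(reply)
    if m:
        if control_host is None:
            raise ValueError("EPSV reply needs the control-channel host")
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range in 229 reply: {reply!r}")
        return control_host, port
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def data_port_permitted(port: int, passive_range: Tuple[int, int],
                        static_ports: Tuple[int, ...] = (21, 990)) -> bool:
    """True if a static rule covers the advertised data port.

    passive_range is the inclusive TCP range permitted toward the server;
    static_ports are the control ports already open (21 for explicit FTPS,
    990 for implicit FTPS). Those never carry a directory listing, which is
    why having them open did not help in the thread.
    """
    lo, hi = passive_range
    return port in static_ports or lo <= port <= hi


def asa_acl_for_passive_range(acl_name: str, server_ip: str, lo: int, hi: int) -> str:
    """Build the ASA extended ACE that permits one passive port range.

    acl_name and the range are assumptions for illustration; the ACL still
    has to be bound to the outside interface with 'access-group'.
    """
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("invalid passive range")
    return f"access-list {acl_name} extended permit tcp any host {server_ip} range {lo} {hi}"


def check_listing(reply: str, passive_range: Tuple[int, int],
                  control_host: str = LOG_SERVER_IP) -> dict:
    """Evaluate one PASV/EPSV reply against the permitted range and report."""
    host, port = parse_passive_reply(reply, control_host=control_host)
    return {
        "host": host,
        "port": port,
        "permitted": data_port_permitted(port, passive_range),
        "ace": asa_acl_for_passive_range("OUTSIDE_IN", host, *passive_range),
    }


if __name__ == "__main__":
    # The server in the log picked 4*256+7 = 1031. With "all dynamic ports"
    # open (the accepted solution) it passes; with a narrow range it is
    # refused, which is the cue to align the server's passive port range
    # with the firewall rule instead of opening everything above 1023.
    for rng in ((1024, 65535), (50000, 50100)):
        print(rng, check_listing(SAMPLE_PASV_REPLY, rng))
```

The narrower check fails for the port in the log because the server was free to pick any ephemeral port. The tighter fix than "open all dynamic ports" is to pin the server's passive port range (most FTP servers have such a setting; vsftpd calls it pasv_min_port/pasv_max_port) and permit only that range on the ASA, and, when the server is NATed, make sure the address it advertises in the 227 reply is the one clients can actually reach.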