Unable to access FTP server in DMZ from Outside

We currently have an FTP server set up in our DMZ.  I am able to connect to the FTP server on the internal network using WinSCP and basic FTP (port 21, no TLS or anything just yet).  Apparently this was working before I came to the company; they attempted to set the FTP server up to use FTP over TLS and everything stopped working, and it couldn't be accessed from the inside or the outside.  I've been fiddling with it for the last few days and I'm now able to connect internally.  When I try to hit the FTP server from the outside, either using an FTP client on my phone or using ftptest.net, I get a connection timed out error.  When I look at the firewall log I get this error:

 

Routing failed to locate next hop for TCP from outside:136.243.154.86/55606 to DMZ:192.168.1.48/21

 

Which is better than what I had been getting in the logs, which was nothing.  Below is my current config on the firewall (sorry for the length; it seems like there is a lot of stuff in there that could probably be removed, but I'm only 2 weeks in on this job so I'm not sure what is still needed and what's been left over from years of use and abuse).

 

Hope this is enough information to figure out what the problem is and get it resolved.

 

Thanks in advance!!!!  I'm fairly new to Cisco firewalls, so please excuse my ignorance =)

 

: Saved

: 
: Serial Number: JAD201907UJ
: Hardware:   ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.6(1) 
!
hostname amserv1
domain-name astutemedical.com
enable password z1facioqg.fzSWVV encrypted
names
name 10.0.0.1 ForefrontUAG description ForefrontUAG
name 192.168.20.20 AMFS1
name 198.105.192.0 Disney_ESPN
name 192.168.1.21 ITUTIL1 description connection to KMS server for windows license
name 10.0.0.128 DMZRule
name 192.234.224.0 Office365
name 204.79.197.215 Office365-2
name 206.191.224.0 Office365-3
name 207.46.4.128 Office365-4
name 207.46.58.128 Office365-5
name 207.46.198.0 Office365-6
name 207.46.203.128 Office365-7
name 213.199.174.0 Office365-8
name 213.199.177.0 Office365-9
name 192.168.1.54 Amdc01
name 192.168.1.55 Amdc02
name 10.0.0.11 dmzapps
dns-guard
ip local pool AstuteRemoteUsers 192.168.253.1-192.168.253.254 mask 255.255.255.0
ip local pool Astute_test_Pool 192.168.252.11-192.168.252.249 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 184.188.52.101 255.255.255.240 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.254.252 255.255.255.0 
!
interface GigabitEthernet1/3
 nameif DMZ
 security-level 50
 ip address ForefrontUAG 255.255.255.0 
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
boot system disk0:/asa961-lfbff-k8.SPA
boot system disk0:/asa952-lfbff-k8.SPA
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 216.136.95.2 
 domain-name astutemedical.com
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.253.0
 subnet 192.168.253.0 255.255.255.0
object network obj-192.168.1.46
 host 192.168.1.46
object network obj-192.168.1.46-01
 host 192.168.1.46
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object network obj-192.168.0.0-01
 subnet 192.168.0.0 255.255.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network ForefrontUAG
 host 10.0.0.1
object network obj-10.0.0.2
 host 10.0.0.2
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.255.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
object network ITUTIL1
 host 192.168.1.21
 description Created during name migration
object network NETWORK_OBJ_192.168.252.0_24
 subnet 192.168.252.0 255.255.255.0
object network obj-192.168.252.0_24
 subnet 192.168.252.0 255.255.255.0
object network obj-192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-184.188.52.98
 host 184.188.52.98
object network obj-10.0.0.33
 host 10.0.0.33
object network obj-184.188.52.99
 host 184.188.52.99
object network obj-184.188.52.100
 host 184.188.52.100
object network obj-184.188.52.101
 host 184.188.52.101
object network obj-184.188.52.102
 host 184.188.52.102
object network obj-10.0.0.32
 host 10.0.0.32
object network 192.168.1.48
 host 192.168.1.48
object network DMZ_IN
 host 10.0.0.32
object network DMZ-Network
 subnet 10.0.0.0 255.255.255.0
object network ftp_ext_ip
 host 184.188.52.103
object network ftp_server
 host 184.188.52.103
object network FTPRule
 host 192.168.1.48
object network DMZ_Outside_FTP
 host 192.168.1.48
object network 184.188.52.103
 host 184.188.52.103
object network FTP_NAT_EXT
 host 10.0.0.32
object network obj-184.188.52.103
 host 184.188.52.103
object network FTP_Server_NAT
 host 10.0.0.32
object-group service rdp
 service-object tcp destination eq https 
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service SMB_TCP_445 tcp
 description SMB Protocol
 port-object eq 445
object-group service Apple_tcp tcp
 port-object eq 2195
 port-object eq 2196
object-group service AMFS1_Share tcp
 port-object eq 445
 port-object eq www
 port-object eq https
 port-object eq 135
 port-object eq 137
 port-object eq 138
 port-object eq netbios-ssn
 port-object eq telnet
 port-object eq ldap
object-group service amfs1udp udp
 port-object eq 135
 port-object eq 139
 port-object eq 445
 port-object eq netbios-dgm
 port-object eq netbios-ns
 port-object eq 389
object-group service KMS tcp
 description Microsoft Key Management Service
 port-object eq 1688
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 990
 port-object eq ftp
 port-object range 50000 58000
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object udp 
 service-object tcp 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq https
 port-object eq ssh
object-group network DM_INLINE_NETWORK_4
 network-object host 69.90.213.47
 network-object host 72.51.53.5
 network-object host 72.51.53.6
object-group network office-365
 network-object Office365 255.255.255.252
 network-object host Office365-2
 network-object Office365-3 255.255.255.224
 network-object Office365-6 255.255.255.128
 network-object Office365-7 255.255.255.192
 network-object Office365-4 255.255.255.128
 network-object Office365-5 255.255.255.128
 network-object Office365-8 255.255.255.128
 network-object Office365-9 255.255.255.192
object-group service DM_INLINE_TCP_2 tcp
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any interface outside eq smtp log debugging 
access-list outside_access_in extended permit tcp any interface outside eq https log debugging 
access-list VPN1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list outside_access_in_1 extended permit tcp any4 object obj-192.168.1.46 eq https 
access-list outside_access_in_1 extended permit tcp any4 object obj-192.168.1.46 eq smtp 
access-list outside_access_in_1 extended permit tcp any object 192.168.1.48 object-group DM_INLINE_TCP_3 
access-list DMZ_access_in extended permit tcp object ForefrontUAG object ITUTIL1 object-group KMS inactive 
access-list inside_access_in extended permit ip any any 
access-list outside_accces_in_1 extended permit ip any4 object obj-192.168.1.46 
access-list global_mpc extended permit ip any any 
pager lines 24
logging enable
logging timestamp
logging buffer-size 9999
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.1.24 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.252.0_24 obj-192.168.252.0_24 no-proxy-arp route-lookup
nat (inside,DMZ) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.0.0.0 obj-10.0.0.0 no-proxy-arp route-lookup
nat (outside,DMZ) source static any any no-proxy-arp inactive
!
object network obj-192.168.1.46
 nat (inside,outside) static 184.188.52.102
object network obj-192.168.0.0
 nat (inside,outside) dynamic interface
object network ForefrontUAG
 nat (DMZ,outside) static 184.188.52.99
object network obj-10.0.0.2
 nat (DMZ,outside) static 184.188.52.100
object network obj-192.168.252.0_24
 nat (outside,outside) dynamic interface
object network FTPRule
 nat (DMZ,outside) static ftp_server no-proxy-arp service tcp ftp ftp 
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 184.188.52.97 1
route inside 192.168.0.0 255.255.0.0 192.168.254.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server RADIUS-GROUP protocol radius
 reactivation-mode timed
 max-failed-attempts 2
aaa-server RADIUS-GROUP (inside) host Amdc01
 key *****
 radius-common-pw *****
aaa-server RADIUS-GROUP (inside) host Amdc02
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http 68.135.29.18 255.255.255.255 outside
http 192.168.8.0 255.255.255.0 inside
snmp-server host inside 192.168.1.24 poll community *****
no snmp-server location
no snmp-server contact
service sw-reset-button

  quit
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 68.135.29.18 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.8.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

dhcpd auto_config outside
!
ntp server 132.163.96.1 source outside prefer
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-4.2.04018-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.2.04018-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.20
 dns-server value 192.168.1.20
 split-dns value astute.local
group-policy GroupPolicy_AnyConnectUser internal
group-policy GroupPolicy_AnyConnectUser attributes
 wins-server value 192.168.1.20
 dns-server value 192.168.1.20
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value astutemedical.local
 address-pools value Astute_test_Pool
dynamic-access-policy-record DfltAccessPolicy
username csieler password v1IBIxp4W8Ev6UY5 encrypted privilege 15
username csieler attributes
 service-type admin
username cisco password Xv1wtWbDTVSOmA2n encrypted privilege 15
username cisco attributes
 service-type admin
username nexus password e6T8Qh2NsEa9pzSM encrypted privilege 15
username nexus attributes
 service-type admin
tunnel-group AnyConnectUser type remote-access
tunnel-group AnyConnectUser general-attributes
 address-pool Astute_test_Pool
 authentication-server-group RADIUS-GROUP
 default-group-policy GroupPolicy_AnyConnectUser
tunnel-group AnyConnectUser webvpn-attributes
 group-alias AnyConnectUser enable
!
class-map netflow-export-class
class-map global-class
class-map inspection_default
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 description Flow_Export_Policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class global-class
 class global-class1
  flow-export event-type all destination 192.168.1.24
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:3abbf949c79d093c7e064c5d95a25bef
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
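The logged message "Routing failed to locate next hop ... to DMZ:192.168.1.48/21" is what an ASA emits when the interface named as the real side of a NAT rule disagrees with the routing table for the real address: here the object NAT binds 192.168.1.48 to DMZ, while the only route to 192.168.0.0/16 points out the inside interface. The following script is an added example, not code from the post or from Cisco: it parses a constructed excerpt of the posted running-config (the DMZ "name" alias resolved to 10.0.0.1 by hand, the mapped object omitted) and flags object NATs whose real address does not route out the interface the NAT names.

```python
import ipaddress

# Constructed excerpt of the running-config posted above: nameif/ip address pairs, the
# FTP object NAT and the static routes ("name" aliases resolved by hand, mapped object omitted).
CONFIG = """\
nameif inside
ip address 192.168.254.252 255.255.255.0
nameif DMZ
ip address 10.0.0.1 255.255.255.0
object network FTPRule
 host 192.168.1.48
 nat (DMZ,outside) static ftp_server no-proxy-arp service tcp ftp ftp
route outside 0.0.0.0 0.0.0.0 184.188.52.97 1
route inside 192.168.0.0 255.255.0.0 192.168.254.254 1
"""

def parse(cfg):
    """Return nameif->connected net, object->net, (object, real_if, mapped) NATs and (if, net) routes."""
    ifaces, objects, nats, routes, cur_if, cur_obj = {}, {}, [], [], None, None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[cur_if] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["object", "network"]:
            cur_obj = t[2]
        elif t[0] == "host":
            objects[cur_obj] = ipaddress.ip_network(t[1])
        elif t[0] == "nat" and t[2] == "static":  # "(DMZ,outside)" -> real interface "DMZ"
            nats.append((cur_obj, t[1].strip("()").split(",")[0], t[3]))
        elif t[0] == "route":
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
    return ifaces, objects, nats, routes

def egress_interface(ip, ifaces, routes):
    # Longest-prefix match over connected networks and static routes, as the ASA does.
    hits = [(net.prefixlen, name) for name, net in list(ifaces.items()) + routes if ip in net]
    return max(hits)[1] if hits else None

def check_static_nats(cfg):
    """Object NATs whose real address does not route out the NAT's real interface; the ASA
    drops such packets and logs 'Routing failed to locate next hop'."""
    ifaces, objects, nats, routes = parse(cfg)
    bad = []
    for obj, real_if, _mapped in nats:
        real_ip = objects[obj].network_address
        via = egress_interface(real_ip, ifaces, routes)
        if via != real_if:
            bad.append((obj, str(real_ip), real_if, via))
    return bad
```

Running check_static_nats(CONFIG) reports FTPRule, because 192.168.1.48 routes via inside while the NAT is bound to DMZ; with the server's DMZ address as the real host the check comes back empty.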

 

4 Replies

Dennis Mink
VIP Alumni

What's the IP of the FTP server and where are you connecting from?

 

Have you run the packet tracer tool to simulate the traffic, and how is it treated?

 

Cheers

Let me know the IP of the FTP server, and add an ACL rule for the FTP server from outside allowing the FTP-related ports.

Regards,
Pravin Raj K
Network Engineer

The server has 2 NICs enabled.  One (the DMZ interface) is 10.0.0.32 and the other (inside) is 192.168.1.48.

 

I've just tried connecting on my laptop using my phone as a hotspot to get me outside of the network.

I've run a packet tracer from an external IP to the DMZ IP and everything checks out OK and the packet is allowed, but I'm still unable to access the FTP server from the outside.
