Unable to access inside FTP server from outside no matter what.

Hi everyone,

I've tried simply everything, but I still can't reach my FTP server from my dynamic-IP outside interface. Any help will be appreciated.

PS: I know there are some useless access-list entries, but they do no harm at the moment. I will clean my access lists once this is done.

I get the explanation "Asa does not have a udp server that services the udp request".

: Saved

:

ASA Version 8.4(2)

!

hostname sshqasa

domain-name sshqdomain

enable password blahblah encrypted

passwd blahblah encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface Vlan2

mac-address blahblah standby blahblah

nameif outside

security-level 0

pppoe client vpdn group sblahblah

ip address pppoe setroute

!

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns server-group DefaultDNS

domain-name sshqdomain

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_10.10.30.0_28

subnet 10.10.30.0 255.255.255.240

object network SMBA

host 10.10.10.5

object network PS3

host 10.10.10.15

object network FtpNat

host 10.10.10.200

object network ftp-server

host 10.10.10.200

object service FTP

service tcp source eq ftp destination eq ftp

object-group service JabberTCP tcp

port-object eq 5220

port-object range 5222 5223

port-object eq 5298

port-object eq aol

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

object-group service BlizzardDownloader tcp-udp

description Blizzard Downloader Ports

port-object range 1119 1120

port-object eq 3724

port-object eq 4000

port-object range 6112 6114

port-object range 6881 6999

object-group service Starcraft2 tcp-udp

description Starcraft 2 Ports

port-object eq 1119

port-object eq 1120

port-object eq 3724

port-object eq 6113

object-group service Torrent tcp-udp

description Torrent Ports

port-object range 6881 6999

object-group service Skype tcp-udp

description Skype Port for Listening

port-object eq 38887

object-group service PlaystaionSceaPSNUDP udp

port-object eq 10070

port-object range 3478 3479

port-object eq 3658

object-group service PlaystationSceaPSNTCP tcp

port-object range 10070 10080

port-object eq 465

port-object eq 5223

port-object eq 983

object-group service DM_INLINE_TCPUDP_1 tcp-udp

group-object BlizzardDownloader

group-object Starcraft2

object-group service PS3Fifa13 tcp

port-object range 10000 10099

port-object eq 3659

port-object eq 42127

object-group service PS3Fifa13UDP udp

port-object eq 3074

port-object eq 3659

port-object eq 6000

port-object eq 10000

port-object eq 11672

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service biport tcp

port-object range 10100 10311

object-group service ps3fifaport2 tcp

port-object eq 9988

port-object eq 3658

port-object range 8098 9000

object-group service DM_INLINE_TCP_1 tcp

group-object PS3Fifa13

group-object PlaystationSceaPSNTCP

group-object biport

group-object ps3fifaport2

object-group service DM_INLINE_UDP_1 udp

group-object PS3Fifa13UDP

group-object PlaystaionSceaPSNUDP

object-group service DM_INLINE_UDP_2 udp

group-object PS3Fifa13UDP

group-object PlaystaionSceaPSNUDP

object-group service JabberUDP udp

port-object range 16384 16403

port-object eq 5190

port-object range 5297 5298

port-object eq 5353

port-object eq 5678

port-object eq sip

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_TCP_3 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object icmp6

service-object icmp echo-reply

object-group service DM_INLINE_TCP_4 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_TCP_5 tcp

port-object eq ftp

port-object eq ftp-data

access-list inside_access_in extended permit object-group TCPUDP object SMBA any object-group DM_INLINE_TCPUDP_1

access-list inside_access_in extended permit udp object SMBA any object-group JabberUDP

access-list inside_access_in extended permit tcp object SMBA any object-group JabberTCP

access-list inside_access_in extended permit udp object PS3 any object-group DM_INLINE_UDP_1

access-list inside_access_in extended permit udp any object PS3 object-group DM_INLINE_UDP_2

access-list inside_access_in extended permit tcp object PS3 any object-group DM_INLINE_TCP_1

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 10.10.10.0 255.255.255.0 any

access-list inside_access_in extended permit tcp any object FtpNat object-group DM_INLINE_TCP_3

access-list inside_access_in extended permit tcp any any eq ssh

access-list inside_access_in extended permit icmp object PS3 any

access-list inside_access_in extended permit tcp object FtpNat any object-group DM_INLINE_TCP_2

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 10.10.10.0 255.255.255.0 any

access-list outside_access_in extended permit tcp any object FtpNat object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit tcp any object ftp-server eq ftp

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in extended permit tcp any interface outside eq ftp-data

access-list FTPIN extended permit tcp any host 10.10.10.200 object-group DM_INLINE_TCP_4 log

access-list FTPIN extended permit tcp host 10.10.10.200 any object-group DM_INLINE_TCP_5

access-list inside_access_in_1 extended permit tcp any any eq ssh

access-list outside_access_in_1 extended permit tcp any any eq ssh

pager lines 24

logging enable

logging timestamp

logging console alerts

logging trap emergencies

logging asdm warnings

logging ftp-server 10.10.10.200 /admin/ASA5505LOGS asa5505 *****

mtu inside 1500

mtu outside 1500

ip local pool VPNPOOL 10.10.30.1-10.10.30.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.30.0_28 NETWORK_OBJ_10.10.30.0_28 no-proxy-arp route-lookup

nat (outside,outside) source dynamic NETWORK_OBJ_10.10.30.0_28 interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network FtpNat

nat (inside,outside) static interface service tcp ftp ftp

access-group inside_access_in_1 in interface inside control-plane

access-group inside_access_in in interface inside

access-group outside_access_in_1 in interface outside control-plane

access-group FTPIN in interface outside

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.10.10.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

console timeout 0

vpdn group blahblah request dialout pppoe

vpdn group blahblah localname bla@fiber

vpdn group blahblah ppp authentication chap

vpdn username blahblah@fiber password *****

dhcpd lease 1000000

dhcpd auto_config outside

!

dhcpd address 10.10.10.5-10.10.10.30 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd wins 8.8.8.8 8.8.4.4 interface inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 212.7.1.131 source outside prefer

ntp server 81.27.195.164 source outside prefer

webvpn

group-policy VPNGROUP internal

group-policy VPNGROUP attributes

wins-server value 8.8.8.8 8.8.4.4

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol ikev1

username blahblah password blahblah encrypted

username blahblahba password blahblah encrypted privilege 15

username sblahblahone password 7blahblahzb encrypted privilege 15

tunnel-group VPNGROUP type remote-access

tunnel-group VPNGROUP general-attributes

address-pool VPNPOOL

default-group-policy VPNGROUP

tunnel-group VPNGROUP ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:bc6515067c9e054f0a71feb04d09c00e

: end

18 Replies

Hi,

There is a chance that other NAT configurations override your original FTP NAT configuration.

I would personally avoid using the "any" parameter in NAT configurations, especially the ones configured with Twice NAT in Section 1, as they will get processed first against connections coming to the ASA.

- Jouni

I have a NAT rule for VPN. What should I change the relevant part to instead of "any"?

Just to give an example of how I would have configured all the NAT configurations in your setup.

Original NAT configurations

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.30.0_28 NETWORK_OBJ_10.10.30.0_28 no-proxy-arp route-lookup

nat (outside,outside) source dynamic NETWORK_OBJ_10.10.30.0_28 interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network FtpNat

nat (inside,outside) static interface service tcp ftp ftp

New NAT configurations

Default PAT

object-group network DEFAULT-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.10.30.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

NAT0 For VPN

object network LAN

subnet 10.10.10.0 255.255.255.0

object network VPN-POOL

subnet 10.10.30.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

NAT for FTP

object network FTP

host 10.10.10.200

nat (inside,outside) static interface service tcp 21 21

- Jouni
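The NAT ordering both replies rely on (manual twice NAT in Section 1 ahead of object NAT in Section 2, with after-auto rules in Section 3), as an added Python check that is not part of the thread or of any Cisco tool: it parses the posted NAT lines plus Jouni's replacements, lists them in evaluation order and flags Section 1 rules whose real source or destination is `any`.

```python
# Constructed from the NAT lines the original poster pasted.
ORIGINAL = """\
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.30.0_28 NETWORK_OBJ_10.10.30.0_28 no-proxy-arp route-lookup
nat (outside,outside) source dynamic NETWORK_OBJ_10.10.30.0_28 interface
object network obj_any
 nat (inside,outside) dynamic interface
object network FtpNat
 nat (inside,outside) static interface service tcp ftp ftp
"""
# Constructed from the replacement rules Jouni proposed.
REVISED = """\
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
object network FTP
 nat (inside,outside) static interface service tcp 21 21
"""
def parse_nat(config):
    """(section, kind, owner, line) per nat statement: manual (twice) NAT is
    Section 1, object NAT Section 2, manual NAT marked after-auto Section 3."""
    rules, owner = [], None
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["object", "network"]:
            owner = words[2]            # object NAT lines that follow belong to it
        elif words and words[0] == "nat":
            if "source" in words:       # manual NAT names its source explicitly
                section = 3 if "after-auto" in words else 1
                rules.append((section, words[words.index("source") + 1], None, raw.strip()))
            else:                       # object NAT: nat (a,b) static|dynamic ...
                rules.append((2, words[2], owner, raw.strip()))
    return rules

def evaluation_order(config):
    """Section 1, then Section 2 (static before dynamic), then Section 3; configured
    order is kept within a section. Section 2 longest-prefix ties are not modelled."""
    return sorted(parse_nat(config), key=lambda r: (r[0], r[0] == 2 and r[1] != "static"))

def shadowing_risks(config):
    """Section 1 rules whose real source or destination is 'any'; the ASA
    consults these before every object NAT rule, the FTP static one included."""
    risks = []
    for section, _kind, _owner, line in parse_nat(config):
        if section != 1:
            continue
        words = line.split()
        real_src = words[words.index("source") + 2]
        real_dst = words[words.index("destination") + 2] if "destination" in words else None
        if "any" in (real_src, real_dst):
            risks.append(line)
    return risks
```

Running `shadowing_risks(ORIGINAL)` returns the any/any twice NAT rule, while the revised set returns nothing because its default PAT has moved to Section 3 and the VPN rule is scoped to LAN.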

Thanks Jouni
