2811 Passive FTP to a server

netguyz08
Level 1

Been running into issues getting access externally to a Windows Server 2012 FTP server. Have set it up many times in an ASA lately, and found articles saying on a 2811 to allow TCP port 20 and/or turn on inspection.

Below are the main parts from the config on this 2811 which has IOS 12.4. FTP server is still not responding to an Active or Passive FTP connection...

ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 172.16.1.1 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect CCP_LOW out
 ip virtual-reassembly
 duplex full
 speed 100
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.254
!
!
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.25 25 172.16.1.2 25 extendable
ip nat inside source static tcp 192.168.1.12 80 172.16.1.2 80 extendable
ip nat inside source static udp 192.168.1.12 123 172.16.1.2 123 extendable
ip nat inside source static tcp 192.168.1.25 443 172.16.1.2 443 extendable
ip nat inside source static tcp 192.168.1.20 20 172.16.1.4 20 extendable
ip nat inside source static tcp 192.168.1.20 21 172.16.1.4 21 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit udp host 4.2.2.3 eq domain host 172.16.1.1
access-list 102 permit tcp any host 172.16.1.4 eq ftp
access-list 102 permit tcp any host 172.16.1.2 eq 443
access-list 102 permit tcp any host 172.16.1.2 eq www
access-list 102 permit tcp any host 172.16.1.2 eq smtp
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 permit icmp any any
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 103 deny   tcp any host 192.168.1.1 eq telnet
access-list 103 deny   tcp any host 192.168.1.1 eq 22
access-list 103 deny   tcp any host 192.168.1.1 eq www
access-list 103 deny   tcp any host 192.168.1.1 eq 443
access-list 103 deny   tcp any host 192.168.1.1 eq cmd
access-list 103 deny   udp any host 192.168.1.1 eq snmp
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any

6 Replies

Your FTP-server is 192.168.1.20 on the inside?
Then you need the inspection configured in the incoming direction:

interface FastEthernet0/1
  ip inspect CCP_LOW out

And the following line is not needed:

ip nat inside source static tcp 192.168.1.20 20 172.16.1.4 20 extendable
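Added example, not from the thread or from Cisco: a small Python checker for the PASV reply the inside server sends, showing why a static NAT entry for port 21 alone is not enough and what the router's `ip inspect ... ftp` has to rewrite on the control channel. Addresses are the thread's (192.168.1.20 inside, 172.16.1.4 outside); the sample control-channel lines are constructed.

```python
"""Audit FTP PASV replies crossing a NAT boundary (added example, not from the thread).

A passive-mode server answers PASV with '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
Without an FTP ALG (IOS CBAC 'ip inspect ... ftp') the outside client receives the
server's INSIDE address and an ephemeral port that no static NAT or ACL line permits.
"""
import ipaddress
import re

# Matches the six comma-separated numbers of a 227 reply (RFC 959 format).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample of server->client control-channel lines (not a real capture).
SAMPLE_TRANSCRIPT = [
    "220 Microsoft FTP Service",
    "331 Password required",
    "230 User logged in.",
    "227 Entering Passive Mode (192,168,1,20,195,80).",
]


def parse_pasv(reply: str):
    """Return (ip, port) advertised in a '227 Entering Passive Mode' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def leaks_inside_address(reply: str, inside_net: str = "192.168.1.0/24") -> bool:
    """True if the PASV reply still carries an address from the inside LAN,
    i.e. nothing on the path rewrote it and the client's data connection will fail."""
    ip, _port = parse_pasv(reply)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(inside_net)


def rewrite_pasv(reply: str, public_ip: str) -> str:
    """What the FTP ALG does to the control channel: substitute the NAT public
    address and keep the port (the ALG also opens that port dynamically)."""
    _ip, port = parse_pasv(reply)
    new = "(%s,%d,%d)" % (public_ip.replace(".", ","), port // 256, port % 256)
    return PASV_RE.sub(lambda m: m.group(0)[: m.group(0).rindex("(")] + new, reply)


def audit_transcript(lines, inside_net: str = "192.168.1.0/24"):
    """Report (ip, port, leaks) for every PASV reply seen in a control session."""
    findings = []
    for line in lines:
        if PASV_RE.search(line):
            ip, port = parse_pasv(line)
            findings.append((ip, port, leaks_inside_address(line, inside_net)))
    return findings
```

Running `audit_transcript` over a capture taken on the outside interface tells you directly whether inspection is rewriting the reply: a leaked 192.168.1.x address means the FTP ALG is not seeing the control channel.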

Thanks! I switched the inspection from the interface (was wondering when the Cisco Config Pro was putting it there) and removed the static line.

Unfortunately FTP is still not reachable, even when trying to telnet to port 21 directly from the outside.

How far do you get? If you can login but can't do a directory-listing, then the inspection isn't working yet. If you can't even get to the login-prompt, then I would first double-check if the server is functioning ok (local firewall, service started etc.).

The service is working internally, and externally I never get a login prompt or anything else. Tested it from the router, though, and got this:

Cisco 2811# telnet 192.168.1.20 21

Trying 192.168.1.20, 21 ... Open
220 Microsoft FTP Service

[Connection to 192.168.1.20 closed by foreign host]

So I am assuming something is amiss in the inspection or routing still...

Given the extra information I would also check the basic IP-settings of the FTP-server. Is the default-gateway set correctly?

Is the FTP server in passive mode?
