Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
405
Views
0
Helpful
3
Replies

DMZ in ASA configuration.

itdsmartnet
Level 1
Level 1

‎09-15-2008 10:06 PM - edited ‎03-03-2019 11:33 PM

hi, i have placed my FTP server in DMZ , with its public ip address xx.xx.xx.9, i want my inside clients and outside clients access with the same ip address.My configuration is as follow.

static (DMZ,outside) xx.xx.xx.9 10.5.0.5 netmask 255.255.255.255

static (inside,DMZ) 30.30.30.0 30.30.30.0 netmask 255.255.255.252

static (DMZ,inside) xx.xx.xx.9 10.5.0.5 netmask 255.255.255.255

access-list outside_int extended permit tcp any host xx.xx.xx.9 eq ftp

access-group outside_int in interface outside

Now the problem is that when i upload file from inside or from outside, after uploading 5-10% it gives me error "[9/16/2008 12:05:57 PM] Child transfer failed." i can download from that FTP server.

When i placed that FTP in my local LAN it works fine, it can upload as well as download on local LAN for LAN users.

Please help me in this matter.

Thanks

Labels:
0 Helpful
3 Replies 3

steve_steele
Level 1
Level 1

‎09-16-2008 03:21 AM

If it gets 5 - 10% through the transfer I doubt that NAT or your access-list are any part of the problem.

http://kb.globalscape.com/article.aspx?id=10295 suggests that the error could be to do with the application.

You could try turning on ftp inspection.

HTH

Steve

0 Helpful

itdsmartnet
Level 1
Level 1
In response to steve_steele

‎09-16-2008 10:59 PM

how can i tune ftp inspection.

0 Helpful

satish_zanjurne
Level 4
Level 4
In response to itdsmartnet

‎09-16-2008 11:09 PM

Hi,

To tune FTP inspection to a level , use strict option.

Using the strict option with the inspect ftp command increases the security of protected networks by

preventing web browsers from sending embedded commands in FTP requests.

After you enable the strict option on an interface, FTP inspection enforces the following behavior:

• An FTP command must be acknowledged before the security appliance allows a new command.

• The security appliance drops connections that send embedded commands.

• The 227 and PORT commands are checked to ensure they do not appear in an error string.

If the strict option is enabled, each FTP command and response sequence is tracked for the following

anomalous activity:

• Truncated command-Number of commas in the PORT and PASV reply command is checked to see

if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP

connection is closed.

• Incorrect command-Checks the FTP command to see if it ends with characters, as

required by the RFC. If it does not, the connection is closed.

• Size of RETR and STOR commands-These are checked against a fixed constant. If the size is

greater, then an error message is logged and the connection is closed.

• Command spoofing-The PORT command should always be sent from the client. The TCP

connection is denied if a PORT command is sent from the server.

• Reply spoofing-PASV reply command (227) should always be sent from the server. The TCP

connection is denied if a PASV reply command is sent from the client. This prevents the security

hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”

• TCP stream editing-The security appliance closes the connection if it detects TCP stream editing.

• Invalid port negotiation-The negotiated dynamic port value is checked to see if it is less than 1024.

As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the

negotiated port falls in this range, then the TCP connection is freed.

• Command pipelining-The number of characters present after the port numbers in the PORT and

PASV reply command is cross checked with a constant value of 8. If it is more than 8, then the TCP

connection is closed.

• The security appliance replaces the FTP server response to the SYST command with a series of Xs.

to prevent the server from revealing its system type to FTP clients. To override this default behavior,

use the no mask-syst-reply command in the FTP map.

For additional inspection control..you can use FTP inspection policy map.

HTH...rate if helpfull..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card