FTP not working from Internal Network

imanco671
Level 1

Hello Community,

I just joined a new company and do not understand why internal users cannot access an outside FTP site.

I can establish a connection but it will not list the directories.

I have tested other FTP sites to connect to and all works fine. I have also tested this FTP site from home and it is working properly.

I am running an ASA and below are my commands from my running config:

Cisco Adaptive Security Appliance Software Version 8.2(1)

access-list outbound extended permit gre any any
access-list outbound extended permit tcp any any eq pptp
access-list outbound extended permit ip any any

I have no experience with policy maps, but here is the map section of my Show Run:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!

I don't know what to look for other than that my ANY to ANY is allowing all IP.

Thanks in advance!

7 Replies

Richard Burts
Hall of Fame

John

Does the access list outbound really contain only three statements, and all of them are permits?

Am I understanding your post correctly that users can run FTP with other sites but just not with this one? In that case I would suspect some issue with that site and not so much an issue on your ASA.

HTH

Rick


Hi Rick,

Thanks for the quick response.

Yes the access list outbound is small and there are only permits.

Well, it is strange: I am able to access other FTP sites via DOS or FileZilla.

This particular FTP does not allow access to directories, but it does connect; it just cannot show the directories. So there is something going on with FTP data that I do not understand.

I am able to access this particular FTP from another network and from home, so I narrowed it down to my ASA network.

John

John

This is quite strange. If you can access that FTP site from another network and from home and have full functionality then it certainly sounds like there is something interacting with your particular site and its ASA. But I do not see anything in the parts of the config that you posted that would explain this.

When you connect to this site from your network where there is a problem, if it will not do the dir command, then I wonder what it does with other control commands such as pwd or cd? Can you print your working directory or change directory to some other directory?

HTH

Rick


Hi Rick,

Yes, it is quite strange, and thank you for not bailing on me.

I can change the directory, but then when I try to do an LS command, it just hangs. It also says to consider using PASV, which I have tried, but with no success.

Here are my DOS FTP commands:

C:\Users\imanco>ftp 50.19.100.147
Connected to 50.19.100.147.
220 (vsFTPd 2.0.5)
User (50.19.100.147:(none)): b2bdev
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> cd
Remote directory /
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.

John

John

This is quite odd.

What happens if you try a dir command instead of ls?

I wonder if it might be a problem with MTU?

HTH

Rick


Hi Rick,

It hangs and still says "150 Here comes the directory listing."

I am trying to connect to the Amazon cloud; I know they only allow passive connections.

Could it be not having an ACL in the proper place?

I have also found these other ACLs:

access-list ct-internal_nat0_outbound extended permit ip 192.168.201.0 255.255.255.0 CA 255.255.255.0
access-list ct-internal_nat0_outbound extended permit ip 192.168.201.0 255.255.255.0 jpp-internal-172.xx.0.0 255.240.0.0
access-list ct-internal_nat0_outbound extended permit ip 192.168.201.0 255.255.255.0 irne-ca 255.255.0.0
access-list ct-external_cryptomap_1 extended permit ip 192.168.201.0 255.255.255.0 jpp-internal-172.xx.0.0 255.240.0.0
access-list ct-external_cryptomap_2 extended permit ip 192.168.201.0 255.255.255.0 ire-ca 255.255.0.0
access-list outbound extended permit gre any any
access-list outbound extended permit tcp any any eq pptp
access-list outbound extended permit ip any any
access-list ct-external_cryptomap_3 extended permit ip He-NAT-Pool 255.255.255.248 object-group DM_INLINE_NETWORK_1 log errors
access-list ct-internal_nat_outbound_1 extended permit ip 192.168.201.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 log errors
access-list ct-internal_nat_static_1 extended permit ip host ca-internal-server object-group DM_INLINE_NETWORK_4
access-list ct-external_nat_outbound extended permit ip object-group DM_INLINE_NETWORK_6 host He-Local-CADB1
access-list ct-internal_nat_static extended permit ip host dev-192.168.201.212 host smaxxxx.xxxxls.com
access-list ct-internal_nat_static extended permit ip host qa-192.168.201.213 host smaxx.xxxxls.com

John

John

I do not see anything here that explains why this is an issue. So we need to keep looking for something.

In looking around I see some things that say that some versions of the Windows FTP client have problems with or do not support the passive mode (pasv command). Is the version of Windows that you use at home (that does work with this server) perhaps different from the version of Windows used on PCs in the office?

If there are perhaps issues with the Windows FTP client, perhaps we should focus on filezilla access to the FTP server.

HTH

Rick

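As an added diagnostic (not from the thread, Cisco, or the FTP server's authors), this Python script classifies an FTP control-channel transcript like the one John pasted: it tells active mode (PORT) from passive mode (227 reply), decodes the address a 227 advertises, and flags a 150 that is never followed by a 226, which is the data-channel stall seen in this thread rather than a control-channel failure. The two embedded transcripts are constructed to mirror the session above; the passive-mode port is made up.

```python
import re

# Constructed transcript modelled on the session posted in the thread: login
# and cd succeed on the control channel, but the listing never completes.
ACTIVE_TRANSCRIPT = """\
220 (vsFTPd 2.0.5)
230 Login successful.
250 Directory successfully changed.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
"""

# Constructed healthy passive-mode session for comparison (port is made up).
PASSIVE_TRANSCRIPT = """\
220 (vsFTPd 2.0.5)
230 Login successful.
227 Entering Passive Mode (50,19,100,147,156,64).
150 Here comes the directory listing.
226 Directory send OK.
"""

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
def parse_pasv(line):
    """Return the (ip, port) the server advertises in a 227 reply, else None."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def diagnose(transcript):
    """Report the negotiated data-connection mode and whether the transfer
    announced by a 150 ever finished (226); 150 without 226 = data leg blocked."""
    mode, endpoint, opened, completed = None, None, False, False
    for line in transcript.splitlines():
        code = line[:3]
        if code == "200" and "PORT" in line:
            mode = "active"      # server must connect back to the client
        elif code == "227":
            mode = "passive"     # client connects out to the advertised port
            endpoint = parse_pasv(line)
        elif code == "150":
            opened = True
        elif code == "226" and opened:
            completed = True
    if not opened:
        verdict = "no transfer attempted"
    else:
        verdict = "listing ok" if completed else "data channel stalled"
    return {"mode": mode, "data_endpoint": endpoint, "verdict": verdict}
```

In active mode the ASA's `inspect ftp` has to see the PORT command and open the return pinhole for the server's inbound data connection; in passive mode the client opens an outbound connection to the port from the 227 reply, which the `permit ip any any` already covers, so comparing the two verdicts against the real server tells you which leg is being dropped.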