Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4184
Views
0
Helpful
3
Comments

FTP Port Forwarding in Cisco ASA 8.2(5)

cabelen2004
Level 1
Level 1

‎01-11-2013 11:14 AM - edited ‎03-08-2019 06:47 PM

Hi,

I have the following configuration on a Cisco ASA 8.2(5), all the traffic to the port 5000 and www 80 it's forward throught static NAT but i can't access to a FTP SERVER Windows and FTP Server Linux.  ATtach is the configuration I would like to know what is causing the problems.

The FTP Server Are running locally without any problems, when I try to reach it for the Outside interface then i  can't, this is in the only port i can't forward.

I really appreciate your help.

Thanks

ASA Version 8.2(5)

!

hostname ciscoasa

enable password dAWCvYvyr2FRISo5 encrypted

passwd dAWCvYvyr2FRISo5 encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.4.4

name-server 8.8.8.8

name-server 196.3.81.132

same-security-traffic permit intra-interface

object-group service TEST2 tcp

port-object eq www

port-object eq https

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255

.255.0

access-list 101 extended permit icmp any interface outside echo-reply

access-list 101 extended permit udp any any eq 5000

access-list 101 extended permit udp any any eq ntp

access-list 101 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp

access-list 102 extended permit icmp any interface outside echo-reply

access-list 102 extended permit icmp any interface outside

access-list 102 extended permit ip any host 192.168.1.5

access-list 102 extended permit tcp any host 192.168.1.5 eq 5000

access-list 102 extended permit tcp any interface outside eq 5000

access-list 102 extended permit tcp any host 192.168.1.5 eq https

access-list 102 extended permit tcp any any eq 5000

access-list 102 extended permit ip any host 192.168.1.8

access-list 102 extended permit tcp any any eq telnet

access-list 102 extended permit tcp any interface outside object-group TEST2

access-list 102 extended permit ip any 192.168.1.0 255.255.255.0

access-list 102 extended permit tcp any interface outside eq www

access-list 102 extended permit tcp any interface outside eq ftp

access-list 102 extended permit tcp any interface outside eq ftp-data

access-list 103 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 5000 192.168.1.5 5000 netmask 255.255.255.

255

static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.2

55

static (inside,outside) tcp interface ftp 192.168.1.15 ftp netmask 255.255.255.2

55

static (inside,outside) tcp interface ftp-data 192.168.1.15 ftp-data netmask 255

.255.255.255

access-group 102 in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.1.0 225.255.255.0 inside

telnet timeout 30

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 30

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.10-192.168.1.41 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username cabelen password tJPt4MkXkeex6ITZ encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect dns preset_dns_map

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6280485f175c07a73317b7c4a607c370

: end

ciscoasa#

Labels:
0 Helpful
Comments
Michal Garcarz
Cisco Employee
Cisco Employee
‎01-12-2013 07:10 AM

Hello

You have created document instead of discussion. That's why do not expect to see response.

Active FTP will not work, because client from internet send PORT command with it's private IP address telling the server where to connect to.

You would need ftp inspection on client site for tcp/5000 which is not common.

Passive FTP should work fine - but please put ftp inspection for class-map with port tcp/5000.

cabelen2004
Level 1
Level 1
‎01-12-2013 06:34 PM

Hi Michael,

the port 5000 is attach to an IP camera and the port 80 is working for a web server, the only things don't want to foward is the FTP Server.

Michal Garcarz
Cisco Employee
Cisco Employee
‎01-12-2013 10:17 PM

Hi

OK, for default port:

- passive mode should work fine: did you use passive mode ?

- active mode: for that we still could have problem if firewall on client site does not perform ftp inspection on default port (rewriting PORT command from private to public IP)

If you still have problems with passive mode please run wireshark on client and capture tcp/ftp and attach here.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents