Solved

FTP settings on a CISCO ASA 5510 -issues with Passive mode

Posted on 2006-07-10
Last Modified: 2012-06-27
Background: Cisco 5510 configured to allow all FTP (ports 20 and 21) to forward to a server in a DMZ. When tested, port forwarding works fine. Can log into the server but "browsing" fails (command line works completely fine). FTP server (make is Ability) is set to allow PASV on ports 1024 to 5000. The Cisco 5510 has a setting for FTP to be in Passive Mode. But when the remote browser has the internet option set to allow Passive mode, you cannot browse the files. Remove the passive mode and it works. I am assuming the 5510 is causing the problem even though the setting for FTP is set to passive. I am assuming there are some other rules I need to set to further enable it beyond the ports 20 and 21 forwarding. All suggestions appreciated. (Servers and remote machines are all Windows based, using IE.)
Question by:drewster999
4 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17085546
Do you have fixup defined for FTP on your ASA?

>fixup protocol ftp 21

See if you can find this in your config.
 
LVL 18

Accepted Solution

by:
decoleur earned 125 total points
ID: 17116095
The ASA doesn't use fixup; that is a legacy 6.x command. Instead it uses inspect. Check to see if your ASA running config has a firewall policy map with inspect ftp applied to it. In your running config it could look like:


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global

This is from http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml

Hope this helps.

-t
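The check the accepted answer describes, written as an added example that is not part of the original thread: a small audit that reads a saved running-config and reports whether `inspect ftp` sits in a policy-map that is actually applied with `service-policy`. The function name is hypothetical, and the parser assumes only the indented `policy-map` / `class` / `inspect` layout shown in the answer.

```python
# Sample trimmed from the running-config excerpt quoted in the answer above.
SAMPLE_OK = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect tftp
!
service-policy asa_global_fw_policy global
"""

# Constructed counter-example: same policy, applied globally, but without "inspect ftp".
SAMPLE_MISSING = SAMPLE_OK.replace("  inspect ftp\n", "")


def ftp_inspection_status(running_config: str) -> dict:
    """Report which policy-maps inspect FTP and which of those are applied."""
    inspecting = {}  # policy-map name -> class that carries "inspect ftp"
    applied = {}     # policy-map name -> "global" or "interface <name>"
    policy = cls = None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        top_level = not line.startswith(" ")
        if top_level:                      # any top-level command closes the open block
            policy = cls = None
        words = line.split()
        if not words or words[0] == "!":
            continue
        if top_level and words[0] == "policy-map" and len(words) >= 2:
            policy = words[-1]
        elif policy and words[0] == "class" and len(words) >= 2:
            cls = words[1]
        elif policy and cls and words[:2] == ["inspect", "ftp"]:
            inspecting[policy] = cls       # also matches "inspect ftp strict"
        elif top_level and words[0] == "service-policy" and len(words) >= 3:
            applied[words[1]] = " ".join(words[2:])
    # FTP inspection only takes effect when the policy-map is bound by service-policy.
    active = {p: applied[p] for p in inspecting if p in applied}
    return {"inspecting": inspecting, "applied": applied, "active": active}


if __name__ == "__main__":
    for name, cfg in (("with inspect ftp", SAMPLE_OK), ("without", SAMPLE_MISSING)):
        print(name, "->", ftp_inspection_status(cfg)["active"] or "FTP inspection not active")
```

An empty `active` result means either that no class carries `inspect ftp` or that the policy-map holding it is never bound by a `service-policy` line.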
 
LVL 18

Expert Comment

by:decoleur
ID: 17313957
interested
