Solved

Cisco ASA not allowing passive ftp?

Posted on 2007-07-25
13,170 Views
Last Modified: 2013-11-16
Trying to configure a Cisco ASA 5510 to allow passive FTP, and the connections are failing. Below is the configuration. How do you allow passive FTP on the ASA?

User Access Verification

Password:
Type help or '?' for a list of available commands.
SPIRIT-ISLANDA-ASA2> en
Password: *****
SPIRIT-ISLANDA-ASA2# sh run
: Saved
:
ASA Version 7.2(1)
!
hostname SPIRIT-ISLANDA-ASA2
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description OUT
 nameif OUT
 security-level 0
 ip address 201.218.218.2 255.255.255.248
!
interface Ethernet0/1
 description IN
 nameif IN
 security-level 100
 ip address 10.10.10.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!            
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.5 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group icmp-type PING
 description Pruebas de Ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list outside_access_in extended permit icmp any host 201.218.218.17 object-group PING
access-list outside_access_in extended permit tcp any host 201.218.218.17 eq telnet
access-list outside_access_in extended permit icmp any host 201.218.218.2 object-group PING
access-list outside_access_in extended permit icmp any host 201.218.218.18 object-group PING
access-list outside_access_in extended permit tcp any host 201.218.218.18 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.18 eq ssh
access-list outside_access_in extended permit tcp any host 201.218.218.22 eq ssh
access-list outside_access_in extended permit icmp any host 201.218.218.22 object-group PING
access-list outside_access_in extended permit tcp any host 201.218.218.22 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.22 eq www
access-list outside_access_in extended permit tcp any host 201.218.218.22 eq https
access-list outside_access_in extended permit tcp any host 201.218.218.18 eq www
access-list outside_access_in extended permit tcp any host 201.218.218.18 eq https
access-list outside_access_in extended permit tcp any host 201.218.218.17 eq 161
access-list outside_access_in extended permit udp any host 201.218.218.17 eq snmp
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq 3389
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq 3389
access-list outside_access_in extended permit tcp any host 201.218.218.28 eq 3389
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq https
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq https
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq 8443
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq 8443
access-list outside_access_in extended permit icmp any host 201.218.218.26 object-group PING
access-list outside_access_in extended permit icmp any host 201.218.218.27 object-group PING
access-list outside_access_in extended permit icmp any host 201.218.218.28 object-group PING
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq www
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq www
access-list outside_access_in extended permit udp any host 201.218.218.26 eq domain
access-list outside_access_in extended permit udp any host 201.218.218.27 eq domain
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq domain
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq domain
access-list outside_access_in extended permit icmp any host 201.218.218.41 object-group PING
access-list outside_access_in extended permit icmp any host 201.218.218.43 object-group PING
access-list outside_access_in extended permit icmp any host 201.218.218.44 object-group PING
access-list outside_access_in extended permit icmp any host 201.218.218.45 object-group PING
access-list outside_access_in extended permit icmp any host 201.218.218.42 object-group PING
access-list outside_access_in extended permit tcp any host 201.218.218.43 eq ssh
access-list outside_access_in extended permit tcp any host 201.218.218.44 eq ssh
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq ssh
access-list outside_access_in extended permit icmp any host 201.218.218.46 object-group PING
access-list outside_access_in extended permit tcp any host 201.218.218.46 eq ssh
access-list outside_access_in extended permit tcp any host 201.218.218.43 eq www
access-list outside_access_in extended permit tcp any host 201.218.218.43 eq https
access-list outside_access_in extended permit tcp any host 201.218.218.44 eq www
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq www
access-list outside_access_in extended permit tcp any host 201.218.218.46 eq www
access-list outside_access_in extended permit tcp any host 201.218.218.46 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.29 eq smtp
access-list outside_access_in extended permit tcp any host 201.218.218.29 eq domain
access-list outside_access_in extended permit tcp any host 201.218.218.29 eq www
access-list outside_access_in extended permit tcp any host 201.218.218.29 eq nntp
access-list outside_access_in extended permit tcp any host 201.218.218.29 eq 2021
access-list outside_access_in extended permit tcp any host 201.218.218.29 eq 1024
access-list outside_access_in extended permit tcp any host 201.218.218.29 eq 65535
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq domain
access-list outside_access_in extended permit udp any host 201.218.218.45 eq domain
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq ssh
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq ssh
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq pop3
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq imap4
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq 993
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq 995
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq smtp
access-list outside_access_in extended permit tcp any host 201.218.218.45 eq 587
access-list outside_access_in extended permit tcp any host 201.218.218.28 eq 81
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq 88
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq ftp-data
access-list outside_access_in extended permit udp any host 201.218.218.26 eq 20
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq 3306
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu OUT 1500
mtu IN 1500
mtu management 1500
no asdm history enable
arp timeout 14400
global (OUT) 1 201.218.218.16 netmask 255.255.255.240
nat (IN) 1 10.10.10.1 255.255.255.255
static (IN,OUT) 201.218.218.0 201.218.218.0 netmask 255.255.255.248
access-group outside_access_in in interface OUT
access-group inside_access_in in interface IN
route OUT 0.0.0.0 0.0.0.0 201.218.218.1 1
route IN 201.218.218.16 255.255.255.240 10.10.10.2 1
route IN 201.218.218.32 255.255.255.240 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:1fe47c45815053a38965c2bc6e8eb9e0
: end        
SPIRIT-ISLANDA-ASA2#  
Question by: ostsupport

9 Comments
 
LVL 2

Expert Comment

by:xephael
ID: 19568202
Could you please post a log of the FTP session you're attempting to make through the ASA?  Details about if it's inbound or outbound would also be appreciated.
 
LVL 2

Expert Comment

by:xephael
ID: 19568226
Also... it looks like you're only allowing ftp-data inbound for a single device.  This would need to be done for all of your FTP servers.
 

Author Comment

by:ostsupport
ID: 19568404
This is a shared port firewall and I only want to allow FTP on this one server. Does that answer your 2nd post? On the logs, I will post in 1 min.
 

Author Comment

by:ostsupport
ID: 19568833
This is inbound traffic, trying to allow FTP connections to the server; all I know is passive FTP connections to the server are failing.
 

Author Comment

by:ostsupport
ID: 19569081
Here is the log

**** Normal connection START ****

Connecting to: 201.218.218.26
220 FTP Server ready.
USER xxxxxx
331 Password required for dev.
PASS xxxxxx
230 User dev logged in.
TYPE I
200 Type set to I
STRU F
200 Structure set to F.
MODE S
200 Mode set to S.
REST 0
350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
REST 1
350 Restarting at 1. Send STORE or RETRIEVE to initiate transfer
REST 0
350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
CWD
501 Invalid number of arguments.
TYPE A
200 Type set to A
PORT 192,168,1,117,12,122
200 PORT command successful
LIST -la
150 Opening ASCII mode data connection for file list
226 Transfer complete.

**** Normal connection END ****

**** Passive connection START ****

Connecting to: 201.218.218.26
220 FTP Server ready.
USER xxxxxx
331 Password required for dev.
PASS xxxxxx
230 User dev logged in.
TYPE I
200 Type set to I
STRU F
200 Structure set to F.
MODE S
200 Mode set to S.
REST 0
350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
REST 1
350 Restarting at 1. Send STORE or RETRIEVE to initiate transfer
REST 0
350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
CWD
501 Invalid number of arguments.
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (201,218,218,26,128,186).

**** Passive connection END ****
 
LVL 2

Accepted Solution

by:
xephael earned 2000 total points
ID: 19569124
Your config is allowing ftp into five hosts: 18,22,26,27,46
Your config is only allowing ftp-data for one host: 26

access-list outside_access_in extended permit tcp any host 201.218.218.46 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.27 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.26 eq ftp-data
access-list outside_access_in extended permit tcp any host 201.218.218.22 eq ftp
access-list outside_access_in extended permit tcp any host 201.218.218.18 eq ftp

All in all I'm completely confused by the purpose of your firewall, since there doesn't appear to be any NAT translation between the public IPs and what would generally be your internal private IPs.

For example, maybe 10.10.10.130 is mapped to the public IP of 201.218.218.26, and the firewall ACLs allow various traffic to pass from your public IPs to your private IPs.



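Added illustration, not part of the original thread: decoding the 227 reply from the passive-mode log above gives data port 128*256+186 = 32954, and walking the posted ACL first-match shows that a client connection to 201.218.218.26:32954 reaches only the final deny. The ASA's FTP inspection engine (`inspect ftp`, the successor of PIX `fixup protocol ftp`) is what opens that port dynamically; the posted `show run` contains no `policy-map`/`inspect` lines. The ACE parser below only handles the `permit|deny <proto> any [host <ip>] [eq <port>]` subset the config uses, and the port-name table is an assumption covering just `ftp` and `ftp-data`.

```python
import re

# Constructed sample input: the 227 reply from the poster's log and the ACL
# entries from the posted config for host 201.218.218.26 plus the final deny.
PASV_REPLY = "227 Entering Passive Mode (201,218,218,26,128,186)."
ACL_LINES = [
    "access-list outside_access_in extended permit tcp any host 201.218.218.26 eq ftp",
    "access-list outside_access_in extended permit tcp any host 201.218.218.26 eq ftp-data",
    "access-list outside_access_in extended permit udp any host 201.218.218.26 eq 20",
    "access-list outside_access_in extended deny ip any any",
]
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}  # assumed subset of ASA port names
ACE_RE = re.compile(r"access-list \S+ extended (permit|deny) (\S+) any (?:any|host (\S+))(?: eq (\S+))?")

def decode_hostport(line):
    """Decode h1,h2,h3,h4,p1,p2 from a PORT command or 227 reply: port = p1*256 + p2."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line)
    if not m:
        raise ValueError("no host/port tuple in: " + line)
    n = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def parse_ace(line):
    """Parse the subset of ASA ACE syntax used in the posted config."""
    action, proto, host, port = ACE_RE.match(line).groups()
    port = (NAMED_PORTS[port] if port in NAMED_PORTS else int(port)) if port else None
    return action, proto, host, port

def acl_verdict(acl, proto, dst_ip, dst_port):
    """First-match evaluation, as the ASA walks an access-group top to bottom."""
    for line in acl:
        action, aproto, host, port = parse_ace(line)
        if aproto not in (proto, "ip"):
            continue
        if host is not None and host != dst_ip:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

def passive_data_allowed(acl, reply):
    """Verdict for the data connection a 227 reply tells the client to open,
    without the FTP inspection engine's dynamic pinhole."""
    ip, port = decode_hostport(reply)
    return ip, port, acl_verdict(acl, "tcp", ip, port)

if __name__ == "__main__":
    ip, port, verdict = passive_data_allowed(ACL_LINES, PASV_REPLY)
    print(f"control {ip}:21 -> {acl_verdict(ACL_LINES, 'tcp', ip, 21)}; data {ip}:{port} -> {verdict}")
```

The same decoder applied to the active-mode `PORT 192,168,1,117,12,122` line in the log yields 192.168.1.117:3194, the port the server's outbound data connection targets in that session.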
 
LVL 2

Expert Comment

by:xephael
ID: 19569163
Oh thanks for the FTP logs....

Try: no fixup protocol ftp

Let me know what happens
 

Expert Comment

by:jsabrown
ID: 22186200
Aren't fixup commands defunct w/ ASA?  
 
LVL 2

Expert Comment

by:xephael
ID: 22189983
" Aren't fixup commands defunct w/ ASA?" -- jsabrown

Not at all... Although by default they're disabled.  