Solved

ASA 5520 FTP connection issue

Posted on 2008-06-26
15
446 Views
Last Modified: 2013-11-16
We are trying to connect to a customer's FTP site through our local LAN, which is behind the ASA firewall. It gives a connection error.

But when I connect through a DSL line I can connect to the customer's FTP site and download without any issues.

Can you look into what the issue is on the ASA firewall?

Here I also give you the packet capture information:

Site with the problem (FTP IP: 64.221.8.20)

Packet capture from outside interface:

  1: 02:35:42.425072 208.48.17.4.10699 > 64.221.8.20.21: S 1217836803:1217836803(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
  2: 02:35:42.469915 208.48.17.4.10699 > 64.221.8.20.21: . ack 1279438701 win 65535
  3: 02:36:42.480657 208.48.17.4.10699 > 64.221.8.20.21: R 1217836804:1217836804(0) ack 1279438701 win 0
3 packets shown

Other FTP site that connects without any problem behind the same firewall (FTP: 143.166.11.10)

Packet capture from outside interface:

  1: 02:39:03.032316 208.48.17.4.26428 > 143.166.11.10.21: S 267640837:267640837(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
  2: 02:39:03.063534 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479480 win 65535
  3: 02:39:03.081676 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479507 win 65508
3 packets shown
0
Question by:cgxit
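As an added example (not part of the question or of any answer in this thread), a small Python script that reads the two ASA capture dumps posted above and reports what each one shows: whether the TCP handshake finished, how many bytes of server data the client acknowledged afterwards (27 in the working case, i.e. the FTP banner; 0 in the failing case), and how long after the SYN the client gave up with a RST. The parser assumes the one-direction `show capture` line format seen in the question.

```python
import re

# Matches one packet line of ASA "show capture" output. The captures in the
# question contain only the client's side of each flow, which is enough here.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRFP.]+)(?:\s+\d+:\d+\(\d+\))?(?:\s+ack\s+(?P<ack>\d+))?"
)

def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze_capture(text: str) -> dict:
    # server_bytes_acked is how far the client's ACK number advanced after the
    # handshake: 0 means the client never received a byte (no FTP 220 banner).
    syn_at = first_ack = last_ack = reset_at = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # trailer lines such as "3 packets shown"
        t = _seconds(m["ts"])
        if "S" in m["flags"] and syn_at is None:
            syn_at = t
        if m["ack"] is not None:
            last_ack = int(m["ack"])
            first_ack = last_ack if first_ack is None else first_ack
        if "R" in m["flags"]:
            reset_at = t
    handshake = syn_at is not None and first_ack is not None
    acked = (last_ack - first_ack) if handshake else 0
    to_reset = (reset_at - syn_at) if handshake and reset_at is not None else 0.0
    if handshake and acked == 0 and reset_at is not None:
        verdict = "handshake completed, no server data acknowledged, client reset"
    elif handshake and acked > 0:
        verdict = "server data acknowledged; control channel works"
    else:
        verdict = "handshake incomplete"
    return {"handshake_complete": handshake, "server_bytes_acked": acked,
            "reset": reset_at is not None, "seconds_to_reset": round(to_reset, 3),
            "verdict": verdict}

# The two captures from the question, pasted verbatim.
FAILING_CAPTURE = """\
1: 02:35:42.425072 208.48.17.4.10699 > 64.221.8.20.21: S 1217836803:1217836803(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
2: 02:35:42.469915 208.48.17.4.10699 > 64.221.8.20.21: . ack 1279438701 win 65535
3: 02:36:42.480657 208.48.17.4.10699 > 64.221.8.20.21: R 1217836804:1217836804(0) ack 1279438701 win 0
3 packets shown
"""
WORKING_CAPTURE = """\
1: 02:39:03.032316 208.48.17.4.26428 > 143.166.11.10.21: S 267640837:267640837(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
2: 02:39:03.063534 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479480 win 65535
3: 02:39:03.081676 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479507 win 65508
3 packets shown
"""
```

Calling `analyze_capture(FAILING_CAPTURE)` shows the handshake completing and then a RST about 60 seconds later with nothing from the server acknowledged, which is why the client printed "Connected to" followed by "Connection closed"; the working capture acknowledges 27 bytes within 50 ms.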
15 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21876099
Does the remote location only allow active FTP sessions?  If so, you will need a rule to allow ftp-data from that IP into your ASA.
0
 

Author Comment

by:cgxit
ID: 21876690
As per your suggestion, I temporarily just allowed all traffic from this IP:
access-list perimeter line 4 extended permit ip host 64.221.8.20 any (hitcnt=0)

After that it gives the same error:
C:\Program Files\Windows Resource Kits\Tools>ftp 64.221.8.20
Connected to 64.221.8.20.
Connection closed by remote host.

And also on the access-list the hit count is 0.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21877432
Try an ACL more along the lines of:

access-list TEMP extended permit tcp host 64.221.8.20 range 1 65535 A.B.C.D NETMASK log

where A.B.C.D is the public IP or subnet of your outside network.

Format as necessary to match an existing ACL or, if none exists, apply it to the outside interface inbound.
0
 

Author Comment

by:cgxit
ID: 21877548
I tried the access-lists below but it's still not working. My internal network is 172.16.0.0/16 and the outside block is 208.48.17.0/24.

access-list perimeter line 4 extended permit tcp host 64.221.8.20 range 1 65535 208.48.17.0 255.255.255.0 log informational interval 300 (hitcnt=0)

access-list perimeter line 4 extended permit tcp host 64.221.8.20 range 1 65535 any log informational interval 300 (hitcnt=0)


0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21878098
Do you have an access-list on the private interface that may be blocking FTP?

And does the ASA have the config commands:
  ftp mode passive
  inspect ftp (under the inspection rules)
0
 

Author Comment

by:cgxit
ID: 21878307
No, there is no access-list on the private interface.

On the ASA firewall I already configured inspect ftp:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
!
service-policy global_policy global

0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21878380
By default, the unit has "ftp mode passive". Has this been changed?
0
 

Author Comment

by:cgxit
ID: 21878627
No, I never changed it.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21883431
Please post any access lists for the outside and inside interfaces.  Thanks.
0
 

Author Comment

by:cgxit
ID: 21900560
Outside Interface Access-list:

access-list perimeter extended permit tcp host 72.3.241.29 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.41.143 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.41.148 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 209.98.185.0 255.255.255.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.57.100 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 17.0.0.0 255.0.0.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 216.213.80.0 255.255.255.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 68.236.192.171 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 157.209.4.29 host 208.48.17.141 eq ftp
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 eq www
access-list perimeter extended permit tcp object-group NLM-devices host 208.48.17.41 eq smtp
access-list perimeter extended permit tcp host 216.251.100.19 host 208.48.17.83 eq smtp
access-list perimeter extended permit tcp any host 208.48.17.64 eq https
access-list perimeter extended permit tcp object-group xinet-uploader-group host 208.48.17.8 eq www
access-list perimeter extended permit tcp any object-group cgx-pflexweb-206-addresses eq https
access-list perimeter extended permit tcp any host 208.48.17.31 object-group exchangefeports
access-list perimeter extended permit tcp any object-group ftp_access_in range ftp ftp-data
access-list perimeter extended permit tcp any host 146.82.131.199 object-group ftp-secured
access-list perimeter extended permit tcp any host 146.82.131.203 object-group ftp-secured
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision1
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision2
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision3
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision1
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision2
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision3
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq https
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq ssh
access-list perimeter extended permit tcp object-group xinet-uploader-group host 208.48.17.8 eq ssh
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq 3389
access-list perimeter extended permit tcp any host 208.48.17.18 eq 1417
access-list perimeter extended permit udp any host 208.48.17.18 eq 407
access-list perimeter extended permit tcp any host 208.48.17.18 eq 407
access-list perimeter extended permit tcp any host 206.132.103.118 eq ftp
access-list perimeter extended permit tcp any object-group http_access_in eq www
access-list perimeter extended permit tcp any host 208.48.17.41 object-group exchangefeports
access-list perimeter extended permit tcp any object-group https_access_in eq https
access-list perimeter extended permit tcp any host 208.48.17.111 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.164 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.246 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.111 object-group http8081
access-list perimeter extended permit tcp any host 208.48.17.184 object-group https10443
access-list perimeter extended permit tcp any host 208.48.17.85 eq imap4
access-list perimeter extended permit tcp any host 208.48.17.88 eq imap4
access-list perimeter extended permit tcp any host 208.50.123.23 eq imap4
access-list perimeter extended permit tcp any host 208.50.123.4 eq imap4
access-list perimeter extended permit tcp any host 208.48.17.85 eq ldap
access-list perimeter extended permit tcp any host 208.48.17.88 eq smtp
access-list perimeter extended permit tcp any host 208.48.17.88 eq pop3
access-list perimeter extended permit tcp any host 146.82.131.202 object-group nntps
access-list perimeter extended permit tcp any host 146.82.131.194 object-group nntps
access-list perimeter extended permit udp any host 208.48.17.42 eq 3389
access-list perimeter extended permit tcp host 72.3.241.29 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp any host 208.48.17.42 eq 3389
access-list perimeter extended permit tcp host 216.168.41.143 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 216.151.85.0 255.255.255.0 host 208.48.17.243 object-group https10443
access-list perimeter extended permit tcp host 216.168.41.148 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 209.98.185.0 255.255.255.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 216.168.57.100 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 17.0.0.0 255.0.0.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 216.213.80.0 255.255.255.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 68.236.192.171 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 64.148.215.139 host 208.48.17.35 object-group ms-sqlserver
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8234
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8234
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8235
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8235
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp2002
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp2002
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8001
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8001
access-list perimeter extended permit udp any host 208.48.17.66 object-group timbuktu-udp
access-list perimeter extended permit tcp any host 208.48.17.66 object-group premier-208.48.17.149-tcp
access-list perimeter extended permit tcp any host 208.48.17.119 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.48.17.46 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.50.123.64 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt1
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt1-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt2
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt2-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt3
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt3-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt4
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt4-udp
access-list perimeter extended permit tcp any object-group pop3_access_in eq pop3
access-list perimeter extended permit tcp any object-group smtp_access_in eq smtp
access-list perimeter extended permit tcp any host 146.82.131.199 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.173 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.207 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.65 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.79 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.85 eq ssh
access-list perimeter extended permit tcp any host 208.50.123.4 eq ssh
access-list perimeter extended permit tcp any host 208.50.123.5 eq ssh
access-list perimeter extended permit tcp host 17.254.0.68 any object-group radar-mac-client
access-list perimeter extended permit tcp object-group premier-208.48.17.149 host 208.48.17.149 object-group premier-208.48.17.149-tcp
access-list perimeter extended permit udp object-group premier-208.48.17.149 host 208.48.17.149 object-group premier-208.48.17.149-udp
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-imap
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-pop3
access-list perimeter extended permit udp any host 208.48.17.88 object-group ssl-pop3
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-smtp
access-list perimeter extended permit udp any host 208.48.17.88 object-group ssl-smtp
access-list perimeter extended permit tcp any host 208.48.17.176 object-group tcp1604
access-list perimeter extended permit tcp any host 208.48.17.155 object-group tcp19813-14566
access-list perimeter extended permit tcp any host 208.48.17.194 object-group tcp2930
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3000
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3001
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3003
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3005
access-list perimeter extended permit tcp any host 208.48.17.175 object-group tcp3101
access-list perimeter extended permit tcp any host 208.48.17.52 object-group tcp3202
access-list perimeter extended permit tcp any host 208.48.17.183 object-group tcp3268
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp4000
access-list perimeter extended permit tcp any host 208.48.17.89 object-group tcp4489
access-list perimeter extended permit udp any host 208.48.17.89 object-group tcp4489
access-list perimeter extended permit tcp any host 208.48.17.232 object-group tcp4899
access-list perimeter extended permit tcp any host 208.48.17.160 object-group tcp5003
access-list perimeter extended permit tcp any host 208.48.17.45 object-group tcp5003
access-list perimeter extended permit udp any host 208.48.17.160 object-group tcp5003
access-list perimeter extended permit udp any host 208.48.17.45 object-group tcp5003
access-list perimeter extended permit tcp any host 208.48.17.141 object-group tcp5993
access-list perimeter extended permit tcp any host 208.48.17.169 object-group tcp85
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp8800
access-list perimeter extended permit tcp any host 208.48.17.79 object-group tcp9000
access-list perimeter extended permit tcp any host 208.48.17.82 object-group tcp9010
access-list perimeter extended permit tcp any host 208.48.17.86 object-group tcp9010
access-list perimeter extended permit tcp any host 146.82.131.199 object-group tcp989
access-list perimeter extended permit tcp any host 208.48.17.151 object-group tcp-range-9000-9020
access-list perimeter extended permit tcp any host 208.48.17.15 object-group tcp-udp1780-1785
access-list perimeter extended permit tcp any host 208.48.17.132 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.144 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.148 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.157 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.232 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.60 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.88 object-group tcp-udp-587
access-list perimeter extended permit udp any host 208.48.17.15 object-group tcp-udp1780-1785
access-list perimeter extended permit udp any host 208.48.17.132 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.144 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.148 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.157 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.232 object-group tcp-udp-1863
access-list perimeter extended permit tcp any any object-group icverify
access-list perimeter extended permit udp any host 208.48.17.60 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.88 object-group tcp-udp-587
access-list perimeter extended permit tcp any host 208.50.123.231 eq telnet
access-list perimeter extended permit tcp any host 208.48.17.118 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.120 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.121 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.18 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.216 object-group timbuktu
access-list perimeter extended permit udp any host 208.48.17.118 object-group timbuktu-udp
access-list perimeter extended permit udp any host 208.48.17.120 object-group timbuktu-udp


Inside Interface Access-list:

access-list dmz-1 extended permit ip any any



0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21907631
What is in this object group?

access-list perimeter extended permit tcp any object-group ftp_access_in range ftp ftp-data
0
 

Author Comment

by:cgxit
ID: 22156513
Some of our FTP servers, which are listed in this object group.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 22160174
Is the server that the customer can't connect to listed in this object group?
0
 

Author Comment

by:cgxit
ID: 22190078
No, the problem is that our inside users are not able to connect to outside FTP servers. Not all of them, but some, and when I connect to this same FTP server without the firewall it works fine...
0
 
LVL 28

Accepted Solution

by:Jan Springer (earned 500 total points)
ID: 22204081
I wonder if this is an active ftp session.

I don't see a line in your perimeter access list showing this IP. Try adding:

access-list perimeter extended permit tcp host 64.221.8.20 eq 20 any log
0
