cgxit

asked on

ASA 5520 FTP connection issue

We are trying to connect to a customer's FTP site through our local LAN, which is behind the ASA firewall. It gives a connection error.

But when I connect through the DSL line, I can connect to the customer's FTP site and download without any issues.

Can you look into what the issue is on the ASA firewall?

Here I also give you the packet capture information:

Site with the problem (FTP IP: 64.221.8.20):

Packet capture from outside interface:

   1: 02:35:42.425072 208.48.17.4.10699 > 64.221.8.20.21: S 1217836803:1217836803(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
   2: 02:35:42.469915 208.48.17.4.10699 > 64.221.8.20.21: . ack 1279438701 win 65535
   3: 02:36:42.480657 208.48.17.4.10699 > 64.221.8.20.21: R 1217836804:1217836804(0) ack 1279438701 win 0
3 packets shown

Other FTP site connects without any problem behind the same firewall (FTP: 143.166.11.10):

Packet capture from outside interface:

   1: 02:39:03.032316 208.48.17.4.26428 > 143.166.11.10.21: S 267640837:267640837(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
   2: 02:39:03.063534 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479480 win 65535
   3: 02:39:03.081676 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479507 win 65508
3 packets shown
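An added triage script (not from the thread, and not an ASA tool) that parses the two captures above in the ASA `show capture` line format and reports what separates them: in both sessions the client's ACK completes the three-way handshake, but on the failing site the client never acknowledges a single byte from the server (no 220 banner ever arrives) and tears the session down with a RST roughly 60 seconds later, while on the working site the third packet already acknowledges 27 bytes of server data. The capture text is embedded as constructed input copied from the post.

```python
import re

# Constructed from the two 'show capture' outputs posted in the thread (client -> server only).
FAILING_CAPTURE = """\
1: 02:35:42.425072 208.48.17.4.10699 > 64.221.8.20.21: S 1217836803:1217836803(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
2: 02:35:42.469915 208.48.17.4.10699 > 64.221.8.20.21: . ack 1279438701 win 65535
3: 02:36:42.480657 208.48.17.4.10699 > 64.221.8.20.21: R 1217836804:1217836804(0) ack 1279438701 win 0
3 packets shown"""
WORKING_CAPTURE = """\
1: 02:39:03.032316 208.48.17.4.26428 > 143.166.11.10.21: S 267640837:267640837(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
2: 02:39:03.063534 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479480 win 65535
3: 02:39:03.081676 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479507 win 65508
3 packets shown"""

# idx: hh:mm:ss.us src.port > dst.port: flags [seq:seq(len)] [ack N] win ...
PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SRPF.]+)"
    r"(?:\s+\d+:\d+\(\d+\))?(?:\s+ack\s+(?P<ack>\d+))?")

def parse_capture(text):
    """Parse ASA capture lines into dicts; 'N packets shown' and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            h, mi, s = m.group("ts").split(":")
            packets.append({"t": int(h) * 3600 + int(mi) * 60 + float(s),
                            "flow": (m.group("src"), int(m.group("sport")),
                                     m.group("dst"), int(m.group("dport"))),
                            "flags": m.group("flags"),
                            "ack": int(m.group("ack")) if m.group("ack") else None})
    return packets

def triage(packets):
    """Per client flow: handshake done?, server bytes the client acked, client RST?, duration."""
    flows = {}
    for p in packets:
        f = flows.setdefault(p["flow"], {"start": p["t"], "acks": [], "reset": False})
        f["end"] = p["t"]
        f["reset"] |= "R" in p["flags"]
        if p["ack"] is not None:      # first ACK we see completes the 3-way handshake
            f["acks"].append(p["ack"])
    report = {}
    for flow, f in flows.items():
        done = bool(f["acks"])
        acked = (f["acks"][-1] - f["acks"][0]) % 2**32 if done else 0  # modulo: seq wrap
        if done and acked == 0 and f["reset"]:
            verdict = "handshake completed but server sent no data (no 220 banner) before client RST"
        else:
            verdict = "server data acknowledged" if acked else "handshake incomplete"
        report[flow] = {"handshake": done, "server_bytes_acked": acked, "client_reset": f["reset"],
                        "duration_s": round(f["end"] - f["start"], 3), "verdict": verdict}
    return report
```

Because only the client side was captured, "server bytes acked" is inferred from how far the client's ACK number advances; a 60 s wait ending in a client RST with an unchanged ACK number is the signature to look for when comparing against a working session.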
Jan Bacher

Does the remote location only allow active FTP sessions?  If so, you will need a rule to allow ftp-data from that IP into your ASA.
cgxit

ASKER

As per your suggestion, I temporarily just allowed all traffic from this IP:
access-list perimeter line 4 extended permit ip host 64.221.8.20 any (hitcnt=0)

After that it gives the same error:
C:\Program Files\Windows Resource Kits\Tools>ftp 64.221.8.20
Connected to 64.221.8.20.
Connection closed by remote host.

And also the access-list hit count is 0.

Try an acl more along the lines of:

access-list TEMP extended permit tcp host 64.221.8.20 range 1 65535 A.B.C.D NETMASK log

where A.B.C.D is the public IP or subnet of your outside network.

Format as necessary to match an existing ACL or, if none exists, apply it inbound on the outside interface.
cgxit

ASKER

I tried the access-lists below but it's still not working. My internal network is 172.16.0.0/16 and the outside block is 208.48.17.0/24.

access-list perimeter line 4 extended permit tcp host 64.221.8.20 range 1 65535 208.48.17.0 255.255.255.0 log informational interval 300 (hitcnt=0)

access-list perimeter line 4 extended permit tcp host 64.221.8.20 range 1 65535 any log informational interval 300 (hitcnt=0)


Do you have an access-list on the private interface that may be blocking ftp?

And, does the ASA have the config commands:
  ftp mode passive
  inspect ftp (under the inspection rules)
cgxit

ASKER

No, there is no access-list on the private interface.

On the ASA firewall I already configured inspect ftp:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
!
service-policy global_policy global

By default, the unit has "ftp mode passive". Has this been changed?
cgxit

ASKER

No, I never changed it.

Please post any access lists for the outside and inside interfaces.  Thanks.
cgxit

ASKER

Outside Interface Access-list:

access-list perimeter extended permit tcp host 72.3.241.29 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.41.143 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.41.148 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 209.98.185.0 255.255.255.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.57.100 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 17.0.0.0 255.0.0.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 216.213.80.0 255.255.255.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 68.236.192.171 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 157.209.4.29 host 208.48.17.141 eq ftp
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 eq www
access-list perimeter extended permit tcp object-group NLM-devices host 208.48.17.41 eq smtp
access-list perimeter extended permit tcp host 216.251.100.19 host 208.48.17.83 eq smtp
access-list perimeter extended permit tcp any host 208.48.17.64 eq https
access-list perimeter extended permit tcp object-group xinet-uploader-group host 208.48.17.8 eq www
access-list perimeter extended permit tcp any object-group cgx-pflexweb-206-addresses eq https
access-list perimeter extended permit tcp any host 208.48.17.31 object-group exchangefeports
access-list perimeter extended permit tcp any object-group ftp_access_in range ftp ftp-data
access-list perimeter extended permit tcp any host 146.82.131.199 object-group ftp-secured
access-list perimeter extended permit tcp any host 146.82.131.203 object-group ftp-secured
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision1
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision2
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision3
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision1
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision2
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision3
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq https
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq ssh
access-list perimeter extended permit tcp object-group xinet-uploader-group host 208.48.17.8 eq ssh
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq 3389
access-list perimeter extended permit tcp any host 208.48.17.18 eq 1417
access-list perimeter extended permit udp any host 208.48.17.18 eq 407
access-list perimeter extended permit tcp any host 208.48.17.18 eq 407
access-list perimeter extended permit tcp any host 206.132.103.118 eq ftp
access-list perimeter extended permit tcp any object-group http_access_in eq www
access-list perimeter extended permit tcp any host 208.48.17.41 object-group exchangefeports
access-list perimeter extended permit tcp any object-group https_access_in eq https
access-list perimeter extended permit tcp any host 208.48.17.111 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.164 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.246 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.111 object-group http8081
access-list perimeter extended permit tcp any host 208.48.17.184 object-group https10443
access-list perimeter extended permit tcp any host 208.48.17.85 eq imap4
access-list perimeter extended permit tcp any host 208.48.17.88 eq imap4
access-list perimeter extended permit tcp any host 208.50.123.23 eq imap4
access-list perimeter extended permit tcp any host 208.50.123.4 eq imap4
access-list perimeter extended permit tcp any host 208.48.17.85 eq ldap
access-list perimeter extended permit tcp any host 208.48.17.88 eq smtp
access-list perimeter extended permit tcp any host 208.48.17.88 eq pop3
access-list perimeter extended permit tcp any host 146.82.131.202 object-group nntps
access-list perimeter extended permit tcp any host 146.82.131.194 object-group nntps
access-list perimeter extended permit udp any host 208.48.17.42 eq 3389
access-list perimeter extended permit tcp host 72.3.241.29 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp any host 208.48.17.42 eq 3389
access-list perimeter extended permit tcp host 216.168.41.143 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 216.151.85.0 255.255.255.0 host 208.48.17.243 object-group https10443
access-list perimeter extended permit tcp host 216.168.41.148 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 209.98.185.0 255.255.255.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 216.168.57.100 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 17.0.0.0 255.0.0.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 216.213.80.0 255.255.255.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 68.236.192.171 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 64.148.215.139 host 208.48.17.35 object-group ms-sqlserver
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8234
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8234
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8235
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8235
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp2002
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp2002
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8001
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8001
access-list perimeter extended permit udp any host 208.48.17.66 object-group timbuktu-udp
access-list perimeter extended permit tcp any host 208.48.17.66 object-group premier-208.48.17.149-tcp
access-list perimeter extended permit tcp any host 208.48.17.119 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.48.17.46 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.50.123.64 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt1
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt1-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt2
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt2-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt3
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt3-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt4
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt4-udp
access-list perimeter extended permit tcp any object-group pop3_access_in eq pop3
access-list perimeter extended permit tcp any object-group smtp_access_in eq smtp
access-list perimeter extended permit tcp any host 146.82.131.199 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.173 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.207 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.65 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.79 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.85 eq ssh
access-list perimeter extended permit tcp any host 208.50.123.4 eq ssh
access-list perimeter extended permit tcp any host 208.50.123.5 eq ssh
access-list perimeter extended permit tcp host 17.254.0.68 any object-group radar-mac-client
access-list perimeter extended permit tcp object-group premier-208.48.17.149 host 208.48.17.149 object-group premier-208.48.17.149-tcp
access-list perimeter extended permit udp object-group premier-208.48.17.149 host 208.48.17.149 object-group premier-208.48.17.149-udp
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-imap
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-pop3
access-list perimeter extended permit udp any host 208.48.17.88 object-group ssl-pop3
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-smtp
access-list perimeter extended permit udp any host 208.48.17.88 object-group ssl-smtp
access-list perimeter extended permit tcp any host 208.48.17.176 object-group tcp1604
access-list perimeter extended permit tcp any host 208.48.17.155 object-group tcp19813-14566
access-list perimeter extended permit tcp any host 208.48.17.194 object-group tcp2930
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3000
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3001
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3003
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3005
access-list perimeter extended permit tcp any host 208.48.17.175 object-group tcp3101
access-list perimeter extended permit tcp any host 208.48.17.52 object-group tcp3202
access-list perimeter extended permit tcp any host 208.48.17.183 object-group tcp3268
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp4000
access-list perimeter extended permit tcp any host 208.48.17.89 object-group tcp4489
access-list perimeter extended permit udp any host 208.48.17.89 object-group tcp4489
access-list perimeter extended permit tcp any host 208.48.17.232 object-group tcp4899
access-list perimeter extended permit tcp any host 208.48.17.160 object-group tcp5003
access-list perimeter extended permit tcp any host 208.48.17.45 object-group tcp5003
access-list perimeter extended permit udp any host 208.48.17.160 object-group tcp5003
access-list perimeter extended permit udp any host 208.48.17.45 object-group tcp5003
access-list perimeter extended permit tcp any host 208.48.17.141 object-group tcp5993
access-list perimeter extended permit tcp any host 208.48.17.169 object-group tcp85
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp8800
access-list perimeter extended permit tcp any host 208.48.17.79 object-group tcp9000
access-list perimeter extended permit tcp any host 208.48.17.82 object-group tcp9010
access-list perimeter extended permit tcp any host 208.48.17.86 object-group tcp9010
access-list perimeter extended permit tcp any host 146.82.131.199 object-group tcp989
access-list perimeter extended permit tcp any host 208.48.17.151 object-group tcp-range-9000-9020
access-list perimeter extended permit tcp any host 208.48.17.15 object-group tcp-udp1780-1785
access-list perimeter extended permit tcp any host 208.48.17.132 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.144 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.148 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.157 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.232 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.60 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.88 object-group tcp-udp-587
access-list perimeter extended permit udp any host 208.48.17.15 object-group tcp-udp1780-1785
access-list perimeter extended permit udp any host 208.48.17.132 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.144 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.148 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.157 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.232 object-group tcp-udp-1863
access-list perimeter extended permit tcp any any object-group icverify
access-list perimeter extended permit udp any host 208.48.17.60 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.88 object-group tcp-udp-587
access-list perimeter extended permit tcp any host 208.50.123.231 eq telnet
access-list perimeter extended permit tcp any host 208.48.17.118 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.120 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.121 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.18 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.216 object-group timbuktu
access-list perimeter extended permit udp any host 208.48.17.118 object-group timbuktu-udp
access-list perimeter extended permit udp any host 208.48.17.120 object-group timbuktu-udp


Inside Interface Access-list:

access-list dmz-1 extended permit ip any any



What is in this object group?

access-list perimeter extended permit tcp any object-group ftp_access_in range ftp ftp-data
cgxit

ASKER

Some of our FTP servers, which are listed in this object group.

Is the server that the customer can't connect to listed in this object group?
cgxit

ASKER

No, the problem is that our inside users are not able to connect to outside FTP servers (not all, but some of them), and when I connect to the same FTP server without the firewall it works fine.
ASKER CERTIFIED SOLUTION
Jan Bacher

This solution is only available to members.