Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 460
  • Last Modified:

ASA 5520 FTP connection issue

We are trying to connect to a customers ftp site thru our local lan which is behind the ASA firewall. it's give connection error.

but when i connect through  DSL line I can connect the the customers ftp site and download without any issues.

can you look into this  what is the issue on ASA firewall.

Here i also give you packet capture information:

Site have problem: (FTP IP: 64.221.8.20)

Packet capture from outside interface:

 1: 02:35:42.425072 208.48.17.4.10699 > 64.221.8.20.21: S 1217836803:1217836803(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
   2: 02:35:42.469915 208.48.17.4.10699 > 64.221.8.20.21: . ack 1279438701 win 65535
   3: 02:36:42.480657 208.48.17.4.10699 > 64.221.8.20.21: R 1217836804:1217836804(0) ack 1279438701 win 0
3 packets shown

Other Ftp site connect without any problem behind ame firewall: (Ftp: 143.166.11.10)


Packet capture from outside interface:.

  1: 02:39:03.032316 208.48.17.4.26428 > 143.166.11.10.21: S 267640837:267640837(0) win 65535 <mss 1260,nop,wscale 0,nop,nop,sackOK>
   2: 02:39:03.063534 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479480 win 65535
   3: 02:39:03.081676 208.48.17.4.26428 > 143.166.11.10.21: . ack 1763479507 win 65508
3 packets shown
0
cgxit
Asked:
cgxit
  • 8
  • 7
1 Solution
 
Jan SpringerCommented:
Does the remote location only allow active FTP sessions?  If so, you will need a rule to allow ftp-data from that IP into your ASA.
0
 
cgxitAuthor Commented:
As per your suggestion, temporary I just allow all traffic from this IP:
access-list perimeter line 4 extended permit ip host 64.221.8.20 any (hitcnt=0)

After that its give same error:
C:\Program Files\Windows Resource Kits\Tools>ftp 64.221.8.20
Connected to 64.221.8.20.
Connection closed by remote host.

And also on access-list there is hit count is 0
0
 
Jan SpringerCommented:
Try an acl more along the lines of:

access-list TEMP extended permit tcp host 64.221.8.20 range 1 65536 A.B.C.D NETMASK log

where A.B.C.D is the public IP or subnet of your outside network.

format as necessary to match an existing acl or, if none exists, apply to outside in interface.
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
cgxitAuthor Commented:
I try below access-list but still it's not working. my internal network is 172.16.0.0/16 and outside block is 208.48.17.0/24

access-list perimeter line 4 extended permit tcp host 64.221.8.20 range 1 65535 208.48.17.0 255.255.255.0 log informational interval 300 (hitcnt=0)

access-list perimeter line 4 extended permit tcp host 64.221.8.20 range 1 65535 any log informational interval 300 (hitcnt=0)


0
 
Jan SpringerCommented:
Do you have an access-list on the private interface that may be blocking ftp?

And, does the ASA have the config commands:
  ftp mode passive
  inspect ftp (under the inspection rules)
0
 
cgxitAuthor Commented:
no there is no access-list on private interface.

On ASA firewall i all ready configure with inspect ftp

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
!
service-policy global_policy global

0
 
Jan SpringerCommented:
by default, the unit has "ftp mode passive".  has this been changed?
0
 
cgxitAuthor Commented:
No i never changed.
0
 
Jan SpringerCommented:
Please post any access lists for the outside and inside interfaces.  Thanks.
0
 
cgxitAuthor Commented:
Outside Interface Access-list:

access-list perimeter extended permit tcp host 72.3.241.29 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.41.143 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.41.148 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 209.98.185.0 255.255.255.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 216.168.57.100 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 17.0.0.0 255.0.0.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp 216.213.80.0 255.255.255.0 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 68.236.192.171 host 146.82.131.201 eq www
access-list perimeter extended permit tcp host 157.209.4.29 host 208.48.17.141 eq ftp
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 eq www
access-list perimeter extended permit tcp object-group NLM-devices host 208.48.17.41 eq smtp
access-list perimeter extended permit tcp host 216.251.100.19 host 208.48.17.83 eq smtp
access-list perimeter extended permit tcp any host 208.48.17.64 eq https
access-list perimeter extended permit tcp object-group xinet-uploader-group host 208.48.17.8 eq www
access-list perimeter extended permit tcp any object-group cgx-pflexweb-206-addresses eq https
access-list perimeter extended permit tcp any host 208.48.17.31 object-group exchangefeports
access-list perimeter extended permit tcp any object-group ftp_access_in range ftp ftp-data
access-list perimeter extended permit tcp any host 146.82.131.199 object-group ftp-secured
access-list perimeter extended permit tcp any host 146.82.131.203 object-group ftp-secured
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision1
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision2
access-list perimeter extended permit tcp any host 208.48.17.28 object-group geovision3
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision1
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision2
access-list perimeter extended permit udp any host 208.48.17.28 object-group geovision3
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq https
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq ssh
access-list perimeter extended permit tcp object-group xinet-uploader-group host 208.48.17.8 eq ssh
access-list perimeter extended permit tcp object-group gm-assetdelivery-hennegen host 208.48.17.91 eq 3389
access-list perimeter extended permit tcp any host 208.48.17.18 eq 1417
access-list perimeter extended permit udp any host 208.48.17.18 eq 407
access-list perimeter extended permit tcp any host 208.48.17.18 eq 407
access-list perimeter extended permit tcp any host 206.132.103.118 eq ftp
access-list perimeter extended permit tcp any object-group http_access_in eq www
access-list perimeter extended permit tcp any host 208.48.17.41 object-group exchangefeports
access-list perimeter extended permit tcp any object-group https_access_in eq https
access-list perimeter extended permit tcp any host 208.48.17.111 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.164 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.246 object-group http8080
access-list perimeter extended permit tcp any host 208.48.17.111 object-group http8081
access-list perimeter extended permit tcp any host 208.48.17.184 object-group https10443
access-list perimeter extended permit tcp any host 208.48.17.85 eq imap4
access-list perimeter extended permit tcp any host 208.48.17.88 eq imap4
access-list perimeter extended permit tcp any host 208.50.123.23 eq imap4
access-list perimeter extended permit tcp any host 208.50.123.4 eq imap4
access-list perimeter extended permit tcp any host 208.48.17.85 eq ldap
access-list perimeter extended permit tcp any host 208.48.17.88 eq smtp
access-list perimeter extended permit tcp any host 208.48.17.88 eq pop3
access-list perimeter extended permit tcp any host 146.82.131.202 object-group nntps
access-list perimeter extended permit tcp any host 146.82.131.194 object-group nntps
access-list perimeter extended permit udp any host 208.48.17.42 eq 3389
access-list perimeter extended permit tcp host 72.3.241.29 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp any host 208.48.17.42 eq 3389
access-list perimeter extended permit tcp host 216.168.41.143 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 216.151.85.0 255.255.255.0 host 208.48.17.243 object-group https10443
access-list perimeter extended permit tcp host 216.168.41.148 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 209.98.185.0 255.255.255.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 216.168.57.100 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 17.0.0.0 255.0.0.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp 216.213.80.0 255.255.255.0 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 68.236.192.171 host 146.82.131.201 object-group port-9200-9300
access-list perimeter extended permit tcp host 64.148.215.139 host 208.48.17.35 object-group ms-sqlserver
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8234
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8234
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8235
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8235
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp2002
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp2002
access-list perimeter extended permit tcp host 24.249.242.122 host 208.48.17.143 object-group tcp8001
access-list perimeter extended permit tcp host 64.171.214.238 host 208.48.17.143 object-group tcp8001
access-list perimeter extended permit udp any host 208.48.17.66 object-group timbuktu-udp
access-list perimeter extended permit tcp any host 208.48.17.66 object-group premier-208.48.17.149-tcp
access-list perimeter extended permit tcp any host 208.48.17.119 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.48.17.46 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.50.123.64 eq pcanywhere-data
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt1
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt1-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt2
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt2-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt3
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt3-udp
access-list perimeter extended permit tcp any host 208.48.17.15 object-group pcanywhere-alt4
access-list perimeter extended permit udp any host 208.48.17.15 object-group pcanywhere-alt4-udp
access-list perimeter extended permit tcp any object-group pop3_access_in eq pop3
access-list perimeter extended permit tcp any object-group smtp_access_in eq smtp
access-list perimeter extended permit tcp any host 146.82.131.199 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.173 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.207 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.65 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.79 eq ssh
access-list perimeter extended permit tcp any host 208.48.17.85 eq ssh
access-list perimeter extended permit tcp any host 208.50.123.4 eq ssh
access-list perimeter extended permit tcp any host 208.50.123.5 eq ssh
access-list perimeter extended permit tcp host 17.254.0.68 any object-group radar-mac-client
access-list perimeter extended permit tcp object-group premier-208.48.17.149 host 208.48.17.149 object-group premier-208.48.17.149-tcp
access-list perimeter extended permit udp object-group premier-208.48.17.149 host 208.48.17.149 object-group premier-208.48.17.149-udp
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-imap
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-pop3
access-list perimeter extended permit udp any host 208.48.17.88 object-group ssl-pop3
access-list perimeter extended permit tcp any host 208.48.17.88 object-group ssl-smtp
access-list perimeter extended permit udp any host 208.48.17.88 object-group ssl-smtp
access-list perimeter extended permit tcp any host 208.48.17.176 object-group tcp1604
access-list perimeter extended permit tcp any host 208.48.17.155 object-group tcp19813-14566
access-list perimeter extended permit tcp any host 208.48.17.194 object-group tcp2930
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3000
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3001
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3003
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp3005
access-list perimeter extended permit tcp any host 208.48.17.175 object-group tcp3101
access-list perimeter extended permit tcp any host 208.48.17.52 object-group tcp3202
access-list perimeter extended permit tcp any host 208.48.17.183 object-group tcp3268
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp4000
access-list perimeter extended permit tcp any host 208.48.17.89 object-group tcp4489
access-list perimeter extended permit udp any host 208.48.17.89 object-group tcp4489
access-list perimeter extended permit tcp any host 208.48.17.232 object-group tcp4899
access-list perimeter extended permit tcp any host 208.48.17.160 object-group tcp5003
access-list perimeter extended permit tcp any host 208.48.17.45 object-group tcp5003
access-list perimeter extended permit udp any host 208.48.17.160 object-group tcp5003
access-list perimeter extended permit udp any host 208.48.17.45 object-group tcp5003
access-list perimeter extended permit tcp any host 208.48.17.141 object-group tcp5993
access-list perimeter extended permit tcp any host 208.48.17.169 object-group tcp85
access-list perimeter extended permit tcp any host 208.48.17.186 object-group tcp8800
access-list perimeter extended permit tcp any host 208.48.17.79 object-group tcp9000
access-list perimeter extended permit tcp any host 208.48.17.82 object-group tcp9010
access-list perimeter extended permit tcp any host 208.48.17.86 object-group tcp9010
access-list perimeter extended permit tcp any host 146.82.131.199 object-group tcp989
access-list perimeter extended permit tcp any host 208.48.17.151 object-group tcp-range-9000-9020
access-list perimeter extended permit tcp any host 208.48.17.15 object-group tcp-udp1780-1785
access-list perimeter extended permit tcp any host 208.48.17.132 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.144 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.148 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.157 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.232 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.60 object-group tcp-udp-1863
access-list perimeter extended permit tcp any host 208.48.17.88 object-group tcp-udp-587
access-list perimeter extended permit udp any host 208.48.17.15 object-group tcp-udp1780-1785
access-list perimeter extended permit udp any host 208.48.17.132 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.144 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.148 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.157 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.232 object-group tcp-udp-1863
access-list perimeter extended permit tcp any any object-group icverify
access-list perimeter extended permit udp any host 208.48.17.60 object-group tcp-udp-1863
access-list perimeter extended permit udp any host 208.48.17.88 object-group tcp-udp-587
access-list perimeter extended permit tcp any host 208.50.123.231 eq telnet
access-list perimeter extended permit tcp any host 208.48.17.118 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.120 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.121 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.18 object-group timbuktu
access-list perimeter extended permit tcp any host 208.48.17.216 object-group timbuktu
access-list perimeter extended permit udp any host 208.48.17.118 object-group timbuktu-udp
access-list perimeter extended permit udp any host 208.48.17.120 object-group timbuktu-udp


Inside Interface Access- list:

access-list dmz-1 extended permit ip any any



0
 
Jan SpringerCommented:
What is in this object group?:

access-list perimeter extended permit tcp any object-group ftp_access_in range ftp ftp-data
0
 
cgxitAuthor Commented:
Some of our FTP servers , which list in this object group
0
 
Jan SpringerCommented:
Is the server that the customer can't connect to listed in this object group?
0
 
cgxitAuthor Commented:
No , problem is our inside user not able to connect outside FTP server.. not all but some of and when i connect this same FTP server without firewall it's work good...
0
 
Jan SpringerCommented:
I wonder if this is an active ftp session.

I dont see a line in your perimeter access list showing this IP.  Try adding:

access-list perimeter extended permit tcp host 64.221.8.20 eq 20 any log
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 8
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now