Solved

I can't connect to ftp sites through the cisco asa 5510 firewall

Posted on 2008-10-15
4
889 Views
Last Modified: 2013-11-08
I am having problems connecting to ftp sites going through the cisco asa 5510.  I have all outbound traffic opened but it can't reach the site.  The problem is with ftp sites but for example the site I need to access now is: ftp://ftp.securityinnovation.com/.  It should ask me for a user id and password but it doesn't   I tested this from another location and it works.  I have a NAT translation setup for my machine to an external address (because all internal addresses are setup with NAT to a DMZ zone), I can ping the ftp site but ftp can't connect, not through telnet, IE.  I do a trace packet from the asa but it fails saying the access list is not allowing it eventhough I have a rule to allow outgoing and incoming IP connections to that site.

Any ideas what the problem can be?
0
Comment
Question by:Ivan_Andrade
  • 2
4 Comments
 
LVL 10

Accepted Solution

by:
stsonline earned 500 total points
ID: 22724932
If your firewall is configured to perform a hide (or dynamic) NAT, you shouldn't need to assign yourself another NAT, but it won't hurt if you did. Assuming you're going from a higher security level interface to a lower level one, and assuming you don't have a 'deny any any' entry, it should work. Would you post a sanitized version of your FW config, please?
0
 
LVL 18

Expert Comment

by:decoleur
ID: 22725405
check to see that you dont need to inspect ftp traffic.

the quickest way to add it from config t is to type "fixup ftp"

hope this helps,

-t
0
 

Author Comment

by:Ivan_Andrade
ID: 22732887
Hi it is going from a higher level to a lower level as I can access all sites exept ftp.

The configuration is huge and I want to put here the infomration but what sections would you need from it.  I am not too comfortable pasting al lthe configuration here but i can do certain sections if you want, which parts would it work for you?
One more thing when I do a ping to the site for instance I always can see the packets when I do the debug however when I go to it using ftp, I see no traffic passing through the firewall.  With Internet explorer it just hangs.  With Firefox, it gets to teh site but I am never prompted for a user id and password.  The issue seems that I never get prompted for authentication but no errors in the debug.

Regarding fixup ftp, I tried running that command but it didn't do anything.
asaconfig.doc
0
 

Author Closing Comment

by:Ivan_Andrade
ID: 31506394
I am closing the account.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now