Solved

FTP connection drops when using an FTP client

Posted on 2009-04-14
Last Modified: 2013-12-09
Hi,
Using IIS as FTP server.  Sitting behind an ASA 5510. From the inside, all FTP functionality works fine.  From the outside: Can connect to FTP using low level client like Windows command prompt.  Am able to put files and retrieve directory listing.  However when I use an FTP client, the client is not able to retrieve directory listing and gets disconnected from the server.  On the ASA, both incoming FTP and FTP data is allowed.  I'm not a networking person so please reply in newbie language.  Below is the running config:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password e/B.SxSFWffDPrii encrypted
names
name 192.168.x.x Server4
!
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0
!
interface Ethernet0/1
 nameif Outside
 security-level 0
 ip address x.x.x.x  255.255.255.x
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.x.x 255.255.255.0
 management-only
!
passwd e/B.SxSFWffDPrii encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside_access_in extended permit tcp any interface Outside eq www
access-list Outside_access_in extended permit tcp any interface Outside eq 8000
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any interface Outside eq ssh
access-list Outside_access_in extended permit tcp any interface Outside eq smtp
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Outside_access_in extended permit tcp any interface Outside eq ftp-data
access-list Outside_access_in extended permit tcp any interface Outside eq ftp
access-list rauantiques_splitTunnelAcl standard permit 192.168.x.x 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.x.x 255.255.255.0
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm debugging
logging mail debugging
logging from-address xx@xx.com
logging recipient-address xx@xx.com level errors
logging queue 2048
logging host Inside 192.168.x.x
logging debug-trace
mtu Inside 1500
mtu Outside 1500
mtu management 1500
ip local pool VPN 192.168.x.1-192.168.x.254 mask 255.255.255.0
ip verify reverse-path interface Outside
ip audit name Attack_Policy attack action drop
ip audit name Information_Policy info action drop
ip audit interface Inside Information_Policy
ip audit interface Inside Attack_Policy
ip audit interface Outside Information_Policy
ip audit interface Outside Attack_Policy
ip audit signature 2000 disable
ip audit signature 2004 disable
no failover
monitor-interface Inside
monitor-interface Outside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any Outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (Outside) x. x.x.x.0 255.255.255.0
static (Inside,Outside) tcp interface www x. x.x.xwww netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp x. x.x.x smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface 8000 x. x.x.x 8000 netmask 255.255.255.255
static (Inside,Outside) tcp interface ssh x. x.x.x ssh netmask 255.255.255.255
static (Inside,Outside) tcp interface https x. x.x.xhttps netmask 255.255.255.255
static (Inside,Outside) tcp interface ftp x. x.x.x ftp netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 x. x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy rauantiques internal
group-policy rauantiques attributes
 wins-server value x. x.x.x
 dns-server value x. x.x.x
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value rauantiques_splitTunnelAcl
username user password fYlEpAtWJnS1QAz/ encrypted privilege 0
username user  password xbf0eci.L9L5uglP encrypted privilege 0
username user  password 05VeMFV0C.UNGVeb encrypted
username user  password eOpQITbgG0Yjb6SC encrypted
username user attributes
 vpn-group-policy group-name
username user  password QtMyOpE2oRyOBvpI encrypted
username user  password vlwYDlXXO13xuIYF encrypted
username user attributes
 password-storage enable
username user  password FuTVOkGzaQ0JNEHV encrypted
username user  password RXO/YnVONLEB.0f8 encrypted
username user  attributes
 password-storage enable
username user  password BS8Oyvw5wXIhSD87 encrypted privilege 0
username user  password 5AyCetolX9uV7Hbv encrypted
username user password b7oVpmDQHhLJZ46Y encrypted
username user password nY9fTifcyiIUjOVr encrypted
username user attributes
 password-storage enable
username user  password .htTxxdaIki.nd/U encrypted privilege 0
username user  password TC8ZGXszokzQG36Y encrypted
username user attributes
 vpn-group-policy group-name
username user password J9kEVfBS29so3IkM encrypted privilege 0
username user  password mA17QA7WOZkYNtre encrypted privilege 0
username user password BfV28gmkHUipz7db encrypted
username user  password At66XGsJDLX8dgJh encrypted
username user attributes
 password-storage enable
username user  password RujCWulEC1Qps.iK encrypted privilege 0
username user  attributes
 vpn-group-policy group-name
username user password y6f0V8tl0Nweem0I encrypted
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group rauantiques type ipsec-ra
tunnel-group rauantiques general-attributes
 address-pool VPN
 default-group-policy rauantiques
tunnel-group group-name ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 1440
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map global-class
 match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  csc fail-open
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:0ec057a1728ee039ca14710681336505
: end

Question by:nkuo

Accepted Solution

by:
nkuo earned 0 total points
ID: 24140279
Hi, was able to resolve this.  Had to issue a fixup protocol command.
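
Added example, not part of the original thread: a Python check that reads an ASA running config and reports when the FTP control port is published to the outside while no applied policy-map enables FTP inspection, the feature that lets the firewall follow the data port negotiated on the control channel. It assumes the fix in the answer was FTP fixup, which ASA 7.x expresses as `inspect ftp` in a policy-map; the `WITH_INSPECTION` lines and the function names are illustrative.

```python
import re

# Excerpt of the config posted in the question (redactions kept as posted).
POSTED = """\
access-list Outside_access_in extended permit tcp any interface Outside eq ftp-data
access-list Outside_access_in extended permit tcp any interface Outside eq ftp
static (Inside,Outside) tcp interface ftp x. x.x.x ftp netmask 255.255.255.255
access-group Outside_access_in in interface Outside
policy-map global-policy
 class global-class
  csc fail-open
service-policy global-policy global
"""

# Assumed shape of the fix (not shown on the page): FTP inspection in the applied policy.
WITH_INSPECTION = POSTED.replace(
    "service-policy",
    " class inspection_default\n  inspect ftp\nservice-policy", 1)


def policy_inspects_ftp(cfg, name):
    """True if policy-map `name` contains an 'inspect ftp' line."""
    inside = False
    for line in cfg.splitlines():
        if not line.strip():
            continue  # tolerate double-spaced forum pastes
        if not line.startswith(" "):
            inside = line.split()[:2] == ["policy-map", name]
        elif inside and line.split()[:2] == ["inspect", "ftp"]:
            return True
    return False


def audit_ftp(cfg):
    """Report FTP exposure and whether an applied policy inspects it."""
    published = re.findall(r"^static \(\S+?,(\S+?)\) tcp \S+ (?:ftp|21)\s", cfg, re.M)
    permitted = bool(re.search(
        r"^access-list \S+ extended permit tcp .* eq (?:ftp|21)\s*$", cfg, re.M))
    applied = re.findall(r"^service-policy (\S+) ", cfg, re.M)
    inspected = any(policy_inspects_ftp(cfg, p) for p in applied)
    finding = None
    if published and permitted and not inspected:
        finding = ("FTP control port published on %s without 'inspect ftp': "
                   "negotiated data ports are not opened or NAT-rewritten"
                   % ", ".join(sorted(set(published))))
    return {"published": published, "inspected": inspected, "finding": finding}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("with inspection", WITH_INSPECTION)):
        print(label, "->", audit_ftp(cfg)["finding"] or "ok")
```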
