Solved

FTP connection drops when using an FTP client

Posted on 2009-04-14
Last Modified: 2013-12-09
Hi,
Using IIS as FTP server.  Sitting behind an ASA 5510. From the inside, all FTP functionality works fine.  From the outside: Can connect to FTP using low level client like Windows command prompt.  Am able to put files and retrieve directory listing.  However when I use an FTP client, the client is not able to retrieve directory listing and gets disconnected from the server.  On the ASA, both incoming FTP and FTP data is allowed.  I'm not a networking person so please reply in newbie language.  Below is the running config
ASA Version 7.2(2) 

!

hostname ciscoasa

domain-name default.domain.invalid

enable password e/B.SxSFWffDPrii encrypted

names

name 192.168.x.x Server4

!

interface Ethernet0/0

 nameif Inside

 security-level 100

 ip address 192.168.x.x 255.255.255.0 

!

interface Ethernet0/1

 nameif Outside

 security-level 0

 ip address x.x.x.x  255.255.255.x

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.x.x 255.255.255.0 

 management-only

!

passwd e/B.SxSFWffDPrii encrypted

ftp mode passive

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list Outside_access_in extended permit tcp any interface Outside eq www 

access-list Outside_access_in extended permit tcp any interface Outside eq 8000 

access-list Outside_access_in extended permit icmp any any 

access-list Outside_access_in extended permit tcp any interface Outside eq ssh 

access-list Outside_access_in extended permit tcp any interface Outside eq smtp 

access-list Outside_access_in extended permit tcp any interface Outside eq https 

access-list Outside_access_in extended permit tcp any interface Outside eq ftp-data 

access-list Outside_access_in extended permit tcp any interface Outside eq ftp 

access-list rauantiques_splitTunnelAcl standard permit 192.168.x.x 255.255.255.0 

access-list Inside_nat0_outbound extended permit ip any 192.168.x.x 255.255.255.0 

pager lines 24

logging console debugging

logging monitor debugging

logging buffered debugging

logging asdm debugging

logging mail debugging

logging from-address xx@xx.com

logging recipient-address xx@xx.com level errors

logging queue 2048

logging host Inside 192.168.x.x

logging debug-trace

mtu Inside 1500

mtu Outside 1500

mtu management 1500

ip local pool VPN 192.168.x.1-192.168.x.254 mask 255.255.255.0

ip verify reverse-path interface Outside

ip audit name Attack_Policy attack action drop

ip audit name Information_Policy info action drop

ip audit interface Inside Information_Policy

ip audit interface Inside Attack_Policy

ip audit interface Outside Information_Policy

ip audit interface Outside Attack_Policy

ip audit signature 2000 disable

ip audit signature 2004 disable

no failover

monitor-interface Inside

monitor-interface Outside

monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Inside

icmp permit any Outside

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (Outside) x. x.x.x.0 255.255.255.0

static (Inside,Outside) tcp interface www x. x.x.xwww netmask 255.255.255.255 

static (Inside,Outside) tcp interface smtp x. x.x.x smtp netmask 255.255.255.255 

static (Inside,Outside) tcp interface 8000 x. x.x.x 8000 netmask 255.255.255.255 

static (Inside,Outside) tcp interface ssh x. x.x.x ssh netmask 255.255.255.255 

static (Inside,Outside) tcp interface https x. x.x.xhttps netmask 255.255.255.255 

static (Inside,Outside) tcp interface ftp x. x.x.x ftp netmask 255.255.255.255 

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 x. x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

group-policy rauantiques internal

group-policy rauantiques attributes

 wins-server value x. x.x.x

 dns-server value x. x.x.x

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value rauantiques_splitTunnelAcl

username user password fYlEpAtWJnS1QAz/ encrypted privilege 0

username user  password xbf0eci.L9L5uglP encrypted privilege 0

username user  password 05VeMFV0C.UNGVeb encrypted

username user  password eOpQITbgG0Yjb6SC encrypted

username user attributes

 vpn-group-policy group-name

username user  password QtMyOpE2oRyOBvpI encrypted

username user  password vlwYDlXXO13xuIYF encrypted

username user attributes

 password-storage enable

username user  password FuTVOkGzaQ0JNEHV encrypted

username user  password RXO/YnVONLEB.0f8 encrypted

username user  attributes

 password-storage enable

username user  password BS8Oyvw5wXIhSD87 encrypted privilege 0

username user  password 5AyCetolX9uV7Hbv encrypted

username user password b7oVpmDQHhLJZ46Y encrypted

username user password nY9fTifcyiIUjOVr encrypted

username user attributes

 password-storage enable

username user  password .htTxxdaIki.nd/U encrypted privilege 0

username user  password TC8ZGXszokzQG36Y encrypted

username user attributes

 vpn-group-policy group-name

username user password J9kEVfBS29so3IkM encrypted privilege 0

username user  password mA17QA7WOZkYNtre encrypted privilege 0

username user password BfV28gmkHUipz7db encrypted

username user  password At66XGsJDLX8dgJh encrypted

username user attributes

 password-storage enable

username user  password RujCWulEC1Qps.iK encrypted privilege 0

username user  attributes

 vpn-group-policy group-name

username user password y6f0V8tl0Nweem0I encrypted

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map Outside_dyn_map 20 set pfs 

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

tunnel-group rauantiques type ipsec-ra

tunnel-group rauantiques general-attributes

 address-pool VPN

 default-group-policy rauantiques

tunnel-group group-name ipsec-attributes

 pre-shared-key *

telnet 0.0.0.0 0.0.0.0 Inside

telnet timeout 1440

ssh timeout 60

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

!

class-map global-class

 match port tcp eq www

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global-policy

 class global-class

  csc fail-open

!

service-policy global-policy global

prompt hostname context 

Cryptochecksum:0ec057a1728ee039ca14710681336505

: end

Question by:nkuo

Accepted Solution

by:
nkuo earned 0 total points
ID: 24140279
Hi, was able to resolve this.  Had to issue a fixup protocol command.
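
Why an FTP fixup (inspection) command helps here, as an added example that is not part of the original post: it assumes the failing client used passive mode, where the server's 227 reply names an address and port for the data connection that the posted ACL (ftp and ftp-data only) and static entries do not cover. The sample reply, the address 203.0.113.5 and all function names are constructed for illustration.

```python
import ipaddress
import re

# TCP ports the posted Outside_access_in ACL permits for FTP: ftp-data, ftp.
ACL_TCP_PORTS = {20, 21}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) advertised in a '227 Entering Passive Mode' reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(v) for v in n[:4]))
    return ip, n[4] * 256 + n[5]  # port is sent as high byte, low byte

def diagnose(reply, allowed_ports=ACL_TCP_PORTS):
    """List reasons an outside client cannot open the data connection."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append("server advertises inside address %s" % ip)
    if port not in allowed_ports:
        problems.append("data port %d is not permitted inbound" % port)
    return problems

def rewrite_pasv(reply, outside_ip):
    """Address rewrite an FTP-aware NAT device applies to the 227 reply.
    Such a device also opens a temporary pinhole for the advertised port."""
    _, port = parse_pasv(reply)
    octets = str(ipaddress.IPv4Address(outside_ip)).replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        octets, port // 256, port % 256)

# Constructed sample: inside server 192.168.1.10 offering data port 50001.
SAMPLE = "227 Entering Passive Mode (192,168,1,10,195,81)"

if __name__ == "__main__":
    for line in diagnose(SAMPLE):
        print("without inspection:", line)
    print("with inspection:   ", rewrite_pasv(SAMPLE, "203.0.113.5"))
```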
Question has a verified solution.