Solved

FTP connection drops when using an FTP client

Posted on 2009-04-14
Last Modified: 2013-12-09
Hi,
Using IIS as FTP server.  Sitting behind an ASA 5510. From the inside, all FTP functionality works fine.  From the outside: Can connect to FTP using low level client like windows command prompt.  Am able to put files and retrieve directory listing.  However when I use an FTP client, the client is not able to retrieve directory listing and gets disconnected from the server.  On the ASA, both incoming FTP and FTP data is allowed.  I'm not a networking person so please reply in newbie language.  Below is the running config
ASA Version 7.2(2) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password e/B.SxSFWffDPrii encrypted
names
name 192.168.x.x Server4
!
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0 
!
interface Ethernet0/1
 nameif Outside
 security-level 0
 ip address x.x.x.x  255.255.255.x
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.x.x 255.255.255.0 
 management-only
!
passwd e/B.SxSFWffDPrii encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside_access_in extended permit tcp any interface Outside eq www 
access-list Outside_access_in extended permit tcp any interface Outside eq 8000 
access-list Outside_access_in extended permit icmp any any 
access-list Outside_access_in extended permit tcp any interface Outside eq ssh 
access-list Outside_access_in extended permit tcp any interface Outside eq smtp 
access-list Outside_access_in extended permit tcp any interface Outside eq https 
access-list Outside_access_in extended permit tcp any interface Outside eq ftp-data 
access-list Outside_access_in extended permit tcp any interface Outside eq ftp 
access-list rauantiques_splitTunnelAcl standard permit 192.168.x.x 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip any 192.168.x.x 255.255.255.0 
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm debugging
logging mail debugging
logging from-address xx@xx.com
logging recipient-address xx@xx.com level errors
logging queue 2048
logging host Inside 192.168.x.x
logging debug-trace
mtu Inside 1500
mtu Outside 1500
mtu management 1500
ip local pool VPN 192.168.x.1-192.168.x.254 mask 255.255.255.0
ip verify reverse-path interface Outside
ip audit name Attack_Policy attack action drop
ip audit name Information_Policy info action drop
ip audit interface Inside Information_Policy
ip audit interface Inside Attack_Policy
ip audit interface Outside Information_Policy
ip audit interface Outside Attack_Policy
ip audit signature 2000 disable
ip audit signature 2004 disable
no failover
monitor-interface Inside
monitor-interface Outside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any Outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (Outside) x. x.x.x.0 255.255.255.0
static (Inside,Outside) tcp interface www x. x.x.xwww netmask 255.255.255.255 
static (Inside,Outside) tcp interface smtp x. x.x.x smtp netmask 255.255.255.255 
static (Inside,Outside) tcp interface 8000 x. x.x.x 8000 netmask 255.255.255.255 
static (Inside,Outside) tcp interface ssh x. x.x.x ssh netmask 255.255.255.255 
static (Inside,Outside) tcp interface https x. x.x.xhttps netmask 255.255.255.255 
static (Inside,Outside) tcp interface ftp x. x.x.x ftp netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 x. x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy rauantiques internal
group-policy rauantiques attributes
 wins-server value x. x.x.x
 dns-server value x. x.x.x
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value rauantiques_splitTunnelAcl
username user password fYlEpAtWJnS1QAz/ encrypted privilege 0
username user  password xbf0eci.L9L5uglP encrypted privilege 0
username user  password 05VeMFV0C.UNGVeb encrypted
username user  password eOpQITbgG0Yjb6SC encrypted
username user attributes
 vpn-group-policy group-name
username user  password QtMyOpE2oRyOBvpI encrypted
username user  password vlwYDlXXO13xuIYF encrypted
username user attributes
 password-storage enable
username user  password FuTVOkGzaQ0JNEHV encrypted
username user  password RXO/YnVONLEB.0f8 encrypted
username user  attributes
 password-storage enable
username user  password BS8Oyvw5wXIhSD87 encrypted privilege 0
username user  password 5AyCetolX9uV7Hbv encrypted
username user password b7oVpmDQHhLJZ46Y encrypted
username user password nY9fTifcyiIUjOVr encrypted
username user attributes
 password-storage enable
username user  password .htTxxdaIki.nd/U encrypted privilege 0
username user  password TC8ZGXszokzQG36Y encrypted
username user attributes
 vpn-group-policy group-name
username user password J9kEVfBS29so3IkM encrypted privilege 0
username user  password mA17QA7WOZkYNtre encrypted privilege 0
username user password BfV28gmkHUipz7db encrypted
username user  password At66XGsJDLX8dgJh encrypted
username user attributes
 password-storage enable
username user  password RujCWulEC1Qps.iK encrypted privilege 0
username user  attributes
 vpn-group-policy group-name
username user password y6f0V8tl0Nweem0I encrypted
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set pfs 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group rauantiques type ipsec-ra
tunnel-group rauantiques general-attributes
 address-pool VPN
 default-group-policy rauantiques
tunnel-group group-name ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 1440
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map global-class
 match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  csc fail-open
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:0ec057a1728ee039ca14710681336505
: end

Question by:nkuo
Accepted Solution

by:
nkuo earned 0 total points
ID: 24140279
Hi, was able to resolve this.  Had to issue a fixup protocol command.
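
Added example, not part of the original thread: FTP inspection (what the fixup command turns on) reads the control channel, opens the negotiated data port and rewrites addresses that NAT would otherwise leave unreachable. Assuming the graphical client used passive mode (the post does not say), this Python code parses the data endpoint out of PORT commands and 227 replies, flags a passive reply that advertises the server's private address, and emulates the rewrite. The sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple carried by the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or 227 reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"      # client tells the server where to connect
    elif text.startswith("227"):
        mode = "passive"     # server tells the client where to connect
    else:
        return None
    m = _HOSTPORT.search(text)
    nums = [int(g) for g in m.groups()] if m else []
    if not nums or max(nums) > 255:
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return mode, ip, nums[4] * 256 + nums[5]

def unreachable_passive_endpoints(control_lines):
    """Passive endpoints advertising a private address an outside client cannot reach."""
    found = []
    for line in control_lines:
        ep = parse_data_endpoint(line)
        if ep and ep[0] == "passive" and ep[1].is_private:
            found.append((str(ep[1]), ep[2]))
    return found

def rewrite_for_nat(line, public_ip):
    """Emulate the address rewrite an FTP-aware firewall applies to a 227 reply."""
    ep = parse_data_endpoint(line)
    if ep is None or ep[0] != "passive" or not ep[1].is_private:
        return line
    p1, p2 = divmod(ep[2], 256)
    new = ",".join(str(public_ip).split(".") + [str(p1), str(p2)])
    return _HOSTPORT.sub(new, line, count=1)

# Constructed control-channel lines: addresses and ports are made up.
SAMPLE = [
    "220 Microsoft FTP Service",
    "PASV",
    "227 Entering Passive Mode (192,168,1,10,19,137).",
    "LIST",
]
PUBLIC_IP = "203.0.113.5"  # placeholder from the documentation range
```

Without inspection, the static PAT for port 21 carries only the control channel, so the client is pointed at 192.168.1.10:5001 and the directory listing never arrives.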