• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1233

Cisco ASA 5505 - Passive FTP

Hello

I cannot make FTP or passive FTP work on my Cisco ASA 5505.

Here is the config:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.242.107.242 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.239.134.83
 name-server 193.162.153.164
 domain-name default.domain.invalid
dns server-group OPENDNS
 name-server 208.67.222.222
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 800
access-list outside_access_in extended permit tcp any interface outside eq 366
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 5500
access-list outside_access_in extended permit tcp any interface outside eq 1200
access-list outside_access_in extended permit tcp any interface outside eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.100 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 800 192.168.1.100 800 netmask 255.255.255.255
static (inside,outside) tcp interface 366 192.168.1.100 366 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5500 192.168.1.100 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 1200 192.168.1.100 1200 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 4282 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.100 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.242.107.1 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:8ef61b3523fae6ecaa5210e245119a87
: end
0
Asked by: radut
1 Solution
 
Istvan KalmarCommented:
Where do you want to build the FTP connection?
0
 
Vito_CorleoneCommented:
This is a basic inspection list; most of it is the default. I would suggest using the "reload in 5" command before executing it, as it might cause problems:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

It should inspect FTP and allow for passive.
0
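Why `inspect ftp` is the fix rather than another `static`/`access-list` pair: with only tcp/21 forwarded (the `static ... interface ftp 192.168.1.100 ftp` line), the server answers PASV with its own 192.168.1.100 address and a random data port, which an outside client can neither reach nor pass through the ACL. The inspection engine rewrites that embedded address to the outside interface and opens a temporary pinhole for the data port. Note that the `ftp mode passive` line already in the config only affects the ASA's own FTP client (for example `copy ftp:`), not transit traffic. The script below is an added example written for this thread, not Cisco code; it models the fixup in a simplified way (the real engine also handles PORT/EPSV and tracks connection state) and includes a client-side check that flags the symptom. The two addresses are the ones in the posted config; the data port 1025 is made up.

```python
"""Passive FTP through NAT: the control-channel fixup 'inspect ftp' performs,
and a client-side check for the symptom when it is missing.

Added example for this thread; it is not Cisco code and does not model the ASA
exactly (the real engine also handles PORT/EPSV and tracks connection state).
Addresses are the ones in the posted config (inside server 192.168.1.100,
outside interface 193.242.107.242); the data ports are made up.
"""
import ipaddress
import re
import socket
from ftplib import FTP
from typing import Optional, Tuple

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# (outside ip:port, inside ip:port) the inspector must translate and permit
Pinhole = Tuple[Tuple[str, int], Tuple[str, int]]


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return the (ip, port) a 227 reply tells the client to connect to."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    """Build a 227 reply advertising ip:port."""
    return f"227 Entering Passive Mode ({ip.replace('.', ',')},{port // 256},{port % 256})."


def inspect_ftp(reply: str, inside_ip: str, outside_ip: str) -> Tuple[str, Optional[Pinhole]]:
    """Model what a stateful FTP inspector does to a 227 reply crossing NAT.

    Only tcp/21 is statically forwarded in the posted config, so the server's
    randomly chosen data port is neither translated nor permitted by the ACL.
    The inspector fixes both: it rewrites the embedded private address to the
    public one and records a pinhole so the client's data connection is
    accepted and translated.  Returns (rewritten_reply, pinhole); the reply is
    passed through untouched if it does not advertise the translated server.
    """
    ip, port = parse_pasv(reply)
    if ip != inside_ip:
        return reply, None
    pinhole: Pinhole = ((outside_ip, port), (inside_ip, port))
    return format_pasv(outside_ip, port), pinhole


def diagnose_pasv(reply: str, control_peer_ip: str) -> str:
    """Classify a 227 reply as seen by a client *outside* the firewall.

    An RFC 1918 address, or one that differs from the host the control
    connection is talking to, is the signature of NAT without FTP inspection:
    the data connection would go to an address the client cannot reach.
    """
    ip, port = parse_pasv(reply)
    if ipaddress.ip_address(ip).is_private:
        return f"BROKEN: server advertised private address {ip}:{port}; NAT fixup missing"
    if ip != control_peer_ip:
        return f"SUSPECT: data address {ip} differs from control peer {control_peer_ip}"
    return f"OK: data connection will go to {ip}:{port}"


def live_pasv_check(host: str, user: str = "anonymous", passwd: str = "guest@example.invalid") -> str:
    """Online variant: log in, send PASV and diagnose the real reply.
    Not exercised here; run it against your own server from outside."""
    peer = socket.gethostbyname(host)
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, passwd)
        reply = ftp.sendcmd("PASV")
    return diagnose_pasv(reply, peer)


if __name__ == "__main__":
    # Constructed reply: the inside server picks data port 1025 (4*256+1).
    server_reply = "227 Entering Passive Mode (192,168,1,100,4,1)."
    print("no inspection ->", diagnose_pasv(server_reply, "193.242.107.242"))
    fixed, hole = inspect_ftp(server_reply, "192.168.1.100", "193.242.107.242")
    print("inspect ftp   ->", fixed, "pinhole", hole)
    print("client sees   ->", diagnose_pasv(fixed, "193.242.107.242"))
```

Running `live_pasv_check("your.public.host")` from a machine outside the firewall reproduces the check against a real server: a "BROKEN" result with a 192.168.x.x address is exactly what a client sees when the static PAT is in place but `inspect ftp` is not.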
 
radutAuthor Commented:
Can you guide me step by step?
0
 
Istvan KalmarCommented:
conf t

and   inspect ftp allow for passive ftp connection
0
 
radutAuthor Commented:
conf t works

"inspect ftp allow for passive ftp connection" Not

inspect ftp allow for passive ftp connection
  ^
ERROR: % Invalid input detected at '^' marker.
0
 
Vito_CorleoneCommented:
reload in 5 [confirm]
conf t

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
0
 
Istvan KalmarCommented:
conf t
lass-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
0
 
Istvan KalmarCommented:
conf t
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
0
 
radutAuthor Commented:
I don't get it...

Shall I send all the lines?

conf t
lass-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
0
 
Istvan KalmarCommented:
yes
0
 
radutAuthor Commented:
I get an error

Result of the command: "conf t"

The command has been sent to the device



Result of the command: "lass-map inspection_default"

lass-map inspection_default
 ^
ERROR: % Invalid input detected at '^' marker.
0
 
Istvan KalmarCommented:
OK.

Could you show us the whole screen output so we can help you?

0
 
Istvan KalmarCommented:
ena

conf t
 

then showing :

asa#

Am I right?
0
 
radutAuthor Commented:
The whole screen is


Result of the command: "conf t"

The command has been sent to the device



Result of the command: "lass-map inspection_default"

lass-map inspection_default
 ^
ERROR: % Invalid input detected at '^' marker.



After I write in the command line interface:

conf t (enter)
lass-map inspection_default (enter)
0
 
Vito_CorleoneCommented:
You missed the c in class-map. Paste it again, but make sure you get all of it.
0
 
radutAuthor Commented:
I am in the command line interface from the application.
0
 
radutAuthor Commented:
You are right

Now I get another error:



Result of the command: "class-map inspection_default"

The command has been sent to the device



Result of the command: "match default-inspection-traffic"

match default-inspection-traffic
  ^
ERROR: % Invalid input detected at '^' marker.
0
 
Vito_CorleoneCommented:
There's no c in class-map in what you pasted:

Result of the command: "lass-map inspection_default"

lass-map inspection_default
0
 
Istvan KalmarCommented:
Please put in the commands...
0
 
Istvan KalmarCommented:
Here is the right code:
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

0
 
Vito_CorleoneCommented:
Can you get access to the CLI instead of ASDM?
0
 
radutAuthor Commented:
Line 2 gives an error:

Result of the command: "match default-inspection-traffic"

match default-inspection-traffic
  ^
ERROR: % Invalid input detected at '^' marker.

0
 
radutAuthor Commented:
I do not know how to get access to the CLI instead of ASDM.
0
 
Vito_CorleoneCommented:
You need to SSH to the device. You can use PuTTY or other free clients. Here's a guide:

http://www.electrictoolbox.com/article/applications/ssh-putty/
0
 
Istvan KalmarCommented:
Could you show us the whole screen output so we can help you?
0
 
radutAuthor Commented:
It will not connect.

I configured it by IP, port 22, SSH to 1.

The prompt comes but nothing happens.
0
 
Vito_CorleoneCommented:
0
 
radutAuthor Commented:
And I cannot write in the prompt.
0
 
Vito_CorleoneCommented:
Paste the prompt in here. You probably need to create a username, but I don't know how you're getting in with ASDM without one.
0
 
radutAuthor Commented:
Not working.

Is there no other way to make passive FTP work?
0
 
Vito_CorleoneCommented:
You need to get that config in there. If you can't do it from ASDM and you can't login via SSH, I don't know how we can help.
0
 
radutAuthor Commented:
When I connect with SSH I get this error: "Server unexpectedly closed network connection"
0
 
Vito_CorleoneCommented:
Add the command:

ssh 0.0.0.0 0.0.0.0 outside

0
 
radutAuthor Commented:
Same error :(
0
 
radutAuthor Commented:
I made it work in ASDM.

Here is the output from the screen:

Result of the command: "class-map inspection_default"

The command has been sent to the device


Result of the command: "match default-inspection-traffic"

The command has been sent to the device


Result of the command: "!"

The command has been sent to the device


Result of the command: "!"

The command has been sent to the device


Result of the command: "policy-map type inspect dns preset_dns_map"

The command has been sent to the device


Result of the command: "parameters"

The command has been sent to the device


Result of the command: "message-length maximum 512"

The command has been sent to the device


Result of the command: "policy-map global_policy"

The command has been sent to the device


Result of the command: "class inspection_default"

The command has been sent to the device


Result of the command: "inspect dns preset_dns_map"

The command has been sent to the device


Result of the command: "inspect ftp"

The command has been sent to the device


Result of the command: "inspect rtsp"

The command has been sent to the device


Result of the command: "inspect esmtp"

The command has been sent to the device


Result of the command: "inspect sqlnet"

The command has been sent to the device


Result of the command: "inspect skinny"

The command has been sent to the device


Result of the command: "inspect sunrpc"

The command has been sent to the device


Result of the command: "inspect sip"

The command has been sent to the device


Result of the command: "inspect netbios"

The command has been sent to the device


Result of the command: "inspect tftp"

The command has been sent to the device


Result of the command: "!"

The command has been sent to the device


Result of the command: "service-policy global_policy global"

The command has been sent to the device


What more?

0
 
radutAuthor Commented:
Now I will go to save it. How do I do that?

0
 
Vito_CorleoneCommented:
"write mem" will save it
0
 
Boilermaker85Commented:
From the ASDM, you can click on the Save button in the menu bar. Your problem earlier using the command line from within ASDM is that you needed to paste the whole thing in as a multiple-line command, rather than a single-line command. Your SSH is not working most likely because you have not set an SSH fingerprint. From the ASDM, select Tools/Command Line Interface and enter these single-line commands:
crypto key generate rsa modulus 2048
write mem
Now you should be able to make an SSH2 connection from PuTTY.
0
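Two things in this thread deserve a check before the config is saved: the `ssh 0.0.0.0 0.0.0.0 outside` line suggested earlier exposes the management plane to every host on the Internet, and without `aaa authentication ssh console LOCAL` the ASA's SSH login falls back to the built-in `pix` user with the `passwd` line as its password. The script below is an added example for this thread, not Cisco tooling: it audits a `show run` text for those exposures and for a missing global `inspect ftp`. `SAMPLE_BEFORE` is a constructed excerpt of the posted config plus the suggested SSH line; `SAMPLE_AFTER` is the same device with SSH limited to the inside LAN, a named local admin (the `<hash>` placeholder is not a real hash), SSHv2 pinned, and the inspection policy applied. The RSA key pair itself does not appear in `show run`, so the audit cannot confirm `crypto key generate rsa` was run.

```python
"""Audit an ASA 'show run' for exposed management access and a missing FTP
inspection policy.  Added example for this thread, not Cisco tooling; the
sample configs are constructed excerpts modelled on the one posted above and
on the SSH/inspect commands suggested in the replies.
"""
import re
from typing import List, Set

# Excerpt of the posted config plus the suggested 'ssh 0.0.0.0 0.0.0.0 outside'.
SAMPLE_BEFORE = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.242.107.242 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# Same device with SSH limited to the inside LAN, a named local admin user,
# SSHv2 only, and 'inspect ftp' in the global policy (<hash> is a placeholder).
SAMPLE_AFTER = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.242.107.242 255.255.255.0
username admin password <hash> encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""

# 'ssh|telnet|http <source ip> <mask> <interface>' management-access lines
MGMT_RE = re.compile(r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def untrusted_interfaces(cfg: str) -> Set[str]:
    """nameif values of interfaces at security-level 0."""
    names, current = set(), None
    for line in cfg.splitlines():
        m = re.match(r"\s*nameif\s+(\S+)", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"\s*security-level\s+0\s*$", line):
            names.add(current)
    return names


def audit_asa_config(cfg: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    lines = [l.strip() for l in cfg.splitlines()]
    untrusted = untrusted_interfaces(cfg)
    findings: List[str] = []
    ssh_enabled = False
    for line in lines:
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, ip, mask, intf = m.groups()
        ssh_enabled = ssh_enabled or proto == "ssh"
        if proto == "telnet":
            findings.append(f"telnet management from {ip}/{mask} on {intf}: cleartext credentials")
        if intf in untrusted and mask == "0.0.0.0":
            findings.append(f"{proto} management reachable from any Internet host on {intf}: '{line}'")
    if ssh_enabled and "ssh version 2" not in lines:
        findings.append("ssh version not pinned to 2: SSHv1 clients are still accepted")
    if ssh_enabled and not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append("no AAA for SSH: login falls back to the built-in 'pix' user and the telnet password")
    has_inspect = any(re.match(r"inspect ftp\b", l) for l in lines)
    has_global = any(re.match(r"service-policy \S+ global$", l) for l in lines)
    if not (has_inspect and has_global):
        findings.append("no 'inspect ftp' applied globally: passive FTP data connections are not fixed up through NAT")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {name} ==")
        for f in audit_asa_config(cfg) or ["no findings"]:
            print(" -", f)
```

Paste the full `show run` output into `audit_asa_config` to run it on a real device; the interface names are derived from `nameif`/`security-level 0`, so it does not assume the interface is called `outside`.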
 
radutAuthor Commented:
Thanks!
0
