Solved

Cisco ASA 5505 - Doesn't Allow FTP Conversation, "List" Command Blocked

Posted on 2010-11-16
2,095 Views
Last Modified: 2012-05-10
Hi,

We have a Cisco ASA 5505 running on our network. Internally we have an FTP server which listens on port 21; as well as this, it has been configured to use PASV on 28000-28500.

When a user connects they are able to authenticate etc.; however, when they come to use a command like "List", the connection drops. I believe users experiencing this problem may be behind corporate firewalls, as from behind a standard ADSL router we are able to access the FTP just fine.

I'd appreciate any suggestions.

It's 219.154.183.109 (ext) or 10.100.25.190 (int) that is the FTP in question.

I've attached PASV & non-PASV connection logs & the ASA conf (part) (public IPs have been changed).

Status: Connecting to ftp.previewservices.com ...
Status: Connected with seproxy3.hm.com. Waiting for welcome message...
Response: 220 Blue Coat FTP Service
Status: Trying to access ftp.previewservices.com through ftp proxy...
Command: USER testftp@ftp.previewservices.com hm\adcle
Response: 331 Enter password.
Command: PASS **********
Response: 332 Enter proxy password.
Command: PASS **********
Response: 230 Login OK. Proceed.
Command: FEAT
Response: 211-Extensions supported:
Response: MDTM
Response: SIZE
Response: 211 END
Command: SYST
Response: 215 UNIX Type: L8
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/Usr/testftp" is current folder.
Command: PASV
Response: 227 Entering Passive Mode (10,66,250,8,210,123)
Command: TYPE A
Response: 200 Command okay.
Command: LIST
Response: 421 Service not available, closing control connection.
Error: Disconnected from server
Error: Could not retrieve directory listing
Error: Timeout detected!


Status: Connecting to ftp.previewservices.com ....
Status: Connected with seproxy3.hm.com. Waiting for welcome message...
Response: 220 Blue Coat FTP Service
Status: Trying to access ftp.previewservices.com through ftp proxy...
Command: USER testftp@ftp.previewservices.com hm\adcle
Response: 331 Enter password.
Command: PASS **********
Response: 332 Enter proxy password.
Command: PASS **********
Response: 230 Login OK. Proceed.
Command: FEAT
Response: 211-Extensions supported:
Response: MDTM
Response: SIZE
Response: 211 END
Command: SYST
Response: 215 UNIX Type: L8
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/Usr/testftp" is current folder.
Command: PORT 10,15,3,149,7,114
Response: 200 PORT command successful.
Command: TYPE A
Response: 200 Command okay.
Command: LIST
Response: 421 Service not available, closing control connection.
Error: Disconnected from server
Error: Could not retrieve directory listing
Error: Timeout detected!


: Saved
:
ASA Version 7.2(4) 
!
hostname 
domain-name lan
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.25.252 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ------------- 255.255.255.224 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name lan
same-security-traffic permit intra-interface
object-group service SFTP tcp
 description SFTP Ports
 port-object range 28000 30000
 port-object eq 990
 port-object eq https
 port-object eq ssh
object-group service FTP tcp
 description FTP Ports
 port-object eq ftp
 port-object eq ftp-data
object-group service Netmeeting_TCP tcp
 description Netmeeting TCP Ports
 port-object eq 1503
 port-object eq 1731
 port-object eq 522
 port-object eq h323
 port-object eq ldap
object-group service Netmeeting_UDP udp
 description Netmeeting UDP Ports
 port-object range 1024 65535
access-list outside_access_in remark Allow ICMP
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark Allow FTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.105 eq ftp 
access-list outside_access_in remark Allow FTP-Data Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.105 eq ftp-data 
access-list outside_access_in remark Allow HTTPS Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.102 eq https 
access-list outside_access_in remark Allow PPTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.101 eq pptp 
access-list outside_access_in remark Allow PPTP Inbound
access-list outside_access_in extended permit gre any host 219.154.183.101 
access-list outside_access_in remark Allow HTTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.106 eq www 
access-list outside_access_in remark Allow FTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.107 eq ftp 
access-list outside_access_in remark Allow FTP-DATA Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.107 eq ftp-data 
access-list outside_access_in remark Allow 38911 Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.108 eq 38911 
access-list outside_access_in remark Allow SFTP Group Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.109 object-group SFTP 
access-list outside_access_in remark Allow FTP Group Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.109 eq ftp 
access-list outside_access_in remark Allow 1001 Inbound (Net Camera)
access-list outside_access_in extended permit tcp any host 219.154.183.110 eq 1001 
access-list outside_access_in remark Allow NETMEETING Inbound
access-list outside_access_in extended permit udp host 203.153.7.18 host 219.154.183.103 object-group Netmeeting_UDP 
access-list outside_access_in remark Allow NETMEETING Inbound
access-list outside_access_in extended permit tcp host 203.153.7.18 host 219.154.183.103 object-group Netmeeting_TCP 
access-list outside_access_in remark Allow NETMEETING Inbound
access-list outside_access_in extended permit udp host 203.153.7.18 host 219.154.183.104 object-group Netmeeting_UDP 
access-list outside_access_in remark Allow NETMEETING Inbound
access-list outside_access_in extended permit tcp host 203.153.7.18 host 219.154.183.104 object-group Netmeeting_TCP 
access-list outside_access_in remark Allow HTTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq www 
access-list outside_access_in remark Allow HTTPS Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq https 
access-list outside_access_in remark Allow IMAP4 Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq imap4 
access-list outside_access_in remark Allow IMAPS Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq 993 
access-list outside_access_in remark Allow SMTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq smtp 
access-list outside_access_in extended permit tcp any host 219.154.183.109 eq ftp-data 
access-list outside_access_in extended permit tcp any host 10.100.25.190 
access-list outside_1_cryptomap extended permit ip 10.100.25.0 255.255.255.0 host 192.168.233.115 
access-list outside_1_cryptomap extended permit ip 10.100.25.0 255.255.255.0 host 192.168.233.129 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 host 192.168.233.129 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 host 192.168.233.115 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 172.27.34.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 10.100.27.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 192.168.248.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 192.168.51.0 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 10.100.25.0 255.255.255.0 172.27.34.0 255.255.255.0 
access-list XXXVPN_splitTunnelAcl standard permit 10.100.25.0 255.255.255.0 
access-list XXXVPN_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0 
access-list outside_3_cryptomap extended permit ip host 10.66.20.10 host 10.66.0.130 
access-list outside_4_cryptomap extended permit ip 10.100.25.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list outside_4_cryptomap extended permit ip 10.100.25.0 255.255.255.0 192.168.51.0 255.255.255.0 
access-list outside_4_cryptomap extended permit ip 10.100.27.0 255.255.255.0 192.168.50.0 255.255.255.0 
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 10.100.27.1-10.100.27.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 219.154.183.101 10.100.25.23 netmask 255.255.255.255 
static (inside,outside) 219.154.183.105 10.100.25.33 netmask 255.255.255.255 
static (inside,outside) 219.154.183.102 10.100.25.13 netmask 255.255.255.255 
static (inside,outside) 219.154.183.106 10.100.25.44 netmask 255.255.255.255 
static (inside,outside) 219.154.183.107 10.100.25.34 netmask 255.255.255.255 
static (inside,outside) 219.154.183.113 10.100.25.169 netmask 255.255.255.255 
static (inside,outside) 219.154.183.108 10.100.25.56 netmask 255.255.255.255 
static (inside,outside) 219.154.183.109 10.100.25.190 netmask 255.255.255.255 
static (inside,outside) 219.154.183.110 10.100.25.67 netmask 255.255.255.255 
static (inside,outside) 219.154.183.103 10.100.25.158 netmask 255.255.255.255 
static (inside,outside) 219.154.183.104 10.100.25.149 netmask 255.255.255.255 
static (inside,outside) 219.154.183.111 10.100.25.70 netmask 255.255.255.255 
static (inside,outside) 10.66.20.10 10.100.25.12 netmask 255.255.255.255


Question by:JTechnical
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143862
I see ftp mode is set to passive. Is that correct?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143868
 

Author Comment

by:JTechnical
ID: 34143875
Passive is turned on on the FTP server; there are logs from the client with both PASV on and off.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143942
I can't see it here but is the ftp inspect rule in place?
 

Author Comment

by:JTechnical
ID: 34143952
Ernie,

I'm not sure what that is; what would I need to add for that?

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143974
You should have something like this in your config:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
 

Author Comment

by:JTechnical
ID: 34144040
There's no mention of "inspect" in the whole config. Shall I add those in?
 
LVL 35

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 34144166
Let's do that.

The default policy configuration includes these commands:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
 

Author Comment

by:JTechnical
ID: 34146691
I'm pleased to say this has fixed the issue. Would you be able to briefly explain what these few lines would have done? I don't fully understand what has been done here. Thank you.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34146855
Off the top of my head, and to put it short:

Inspection rules enable the inspection engines on the ASA. These check the enabled protocols for RFC conformity. So in the case of FTP: if disabled when using passive FTP, the Cisco blocks the additional ports you defined for the FTP data connection because they are initiated from the client. When enabled, the ASA 'knows' that the CLIENT will set up the data connection on another port, conforming to the RFC.
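To make concrete what the `inspect ftp` line in the accepted solution adds, and what the explanation above means by the ASA "knowing" the data port, here is an added Python example (not code from the thread, Cisco, or the ASA): it parses the PASV and PORT lines quoted from the client logs above (plus a constructed RFC 2428 EPSV reply, as a generalisation) to derive the data-connection endpoint the way an inspection engine must, and checks whether the fixed port-objects in the posted ACL would have covered that port on their own. The STATIC_ALLOWED ranges are taken from the posted object-groups; the SAMPLE_LOG is assembled here for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Static pinholes the posted ACL opens toward 219.154.183.109 without inspection:
# object-group SFTP (28000-30000, 990, https, ssh) plus ftp and ftp-data.
STATIC_ALLOWED = [(28000, 30000), (990, 990), (443, 443), (22, 22), (21, 21), (20, 20)]

_PASV = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_EPSV = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")  # RFC 2428 extended passive
Endpoint = Tuple[str, Optional[str], int]  # (mode, ip or None, port)

def parse_data_endpoint(line: str) -> Optional[Endpoint]:
    """Parse one control-channel line (FileZilla 'Command:'/'Response:' prefix
    tolerated). Returns the data endpoint it announces, or None. For PASV and
    PORT the port is p1*256 + p2; this is the parsing an FTP inspection engine
    performs before it opens the matching data-connection pinhole."""
    text = re.sub(r"^(Command|Response): ", "", line.strip())
    for mode, rx in (("PASV", _PASV), ("PORT", _PORT)):
        m = rx.match(text)
        if m:
            h = [int(x) for x in m.groups()]
            if any(x > 255 for x in h):
                return None  # byte out of range: malformed, an engine would reject it
            port = h[4] * 256 + h[5]
            return (mode, ".".join(map(str, h[:4])), port) if port else None
    m = _EPSV.match(text)
    if m:
        return ("EPSV", None, int(m.group(1)))  # address is the control peer's
    return None

def covered_by_static_acl(port: int, allowed=STATIC_ALLOWED) -> bool:
    """Would a fixed ACL alone (no inspect ftp) already permit this data port?"""
    return any(lo <= port <= hi for lo, hi in allowed)

def audit(lines: List[str]) -> List[Tuple[str, Optional[str], int, bool]]:
    """Report every data endpoint a log announces and whether the static ACL covers it."""
    found = [parse_data_endpoint(l) for l in lines]
    return [ep + (covered_by_static_acl(ep[2]),) for ep in found if ep]

# Two lines quoted from the client logs on this page plus one constructed EPSV reply.
SAMPLE_LOG = [
    "Response: 227 Entering Passive Mode (10,66,250,8,210,123)",
    "Command: PORT 10,15,3,149,7,114",
    "Response: 229 Entering Extended Passive Mode (|||28123|)",
]

if __name__ == "__main__":
    for mode, ip, port, ok in audit(SAMPLE_LOG):
        print(f"{mode:4} {ip or '(control peer)':15} port {port:5} static ACL covers it: {ok}")
```

The first two endpoints fall outside every fixed port-object, which is exactly why a static ACL cannot substitute for the inspection engine: the data port is negotiated per session on the control channel.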