JTechnical


Cisco ASA 5505 - Doesn't allow FTP conversation, "LIST" command blocked

Hi,

We have a Cisco ASA 5505 running on our network. Internally we have an FTP server which listens on port 21; it has also been configured to use PASV on ports 28000-28500.

When a user connects they are able to authenticate etc.; however, when they come to use a command like "LIST" the connection drops. I believe users experiencing this problem may be behind corporate firewalls, as from behind a standard ADSL router we are able to access the FTP just fine.

I'd appreciate any suggestions.

It's 219.154.183.109 (ext) or 10.100.25.190 (int) that is the FTP server in question.

I've attached PASV and non-PASV connection logs and the ASA conf (part) (public IPs have been changed).

Status: Connecting to ftp.previewservices.com ...
Status: Connected with seproxy3.hm.com. Waiting for welcome message...
Response: 220 Blue Coat FTP Service
Status: Trying to access ftp.previewservices.com through ftp proxy...
Command: USER testftp@ftp.previewservices.com hm\adcle
Response: 331 Enter password.
Command: PASS **********
Response: 332 Enter proxy password.
Command: PASS **********
Response: 230 Login OK. Proceed.
Command: FEAT
Response: 211-Extensions supported:
Response: MDTM
Response: SIZE
Response: 211 END
Command: SYST
Response: 215 UNIX Type: L8
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/Usr/testftp" is current folder.
Command: PASV
Response: 227 Entering Passive Mode (10,66,250,8,210,123)
Command: TYPE A
Response: 200 Command okay.
Command: LIST
Response: 421 Service not available, closing control connection.
Error: Disconnected from server
Error: Could not retrieve directory listing
Error: Timeout detected!

Status: Connecting to ftp.previewservices.com ....
Status: Connected with seproxy3.hm.com. Waiting for welcome message...
Response: 220 Blue Coat FTP Service
Status: Trying to access ftp.previewservices.com through ftp proxy...
Command: USER testftp@ftp.previewservices.com hm\adcle
Response: 331 Enter password.
Command: PASS **********
Response: 332 Enter proxy password.
Command: PASS **********
Response: 230 Login OK. Proceed.
Command: FEAT
Response: 211-Extensions supported:
Response: MDTM
Response: SIZE
Response: 211 END
Command: SYST
Response: 215 UNIX Type: L8
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/Usr/testftp" is current folder.
Command: PORT 10,15,3,149,7,114
Response: 200 PORT command successful.
Command: TYPE A
Response: 200 Command okay.
Command: LIST
Response: 421 Service not available, closing control connection.
Error: Disconnected from server
Error: Could not retrieve directory listing
Error: Timeout detected!

: Saved
:
ASA Version 7.2(4) 
!
hostname 
domain-name lan
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.25.252 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ------------- 255.255.255.224 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name lan
same-security-traffic permit intra-interface
object-group service SFTP tcp
 description SFTP Ports
 port-object range 28000 30000
 port-object eq 990
 port-object eq https
 port-object eq ssh
object-group service FTP tcp
 description FTP Ports
 port-object eq ftp
 port-object eq ftp-data
object-group service Netmeeting_TCP tcp
 description Netmeeting TCP Ports
 port-object eq 1503
 port-object eq 1731
 port-object eq 522
 port-object eq h323
 port-object eq ldap
object-group service Netmeeting_UDP udp
 description Netmeeting UDP Ports
 port-object range 1024 65535
access-list outside_access_in remark Allow ICMP
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark Allow FTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.105 eq ftp 
access-list outside_access_in remark Allow FTP-Data Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.105 eq ftp-data 
access-list outside_access_in remark Allow HTTPS Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.102 eq https 
access-list outside_access_in remark Allow PPTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.101 eq pptp 
access-list outside_access_in remark Allow PPTP Inbound
access-list outside_access_in extended permit gre any host 219.154.183.101 
access-list outside_access_in remark Allow HTTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.106 eq www 
access-list outside_access_in remark Allow FTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.107 eq ftp 
access-list outside_access_in remark Allow FTP-DATA Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.107 eq ftp-data 
access-list outside_access_in remark Allow 38911 Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.108 eq 38911 
access-list outside_access_in remark Allow SFTP Group Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.109 object-group SFTP 
access-list outside_access_in remark Allow FTP Group Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.109 eq ftp 
access-list outside_access_in remark Allow 1001 Inbound (Net Camera)
access-list outside_access_in extended permit tcp any host 219.154.183.110 eq 1001 
access-list outside_access_in remark Allow NETMEETING Inbound
access-list outside_access_in extended permit udp host 203.153.7.18 host 219.154.183.103 object-group Netmeeting_UDP 
access-list outside_access_in remark Allow NETMEETING Inbound
access-list outside_access_in extended permit tcp host 203.153.7.18 host 219.154.183.103 object-group Netmeeting_TCP 
access-list outside_access_in remark Allow NETMEETING Inbound
access-list outside_access_in extended permit udp host 203.153.7.18 host 219.154.183.104 object-group Netmeeting_UDP 
access-list outside_access_in remark Allow NETMEETING Inbound
access-list outside_access_in extended permit tcp host 203.153.7.18 host 219.154.183.104 object-group Netmeeting_TCP 
access-list outside_access_in remark Allow HTTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq www 
access-list outside_access_in remark Allow HTTPS Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq https 
access-list outside_access_in remark Allow IMAP4 Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq imap4 
access-list outside_access_in remark Allow IMAPS Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq 993 
access-list outside_access_in remark Allow SMTP Inbound
access-list outside_access_in extended permit tcp any host 219.154.183.111 eq smtp 
access-list outside_access_in extended permit tcp any host 219.154.183.109 eq ftp-data 
access-list outside_access_in extended permit tcp any host 10.100.25.190 
access-list outside_1_cryptomap extended permit ip 10.100.25.0 255.255.255.0 host 192.168.233.115 
access-list outside_1_cryptomap extended permit ip 10.100.25.0 255.255.255.0 host 192.168.233.129 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 host 192.168.233.129 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 host 192.168.233.115 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 172.27.34.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 10.100.27.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 192.168.248.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.25.0 255.255.255.0 192.168.51.0 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 10.100.25.0 255.255.255.0 172.27.34.0 255.255.255.0 
access-list XXXVPN_splitTunnelAcl standard permit 10.100.25.0 255.255.255.0 
access-list XXXVPN_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0 
access-list outside_3_cryptomap extended permit ip host 10.66.20.10 host 10.66.0.130 
access-list outside_4_cryptomap extended permit ip 10.100.25.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list outside_4_cryptomap extended permit ip 10.100.25.0 255.255.255.0 192.168.51.0 255.255.255.0 
access-list outside_4_cryptomap extended permit ip 10.100.27.0 255.255.255.0 192.168.50.0 255.255.255.0 
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 10.100.27.1-10.100.27.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 219.154.183.101 10.100.25.23 netmask 255.255.255.255 
static (inside,outside) 219.154.183.105 10.100.25.33 netmask 255.255.255.255 
static (inside,outside) 219.154.183.102 10.100.25.13 netmask 255.255.255.255 
static (inside,outside) 219.154.183.106 10.100.25.44 netmask 255.255.255.255 
static (inside,outside) 219.154.183.107 10.100.25.34 netmask 255.255.255.255 
static (inside,outside) 219.154.183.113 10.100.25.169 netmask 255.255.255.255 
static (inside,outside) 219.154.183.108 10.100.25.56 netmask 255.255.255.255 
static (inside,outside) 219.154.183.109 10.100.25.190 netmask 255.255.255.255 
static (inside,outside) 219.154.183.110 10.100.25.67 netmask 255.255.255.255 
static (inside,outside) 219.154.183.103 10.100.25.158 netmask 255.255.255.255 
static (inside,outside) 219.154.183.104 10.100.25.149 netmask 255.255.255.255 
static (inside,outside) 219.154.183.111 10.100.25.70 netmask 255.255.255.255 
static (inside,outside) 10.66.20.10 10.100.25.12 netmask 255.255.255.255


Ernie Beek

I see ftp mode is set to passive. Is that correct?
JTechnical

ASKER

Passive is turned on, on the FTP server, there are logs from the client with both PASV on and off.
I can't see it here but is the ftp inspect rule in place?
Ernie,

I'm not sure what that is; what would I need to add for that?
You should have something like this in your config:

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
There's no mention of "inspect" in the whole config. Shall I add those in?
ASKER CERTIFIED SOLUTION
Ernie Beek

This solution is only available to members.
I'm pleased to say this has fixed the issue. Would you be able to briefly explain what these few lines would have done? I don't fully understand what has been done here. Thank you.
Off the top of my head, and to put it short:

Inspection rules enable the inspection engines on the ASA. These check the enabled protocols for RFC conformity. So in the case of FTP: if disabled, when using passive FTP the Cisco blocks the additional ports you defined for the FTP data connection because they are initiated from the client. When enabled, the ASA 'knows' that the CLIENT will set up the data connection on another port, conforming to the RFC.
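To make the explanation above concrete, here is an added Python example (not code from the thread, from Cisco, or from any ASA feature) of the work an FTP inspection engine does on the control channel: it parses the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and the `PORT h1,h2,h3,h4,p1,p2` command, derives the address and port the data connection will use, describes the single flow the firewall then has to permit, checks that the announced address is the peer the client is already talking to, and rewrites the inside address in a PASV reply to the static-NAT outside address. The log lines are constructed in the same `Command:`/`Response:` format as the question's client log; 10.100.25.190 and 219.154.183.109 are the inside/outside addresses of the FTP server from the asker's config, while 192.0.2.10 is a made-up client address. All function and variable names are our own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the "Command:" / "Response:" format of the client log
# in the question. 10.100.25.190 is the FTP server's inside address from the
# ASA config; 192.0.2.10 is a documentation address standing in for the client.
SAMPLE_LOG = """\
Command: PASV
Response: 227 Entering Passive Mode (10,100,25,190,109,96)
Command: LIST
Command: PORT 192,0,2,10,7,114
Response: 200 PORT command successful.
Command: LIST
"""

HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^Response:\s*227\b.*?\(" + HOSTPORT + r"\)")
PORT_RE = re.compile(r"^Command:\s*PORT\s+" + HOSTPORT + r"\s*$")


@dataclass
class DataConn:
    mode: str   # "passive": client dials the server; "active": server dials the client
    ip: str     # address announced inside the control channel
    port: int   # p1 * 256 + p2 from the announcement


def decode_hostport(fields) -> Tuple[str, int]:
    """Turn the six h1,h2,h3,h4,p1,p2 fields of RFC 959 into (ip, port)."""
    vals = [int(f) for f in fields]
    if any(v > 255 for v in vals):
        raise ValueError(f"host-port field out of range: {fields}")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_log(text: str) -> List[DataConn]:
    """Extract every data-connection announcement (227 reply or PORT command).
    An inspection engine does this same parsing on the live control channel;
    without it the firewall has no idea which port the coming LIST transfer
    will use, so the data connection is just an unsolicited SYN to be dropped."""
    found: List[DataConn] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            found.append(DataConn("passive", ip, port))
            continue
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            found.append(DataConn("active", ip, port))
    return found


def pinhole(conn: DataConn, server_ip: str) -> Dict[str, object]:
    """The single TCP flow the firewall must permit for this transfer."""
    if conn.mode == "passive":
        # Client opens a new connection to the announced port on the server.
        return {"proto": "tcp", "src": "client", "dst": conn.ip, "dport": conn.port}
    # Active mode: the server opens a connection from ftp-data (20) to the client.
    return {"proto": "tcp", "src": server_ip, "sport": 20, "dst": conn.ip, "dport": conn.port}


def announced_address_matches(conn: DataConn, peer_ip: str) -> bool:
    """Sanity check an inspection engine applies: a PASV reply should point at
    the server the client is already talking to, and a PORT command at the
    client itself. A mismatch means a server behind NAT announcing its private
    address (the asker's setup without inspection) or a reply not to be trusted."""
    return conn.ip == peer_ip


def rewrite_pasv_reply(line: str, inside_ip: str, outside_ip: str) -> str:
    """Rewrite the address in a 227 reply from the server's inside address to
    its static-NAT outside address, as an inspection engine does when the
    control channel crosses a translation. Other lines are returned unchanged."""
    m = PASV_RE.match(line.strip())
    if not m:
        return line
    ip, _ = decode_hostport(m.groups())
    if ip != inside_ip:
        return line
    old = "(" + ",".join(m.groups()[:4]) + ","
    new = "(" + outside_ip.replace(".", ",") + ","
    return line.replace(old, new, 1)


if __name__ == "__main__":
    for c in parse_control_log(SAMPLE_LOG):
        peer = "10.100.25.190" if c.mode == "passive" else "192.0.2.10"
        print(c, "->", pinhole(c, "10.100.25.190"),
              "| announced address matches peer:", announced_address_matches(c, peer))
    print(rewrite_pasv_reply("Response: 227 Entering Passive Mode (10,100,25,190,109,96)",
                             "10.100.25.190", "219.154.183.109"))
```

Two things the block makes visible that the thread only implies: the passive port in the sample decodes to 28000, the bottom of the asker's PASV range, and only a parser that has read the control channel can know that the next SYN to that port is legitimate; and a server behind a static NAT that announces its inside address needs that address rewritten in the 227 reply, which is another job the inspection engine does and a plain ACL cannot.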