Solved

ASA 5505 FTP connection

Posted on 2011-02-23
Last Modified: 2012-10-29
Hi,

I use an ASA 5505 as a firewall; behind my firewall I have an FTP server.
When I try to connect from outside I have some problems connecting to the FTP server.
Can someone help me configure the FTP rules on the ASA 5505 to connect in active and passive mode?

You will find my configuration attached.

Thanks for your help

Axel
: Saved
:
ASA Version 7.2(4) 
!
hostname CYFW
domain-name cy-services.be
enable password password encrypted
passwd password encrypted
names
name 192.168.21.10 cysnt101
name 192.168.21.30 Ricoh
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.21.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.254.3 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 195.238.2.21
 name-server 195.238.2.22
 domain-name cy-services.be
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit tcp any interface outside eq ftp 
access-list outside_access_in extended permit tcp any interface outside eq ftp-data 
access-list outside_access_in extended permit ip any interface outside 
access-list inside_out extended permit icmp any any 
access-list inside_out extended permit ip any any 
access-list inside_nat0_outbound extended permit ip any 192.168.21.192 255.255.255.192 
access-list inbound_on_inside extended permit ip any any 
access-list Split_Tunnel_List standard permit 192.168.21.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool CYVPN 192.168.21.200-192.168.21.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp cysnt101 ftp netmask 255.255.255.255 
static (inside,outside) tcp interface ftp-data cysnt101 ftp-data netmask 255.255.255.255 
access-group inbound_on_inside in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.21.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.21.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

group-policy cyvpn internal
group-policy cyvpn attributes
 dns-server value 192.168.21.10
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value cy-cy2.local
username user password RNuIMAMcS/GyHsRL encrypted
username user attributes
 vpn-group-policy cyvpn
tunnel-group cyvpn type ipsec-ra
tunnel-group cyvpn general-attributes
 address-pool CYVPN
 default-group-policy cyvpn
tunnel-group cyvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect ftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:c9f3dfc90cfb95972888233f83f554ec
: end
asdm image disk0:/asdm-524.bin
asdm location cysnt101 255.255.255.255 inside
asdm location Ricoh 255.255.255.255 inside
no asdm history enable

Question by:ap-technology
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34959383
Just a question about your setup. I see the inside and outside have static private addresses and the DMZ gets an address through DHCP. Is that correct? And if so, why did you set it up that way?
 

Author Comment

by:ap-technology
ID: 34959400
The configuration is like this:

Internet ------ ISP Router ------ ASA 5505 ----- Internal Lan

I don't use the DMZ; the FTP server is on a LAN server.

The ISP router has a static IP.
For the LAN, there is a Windows server with a DHCP server, so that is the reason for the static IP on the ASA.

Axel
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 250 total points
ID: 34959419
So it looks like the router is doing NAT as well. You might want to have a look at that.
 

Author Comment

by:ap-technology
ID: 34968027
Yes my router does NAT

I changed some of the configuration:
The LAN FTP server is on port 5021 and not on 21.
I defined on the FTP server a range of ports for passive mode.

I attach the configuration of my ASA.

The problem I have at the moment is that when I try to connect from outside to the FTP, I can connect but I get the error message

Command:	MLSD
Response:	500 Syntax error, command unrecognized.
Error:	Failed to retrieve directory listing
Response:	421 Connection timed out.
Error:	Connection closed by server



Can someone help me?

Thanks

Axel
: Saved
:
ASA Version 7.2(4) 
!
hostname CYFW
domain-name company.be
enable password PASSWORD encrypted
passwd PASSW0RD encrypted
names
name 192.168.21.10 cysnt101
name 192.168.21.30 Ricoh
name 192.168.21.254 LANIP
name 192.168.254.3 WANIP
name 192.168.254.1 ISPLANIP
!
interface Vlan1
 nameif inside
 security-level 100
 ip address LANIP 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address WANIP 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 195.238.2.21
 name-server 195.238.2.22
 domain-name company.be
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit ip any interface outside 
access-list outside_access_in extended permit tcp any interface outside eq ftp 
access-list outside_access_in extended permit tcp any interface outside eq ftp-data 
access-list inside_out extended permit icmp any any 
access-list inside_out extended permit ip any any 
access-list inside_nat0_outbound extended permit ip any 192.168.21.192 255.255.255.192 
access-list inbound_on_inside extended permit ip any any 
access-list Split_Tunnel_List standard permit 192.168.21.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool CYVPN 192.168.21.200-192.168.21.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp-data cysnt101 5020 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp cysnt101 5021 netmask 255.255.255.255 
access-group inbound_on_inside in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISPLANIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.21.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.21.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

group-policy cyvpn internal
group-policy cyvpn attributes
 dns-server value 192.168.21.10
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value cy-cy2.local
username toto password PASSWORD encrypted
username toto attributes
 vpn-group-policy cyvpn
tunnel-group cyvpn type ipsec-ra
tunnel-group cyvpn general-attributes
 address-pool CYVPN
 default-group-policy cyvpn
tunnel-group cyvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect ftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:cf317b149b5322343f600d2ceedbacf6
: end
asdm image disk0:/asdm-524.bin
asdm location cysnt101 255.255.255.255 inside
asdm location Ricoh 255.255.255.255 inside
asdm location LANIP 255.255.255.255 inside
asdm location WANIP 255.255.255.255 inside
asdm location ISPLANIP 255.255.255.255 inside
no asdm history enable

 

Author Comment

by:ap-technology
ID: 34968039
I tried a new connection over my 3G connection and the error message is
Command:	MLSD
Response:	425 Can't open data connection.
Error:	Failed to retrieve directory listing
Error:	Disconnected from server: ECONNABORTED - Connection aborted



Thanks for your help
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34968095
I am thinking. I vaguely remember something about the access list. Could you try to change:
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data

to
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ftp-data


And see if that helps?
 

Author Comment

by:ap-technology
ID: 34968451
Hi

I tried that and it does not help.

I also tried
access-list outside_access_in extended permit tcp any interface outside eq 2121
static (inside,outside) tcp interface 2121 FTPServerIP 2121 netmask 255.255.255.255
access-group outside_access_in in interface outside



for all the ports that I defined in passive mode on the FTP server,

but no way

Thanks for your help!

Axel
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34968480
Was it port 5021 or 2121?

And if you try the following

Allow the port from the outside:
access-list outside_access_in extended permit tcp any any eq 5021

And then make sure it's inspected:

access-list ftp-list extended permit tcp any any eq 5021

class-map ftp-class
  match access-list ftp-list

policy-map global_policy
  class ftp-class
   inspect ftp


 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34968494
Also change the static accordingly

static (inside,outside) tcp interface 5021 cysnt101 5021 netmask 255.255.255.255

So you can directly connect to that port.
 

Author Comment

by:ap-technology
ID: 34968525
The FTP server is listening on port 5021.
In the FTP configuration I can specify the range of ports for passive mode, and that range is 2121-2125.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34968555
So did you set up the inspect part for port 5021?

Quote from cisco:

In Active FTP mode, the client connects from a random unprivileged port (N>1023) to the command port (21) of the FTP server. Then the client starts to listen to port N+1 and sends the FTP command port N+1 to the FTP server. The server then connects back to the specified data ports of the client from its local data port, which is port 20.

In Passive FTP mode, the client initiates both connections to the server, which solves the problem of a firewall that filters the incoming data port connection to the client from the server. When an FTP connection is opened, the client opens two random unprivileged ports locally (N>1023 and N+1). The first port contacts the server on port 21. But instead of then issuing a port command and allowing the server to connect back to its data port, the client issues the PASV command. The result of this is that the server then opens a random unprivileged port (P>1023) and sends the port P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data. Without the inspection command configuration on the Security Appliance, FTP from inside users headed outbound works only in Passive mode. Also, users outside headed inbound to your FTP server are denied access.

Got that from: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml
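The Cisco text above describes what the inspection engine has to do on the control channel: read the address and port that a PORT command or a 227 PASV reply carries, open the matching data connection, and rewrite the address when the server sits behind NAT. The following is an added example (not code from the thread, Cisco, or the ASA) that decodes and re-encodes that h1,h2,h3,h4,p1,p2 field, emulates the NAT fix-up, and flags the two conditions that break the data channel for an Internet client: a 227 reply that still advertises an RFC 1918 address, and a passive port outside the range the firewall opens. The control-channel exchange is constructed; the addresses and the 2121-2125 range mirror the posted configuration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2: the byte-wise encoding shared by PORT commands and 227 replies.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(line):
    """Return (ip, port) carried by a PORT command or 227 PASV reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed: every field is a single byte
    host = ipaddress.ip_address(".".join(str(f) for f in fields[:4]))
    return host, fields[4] * 256 + fields[5]

def encode_hostport(host, port):
    # Inverse of decode_hostport.
    return "%s,%d,%d" % (str(host).replace(".", ","), port // 256, port % 256)

def rewrite_pasv(reply, inside_host, outside_host):
    """Emulate the NAT fix-up 'inspect ftp' applies to a 227 reply: swap the server's
    inside address for the one clients reach; the port is kept (1:1 statics)."""
    decoded = decode_hostport(reply)
    if decoded is None or decoded[0] != ipaddress.ip_address(inside_host):
        return reply  # not a PASV reply, or not our server: leave untouched
    fixed = encode_hostport(ipaddress.ip_address(outside_host), decoded[1])
    return _HOSTPORT.sub(fixed, reply, count=1)

def data_channel_issues(exchange, passive_range):
    """Scan a control channel (list of (direction, line)) and report why the data
    connection fails for an Internet client: malformed 227 reply, RFC 1918 address,
    or a port outside the range the firewall rules open."""
    low, high = passive_range
    issues = []
    for direction, line in exchange:
        if direction != "S" or not line.startswith("227"):
            continue
        decoded = decode_hostport(line)
        if decoded is None:
            issues.append("malformed 227 reply: %r" % line)
            continue
        host, port = decoded
        if host.is_private:
            issues.append("227 advertises private %s: no NAT fix-up, or a second NAT layer" % host)
        if not low <= port <= high:
            issues.append("227 port %d outside permitted range %d-%d" % (port, low, high))
    return issues

# Constructed sample: the server answers PASV with its inside address and the
# first port of the 2121-2125 passive range from the thread.
SAMPLE_EXCHANGE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,21,10,8,73)."),  # 8*256+73 = 2121
]

if __name__ == "__main__":
    for issue in data_channel_issues(SAMPLE_EXCHANGE, (2121, 2125)):
        print(issue)
    print(rewrite_pasv(SAMPLE_EXCHANGE[1][1], "192.168.21.10", "192.168.254.3"))
```

Running the rewritten reply back through `data_channel_issues` still reports a private address, because the ASA's outside interface (192.168.254.3) is itself behind the ISP router's NAT; that is the double-NAT situation the thread hints at.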
 

Author Comment

by:ap-technology
ID: 34968556
I tried all the modifications that you suggested but I still have the same error:
Command:	MLSD
Response:	500 Syntax error, command unrecognized.
Error:	Failed to retrieve directory listing

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34968561
Ok, if you look at the logging of the ASA. Anything showing there?
 

Author Comment

by:ap-technology
ID: 34968634
I don't see any error message.
 

Author Comment

by:ap-technology
ID: 34968650
How can I create an inspection for a specific port?

policy-map global_policy
  class ftp-class
   inspect ftp



I need something like
policy-map global_policy
  class ftp-class
   inspect 5021



Thanks

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34968656
Just like posted before ;)

access-list ftp-list extended permit tcp any any eq 5021

class-map ftp-class
  match access-list ftp-list

policy-map global_policy
  class ftp-class
   inspect ftp
 

Author Comment

by:ap-technology
ID: 34968704
No way, always the same error message when I try to connect to the FTP server :'(
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34968753
Wait a sec.

Response:      500 Syntax error, command unrecognized.

Does the server know the MLSD command? What happens if you try from the inside network does it work or does it give the same error?
 

Author Comment

by:ap-technology
ID: 34968809
When I connect from the inside I don't have a problem.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34969280
Right. Let's see if we can rule out any other possibilities.

What if you connect from outside the ASA but before the router? So let's say you put the client in the place where the router is now.

And also keep an eye on the ASA logs while you're at it.
 

Author Comment

by:ap-technology
ID: 34969500
I am not in that office for the moment.
To access the configuration I connect by VPN.
 
LVL 17

Expert Comment

by:MAG03
ID: 38446173
You said further up that the router does NAT also; what is the IP that it is NATing to?