ASA 5510 on FTP Downloads "The address translation slot was deleted."

Hi,

I am putting a ASA5510 in front of a ISA Server 2004 with Websense and having a problem with downloading anything via FTP.

Here are my test results:
1) When I go out through a PC directly to the ASA I can download FTP files and all other web content.
2) When I go out through a PC directly to the ISA then out to the internet everything works fine.
3) When I go out through a PC directly to the ISA then through the firewall I can't download FTP files. All other web content works fine.

I receive the following errors from Test 3):

On ASA:

6      Feb 27 2011      23:31:51            172.20.2.100      20699      173.71.64.133      1538      Teardown dynamic TCP translation from inside:172.20.2.100/20699 to FIOS:x.x.x.x(my public IP)/1538 duration 0:00:30

I'm doing NAT on my ASA and apparently on my ISA. I believe this is the issue. The ASA has a public IP. Between the inside ISA  port and outside ASA port I have a private nework with the range 172.20.2.x. The inside network where the PC's reside and inside port of the ISA are on 10.35.208.x
LVL 1
First LastAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

First LastAuthor Commented:
Sorry - the ISA server is giving the following error on FTP downloads from IE:

ISA Server: extended error message :
200 Type set to I.
500 Illegal PORT Command

0
torvirCommented:
You should try to turn on inspection of ftp-traffic in ASA.
If you have a global policy in tha ASA-config, just add "inspect ftp" to it.
Look for a command like "service-policy xxxx global" and add it there.

Here is how you add a global policy with ftp-inspection from scratch:

policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

0
First LastAuthor Commented:
The Websense ISA Server isn't supposed to be inline with the Cisco ASA. I found this article below that describes how to use the url filtering feature of the ASA to reach out to Websense.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.