ASA 5510 on FTP Downloads "The address translation slot was deleted."
Hi,
I am putting an ASA5510 in front of an ISA Server 2004 with Websense and having a problem with downloading anything via FTP.
Here are my test results:
1) When I go out through a PC directly to the ASA I can download FTP files and all other web content.
2) When I go out through a PC directly to the ISA then out to the internet everything works fine.
3) When I go out through a PC directly to the ISA then through the firewall I can't download FTP files. All other web content works fine.
I receive the following errors from Test 3):
On ASA:
6 Feb 27 2011 23:31:51 172.20.2.100 20699 173.71.64.133 1538 Teardown dynamic TCP translation from inside:172.20.2.100/20699 to FIOS:x.x.x.x(my public IP)/1538 duration 0:00:30
I'm doing NAT on my ASA and apparently on my ISA. I believe this is the issue. The ASA has a public IP. Between the inside ISA port and outside ASA port I have a private network with the range 172.20.2.x. The inside network where the PCs reside and inside port of the ISA are on 10.35.208.x
You should try to turn on inspection of FTP traffic in the ASA.
If you have a global policy in the ASA config, just add "inspect ftp" to it.
Look for a command like "service-policy xxxx global" and add it there.
Here is how you add a global policy with ftp-inspection from scratch:
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
ASKER
ISA Server: extended error message :
200 Type set to I.
500 Illegal PORT Command
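
Why "500 Illegal PORT Command" shows up behind NAT when FTP inspection is off, as an added example that is not part of the original thread: active-mode FTP carries the client's address inside the PORT payload (RFC 959), so a device that translates only the IP header leaves a private address in the command. The server policy, the 203.0.113.10 placeholder for the masked public IP, and the port numbers are assumptions constructed for illustration.

```python
import re

# Constructed sample values. 172.20.2.100 is the inside address from the ASA log above;
# 203.0.113.10 is a documentation-range placeholder for the masked public IP.
INSIDE_IP, PUBLIC_IP = "172.20.2.100", "203.0.113.10"
CLIENT_PORT_CMD = "PORT 172,20,2,100,80,220\r\n"   # data port 80*256+220 = 20700

PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_port(line):
    """Return (ip, port) carried in an RFC 959 PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(line.rstrip("\r\n"))
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def server_reply(line, control_peer_ip):
    """Assumed server policy: refuse a PORT whose address is not the control-connection peer."""
    parsed = parse_port(line)
    if parsed is None or parsed[0] != control_peer_ip:
        return "500 Illegal PORT Command"
    return "200 PORT command successful"

def inspect_rewrite(line, mapped_ip, mapped_port):
    """Model of an FTP-aware NAT device: replace the payload address/port with the translated pair."""
    if parse_port(line) is None:
        return line                      # not a PORT command, pass through untouched
    h = mapped_ip.replace(".", ",")
    return "PORT {},{},{}\r\n".format(h, mapped_port // 256, mapped_port % 256)

if __name__ == "__main__":
    # Without inspection: header is translated, payload still carries the private address.
    print(server_reply(CLIENT_PORT_CMD, PUBLIC_IP))
    # With inspection: payload matches what the server sees as the peer.
    fixed = inspect_rewrite(CLIENT_PORT_CMD, PUBLIC_IP, 1539)
    print(fixed.strip(), "->", server_reply(fixed, PUBLIC_IP))
```

A packet capture on the ASA's outside interface that still shows a private address inside the PORT command indicates the payload is not being rewritten.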