Solved

ASA 5510 on FTP Downloads "The address translation slot was deleted."

Posted on 2011-02-28
4
1,866 Views
Last Modified: 2012-05-11
Hi,

I am putting a ASA5510 in front of a ISA Server 2004 with Websense and having a problem with downloading anything via FTP.

Here are my test results:
1) When I go out through a PC directly to the ASA I can download FTP files and all other web content.
2) When I go out through a PC directly to the ISA then out to the internet everything works fine.
3) When I go out through a PC directly to the ISA then through the firewall I can't download FTP files. All other web content works fine.

I receive the following errors from Test 3):

On ASA:

6      Feb 27 2011      23:31:51            172.20.2.100      20699      173.71.64.133      1538      Teardown dynamic TCP translation from inside:172.20.2.100/20699 to FIOS:x.x.x.x(my public IP)/1538 duration 0:00:30

I'm doing NAT on my ASA and apparently on my ISA. I believe this is the issue. The ASA has a public IP. Between the inside ISA  port and outside ASA port I have a private nework with the range 172.20.2.x. The inside network where the PC's reside and inside port of the ISA are on 10.35.208.x
0
Comment
Question by:First Last
  • 3
4 Comments
 
LVL 1

Author Comment

by:First Last
ID: 34998918
Sorry - the ISA server is giving the following error on FTP downloads from IE:

ISA Server: extended error message :
200 Type set to I.
500 Illegal PORT Command

0
 
LVL 5

Expert Comment

by:torvir
ID: 34999273
You should try to turn on inspection of ftp-traffic in ASA.
If you have a global policy in tha ASA-config, just add "inspect ftp" to it.
Look for a command like "service-policy xxxx global" and add it there.

Here is how you add a global policy with ftp-inspection from scratch:

policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

0
 
LVL 1

Accepted Solution

by:
First Last earned 0 total points
ID: 35007153
The Websense ISA Server isn't supposed to be inline with the Cisco ASA. I found this article below that describes how to use the url filtering feature of the ASA to reach out to Websense.
0
 
LVL 1

Author Closing Comment

by:First Last
ID: 35045422
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now