  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1526

Passive FTP Through Cisco ASA 5505 To 2008 R2 FTP Server

HELP! I have gone through a bunch of different articles on EE, among others, and am at wit's end. I need some fresh eyes to look at this config, and tell me if the problem is on my config, or with the FTP server.

I have a 2008 R2 server with an FTP site running.  I can connect to the FTP site internally with cmd line and with IE, no problems.  Externally, I can only connect to the site using the cmd line, and if I turn off passive mode in IE.  

Below is my config.  Let me know what you think!

ASA Version 8.2(1)
!
hostname ASA
domain-name domain.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
name 192.168.7.11 SageCRM
name 192.168.7.12 FTPServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name aktion.com
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group service Remote tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.235 object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 range 65000 65125
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 162
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq syslog
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 162
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq syslog
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx SageCRM netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx FTPServer netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.7.0 255.255.255.0 inside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
snmp-server host outside 192.168.2.70 community toarms!
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set aes256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map akt 20 match address domain
crypto map akt 20 set peer xxx.xxx.xxx.xxx
crypto map akt 20 set transform-set aes256-md5
crypto map akt interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet 192.168.7.0 255.255.255.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.192 outside
telnet timeout 5
ssh 192.168.7.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.7.100-192.168.7.200 inside
dhcpd dns 192.168.7.1 interface inside
dhcpd domain domain.com interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0a8c7799ff345e8a86bf711b02e42914
: end
0
Asked by: ThaVWMan

1 Solution
Craig Beck commented:
The FTP mode passive option sets FTP from the ASA, not the LAN.

Use the fixup command instead...
 http://www.netcraftsmen.net/resources/archived-articles/379.html
0
 
ThaVWMan (author) commented:
The fixup commands are no longer a part of the IOS software on these ASAs. This part of the config is supposed to be the replacement for the fixup commands:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
0
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
ThaVWMan: You are perfectly right, your service-policy should take care of all inspection needed for active as well as passive FTP. I can't see anything wrong in your config causing this; it feels like the source of your problem is something other than the ASA. Please keep us updated...

/Kvistofta
0
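Kvistofta's diagnosis points away from the ASA, so a useful next check from the outside is what the server actually advertises in its PASV reply. The script below is an added diagnostic, not code from the thread or from Cisco: it parses the 227 reply, flags a private (inside) address or a data port outside the 65000-65125 range the outside ACL permits, and optionally opens the advertised data socket. The host and anonymous credentials passed to probe() are assumptions, and any public address used with check_pasv() stands in for the masked xxx.xxx.xxx.236.

```python
import re
import socket
from ftplib import FTP
from ipaddress import ip_address, ip_network

# Passive data-port range the thread's outside ACL permits toward the FTP server.
PASV_PORT_RANGE = (65000, 65125)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def check_pasv(reply, public_ip, port_range=PASV_PORT_RANGE):
    """List the reasons a passive-mode client would fail to open the data channel."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ip_address(ip) in net for net in RFC1918):
        # Server advertised its inside address: 'inspect ftp' did not rewrite it,
        # or the server has not been told its external address.
        problems.append("advertised private address %s" % ip)
    elif ip != public_ip:
        problems.append("advertised %s, control channel is %s" % (ip, public_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d outside permitted range %d-%d" % (port, lo, hi))
    return problems

def probe(host, user="anonymous", password="anon@", timeout=10):
    """Live check from outside: log in, send PASV, then try the advertised data socket."""
    ftp = FTP(host, timeout=timeout)
    ftp.login(user, password)
    reply = ftp.sendcmd("PASV")
    problems = check_pasv(reply, socket.gethostbyname(host))
    ip, port = parse_pasv(reply)
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            pass
    except OSError as exc:
        problems.append("data connection to %s:%d failed: %s" % (ip, port, exc))
    ftp.quit()
    return reply, problems
```

Windows ftp.exe only uses active mode, so a working command-line transfer says nothing about passive; some other clients silently reconnect to the control-channel host instead of the advertised address, which can also mask a bad 227 reply.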
 
Craig Beck commented:
My bad for posting after bedtime, guys! VW is correct, fixup is now legacy.
0
 
ThaVWMan (author) commented:
Sorry for the delay in keeping this question going, but we are still having this issue!  Since it seems that everyone feels the ASA config is correct, what about anything I should be looking for on the 2008 R2 side of things?  Anything I need to be adding/changing on the windows firewall?  Something I should be changing in the IIS config for the FTP site?  Any help is appreciated!
0
 
ThaVWMan (author) commented:
Found that the issue was not with the ASA after all; it was configuration settings in the FTP server itself!
0
 
ThaVWMan (author) commented:
Issue was not related to the asked question.
0
