Solved

Passive FTP Through Cisco ASA 5505 To 2008 R2 FTP Server

Posted on 2011-03-11
1,327 Views
Last Modified: 2012-05-11
HELP! I have gone through a bunch of different articles on EE, among others, and am at wits' end.  I need some fresh eyes to look at this config, and tell me if the problem is on my config, or with the FTP server.

I have a 2008 R2 server with an FTP site running.  I can connect to the FTP site internally with cmd line and with IE, no problems.  Externally, I can only connect to the site using the cmd line, and if I turn off passive mode in IE.  

Below is my config.  Let me know what you think!

ASA Version 8.2(1)
!
hostname ASA
domain-name domain.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
name 192.168.7.11 SageCRM
name 192.168.7.12 FTPServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name aktion.com
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group service Remote tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.235 object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 range 65000 65125
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 162
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq syslog
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 162
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq syslog
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx SageCRM netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx FTPServer netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.7.0 255.255.255.0 inside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
snmp-server host outside 192.168.2.70 community toarms!
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set aes256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map akt 20 match address domain
crypto map akt 20 set peer xxx.xxx.xxx.xxx
crypto map akt 20 set transform-set aes256-md5
crypto map akt interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet 192.168.7.0 255.255.255.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.192 outside
telnet timeout 5
ssh 192.168.7.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.7.100-192.168.7.200 inside
dhcpd dns 192.168.7.1 interface inside
dhcpd domain domain.com interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0a8c7799ff345e8a86bf711b02e42914
: end
Question by: ThaVWMan

7 Comments

Expert Comment by Craig Beck:
The FTP mode passive option sets FTP from the ASA, not the LAN.

Use the fixup command instead...
http://www.netcraftsmen.net/resources/archived-articles/379.html

Author Comment by ThaVWMan:
The fixup commands are no longer a part of the IOS software on these ASAs.  This part of the config is supposed to be the replacement for the fixup commands:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global

Expert Comment by Kvistofta:
ThaVWMan: You are perfectly right, your service-policy should take care of all inspection needed for active as well as passive FTP.  I can't see anything wrong in your config causing this; it feels like the source of your problem is something other than the ASA. Please keep us updated...

/Kvistofta
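When the ASA side looks clean, the quickest way to tell whether the server is the culprit is to look at what it actually puts in its 227 PASV reply: an outside client can only reach the data channel if the advertised address is the public one and the advertised port is one the firewall permits. The following PowerShell is an added example, not code from the original thread. It decodes a 227 reply and checks it against two assumptions drawn from the posted config: the data-port range TCP 65000-65125 (the `outside_access_in` entry for the FTP host) and a public address of 203.0.113.236, a documentation placeholder standing in for the masked xxx.xxx.xxx.236. The sample replies at the bottom are constructed, not captured from the author's server.

```powershell
# Added example (not from the original post): decode a PASV reply and check it
# against what the firewall in the question will actually let through.
# Assumptions: public address 203.0.113.236 (placeholder), data ports 65000-65125.

function ConvertFrom-PasvReply {
    param([Parameter(Mandatory)][string]$Reply)
    # RFC 959 form: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
    if ($Reply -notmatch '^227\D*\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?') {
        throw "Not a 227 PASV reply: $Reply"
    }
    [pscustomobject]@{
        Address = @($Matches[1], $Matches[2], $Matches[3], $Matches[4]) -join '.'
        Port    = ([int]$Matches[5] * 256) + [int]$Matches[6]
    }
}

function Test-PasvReply {
    param(
        [Parameter(Mandatory)][string]$Reply,
        [Parameter(Mandatory)][string]$ExpectedPublicIp,
        [int]$LowPort  = 65000,
        [int]$HighPort = 65125
    )
    $p = ConvertFrom-PasvReply -Reply $Reply
    $problems = @()
    # An RFC 1918 address in the reply means the server is not NAT-aware: the
    # outside client will try to open its data connection to 192.168.x.x and fail.
    if ($p.Address -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)') {
        $problems += "advertises private address $($p.Address); set the site's external IPv4 address"
    } elseif ($p.Address -ne $ExpectedPublicIp) {
        $problems += "advertises $($p.Address), expected $ExpectedPublicIp"
    }
    if ($p.Port -lt $LowPort -or $p.Port -gt $HighPort) {
        $problems += "data port $($p.Port) is outside the permitted range $LowPort-$HighPort"
    }
    [pscustomobject]@{
        Address  = $p.Address
        Port     = $p.Port
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

function Get-PasvReplyFromServer {
    # Live check from an OUTSIDE host: open the control channel, log in, return the
    # raw 227 line. Assumes single-line replies, which is what IIS FTP sends.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 21,
          [string]$User = 'anonymous', [string]$Password = 'test@example.com')
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    try {
        $null = $reader.ReadLine()                       # 220 banner
        foreach ($cmd in "USER $User", "PASS $Password") {
            $writer.WriteLine($cmd); $null = $reader.ReadLine()
        }
        $writer.WriteLine('PASV')
        $reader.ReadLine()                               # 227 ... (h1,h2,h3,h4,p1,p2)
        $writer.WriteLine('QUIT')
    } finally { $client.Close() }
}

# Constructed sample replies (not captured from the author's server):
$samples = @(
    '227 Entering Passive Mode (192,168,7,12,195,88).',   # private IP, port 50008: both checks fail
    '227 Entering Passive Mode (203,0,113,236,254,10).'   # public IP, port 65034: passes
)
foreach ($s in $samples) {
    $r = Test-PasvReply -Reply $s -ExpectedPublicIp '203.0.113.236'
    "{0}:{1} ok={2} {3}" -f $r.Address, $r.Port, $r.Ok, ($r.Problems -join '; ')
}
# Against a real server, from outside the ASA:
# Test-PasvReply -Reply (Get-PasvReplyFromServer -Server 203.0.113.236) -ExpectedPublicIp 203.0.113.236
```

One caveat on interpreting the result: the ASA's `inspect ftp` (present in the posted `global_policy`) rewrites the address embedded in an unencrypted 227 reply as it crosses the static NAT and opens the data port on its own, so a private address seen from the inside does not by itself prove the server is misconfigured. Run the check from an outside host; if the reply still carries 192.168.7.12, or a port the host firewall does not allow, the problem is on the server.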

Expert Comment by Craig Beck:
My bad for posting after bedtime guys!  VW is correct, fixup is now legacy.  

Author Comment by ThaVWMan:
Sorry for the delay in keeping this question going, but we are still having this issue!  Since it seems that everyone feels the ASA config is correct, what about anything I should be looking for on the 2008 R2 side of things?  Anything I need to be adding/changing on the windows firewall?  Something I should be changing in the IIS config for the FTP site?  Any help is appreciated!

Accepted Solution by ThaVWMan:
Found that the issue was not with the ASA after all, was configuration settings in the FTP server itself!

Author Closing Comment by ThaVWMan:
Issue was not related to the asked question.
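The accepted solution says only that the fix was in "configuration settings in the FTP server itself" and does not name them. As an added example, not the author's actual change, the following PowerShell sets the two IIS 7.5 FTP firewall-support settings that most often break passive mode behind a NAT firewall: the passive data-port range and the external IPv4 address the server places in its 227 reply. The site name (`Default FTP Site`), the public address (203.0.113.236, a placeholder for the masked xxx.xxx.xxx.236) and the 65000-65125 range (taken from the posted ASA ACL) are assumptions. Run it in an elevated PowerShell on the 2008 R2 server.

```powershell
# Added example, not the author's actual fix: IIS 7.5 FTP settings for passive
# mode behind NAT, chosen to line up with the posted ASA config.
# Assumptions: site name, public address and port range below.
Import-Module WebAdministration

$siteName = 'Default FTP Site'   # assumed: the FTP site name in IIS Manager
$publicIp = '203.0.113.236'      # assumed: the static NAT address the ASA maps to FTPServer
$lowPort  = 65000                # matches 'permit tcp any host ... range 65000 65125'
$highPort = 65125
$appHost  = 'MACHINE/WEBROOT/APPHOST'

# 1. Server-wide passive data-channel port range (applies to every FTP site).
#    0-0 (the default) means "any ephemeral port", which a fixed firewall ACL cannot cover.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.ftpServer/firewallSupport' `
    -Name lowDataChannelPort  -Value $lowPort
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.ftpServer/firewallSupport' `
    -Name highDataChannelPort -Value $highPort

# 2. Per-site external address: goes into the 227 reply instead of 192.168.7.12.
Set-ItemProperty "IIS:\Sites\$siteName" -Name ftpServer.firewallSupport.externalIp4Address -Value $publicIp

# 3. Host firewall: allow the control port and the passive range inbound, and enable
#    the stateful FTP helper so data connections are tied to their control session.
netsh advfirewall firewall add rule name="FTP control (TCP 21)" dir=in action=allow protocol=TCP localport=21
netsh advfirewall firewall add rule name="FTP passive data (TCP $lowPort-$highPort)" dir=in action=allow protocol=TCP localport="$lowPort-$highPort"
netsh advfirewall set global StatefulFtp enable

# 4. The port-range change only takes effect after the FTP service restarts.
Restart-Service ftpsvc

# Verify what IIS will now advertise.
Get-WebConfiguration -PSPath $appHost -Filter 'system.ftpServer/firewallSupport' |
    Select-Object lowDataChannelPort, highDataChannelPort
Get-ItemProperty "IIS:\Sites\$siteName" -Name ftpServer.firewallSupport.externalIp4Address
```

Two things to keep in mind when applying this. The port range is global to the FTP service, so every site on the box shares it and the ASA ACL (`range 65000 65125` in the posted config) must match it exactly. And because the ASA's `inspect ftp` already rewrites the embedded address in a plaintext 227 reply, the `externalIp4Address` setting matters most when the control channel is encrypted (FTPS), since the firewall cannot see or fix the reply then; it does no harm in the plaintext case, but it is the port range and the host firewall rules that usually decide whether passive connections from outside succeed.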