Solved

Passive FTP Through Cisco ASA 5505 To 2008 R2 FTP Server

Posted on 2011-03-11
1,471 Views
Last Modified: 2012-05-11
HELP! I have gone through a bunch of different articles on EE, among others, and am at wit's end. I need some fresh eyes to look at this config, and tell me if the problem is in my config, or with the FTP server.

I have a 2008 R2 server with an FTP site running. I can connect to the FTP site internally with cmd line and with IE, no problems. Externally, I can only connect to the site using the cmd line, and if I turn off passive mode in IE.

Below is my config. Let me know what you think!

ASA Version 8.2(1)
!
hostname ASA
domain-name domain.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
name 192.168.7.11 SageCRM
name 192.168.7.12 FTPServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name aktion.com
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group service Remote tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.235 object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 range 65000 65125
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 162
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq syslog
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 162
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq syslog
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx SageCRM netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx FTPServer netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.7.0 255.255.255.0 inside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
snmp-server host outside 192.168.2.70 community toarms!
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set aes256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map akt 20 match address domain
crypto map akt 20 set peer xxx.xxx.xxx.xxx
crypto map akt 20 set transform-set aes256-md5
crypto map akt interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet 192.168.7.0 255.255.255.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.192 outside
telnet timeout 5
ssh 192.168.7.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.7.100-192.168.7.200 inside
dhcpd dns 192.168.7.1 interface inside
dhcpd domain domain.com interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0a8c7799ff345e8a86bf711b02e42914
: end
Question by: ThaVWMan

7 Comments

LVL 45

Expert Comment

by:Craig Beck
ID: 35113497
The FTP mode passive option sets FTP from the ASA, not the LAN.

Use the fixup command instead...
 http://www.netcraftsmen.net/resources/archived-articles/379.html
LVL 9

Author Comment

by:ThaVWMan
ID: 35113750
The fixup commands are no longer a part of the IOS software on these ASAs. This part of the config is supposed to be the replacement for the fixup commands:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
LVL 17

Expert Comment

by:Kvistofta
ID: 35114579
ThaVWMan: You are perfectly right, your service-policy should take care of all inspection needed for active as well as passive FTP. I can't see anything wrong in your config causing this; it feels like the source of your problem is something other than the ASA. Please keep us updated...

/Kvistofta
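Because the thread never shows what the server actually tells an outside client, here is an added client-side check (example code, not from the thread or from Cisco/Microsoft). In passive mode the server's 227 reply carries the address and port the client must connect to for data; with static NAT the ASA's `inspect ftp` is expected to rewrite the embedded inside address to the public one, and the posted outside ACL permits TCP 65000-65125 to the FTP server's public address. The script parses a 227 reply and reports whether the advertised address is still an RFC 1918 inside address, is some other public address, or whether the data port falls outside that ACL range. The public address 203.0.113.236 is a placeholder for the masked IP in the config, and the sample replies are constructed, not captured from the author's server.

```python
"""Client-side passive-FTP diagnosis.

Added example, not part of the original thread. Parses the 227 reply an FTP
server sends to PASV and compares what it advertises against what the
firewall will actually pass: the public NAT address of the FTP server and
the data-port range the ASA outside ACL permits (65000-65125 in the posted
config). Sample replies below are constructed for offline use.
"""
import ipaddress
import re
import socket
from ftplib import FTP

# Port range the posted outside_access_in ACL opens to the FTP server.
ASA_PASV_RANGE = (65000, 65125)
# Placeholder (assumption) for the masked public address static NAT maps to FTPServer.
PUBLIC_FTP_IP = "203.0.113.236"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 (explicit check; ipaddress.is_private
    also flags documentation ranges such as 203.0.113.0/24, which we do not want)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def diagnose(reply, expected_ip=PUBLIC_FTP_IP, port_range=ASA_PASV_RANGE):
    """Classify, from the client's side, why a passive data connection would fail.

    Returns (ip, port, issues). issues is a list of tags:
      'private-ip'       the server still advertises its inside address, so the
                         client connects to an unroutable host: either the ASA
                         did not rewrite the reply or the server was configured
                         to advertise that address.
      'unexpected-ip'    public address, but not the server's NAT address.
      'port-outside-acl' data port not in the range the outside ACL permits.
    An empty list means the reply is consistent with the posted firewall config.
    """
    ip, port = parse_pasv(reply)
    issues = []
    if is_rfc1918(ip):
        issues.append("private-ip")
    elif ip != expected_ip:
        issues.append("unexpected-ip")
    lo, hi = port_range
    if not lo <= port <= hi:
        issues.append("port-outside-acl")
    return ip, port, issues


def probe(host, user="anonymous", password="", timeout=10):
    """Live check from outside: log in, send PASV, diagnose the reply (needs network)."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=timeout)
    try:
        ftp.login(user, password)
        return diagnose(ftp.sendcmd("PASV"), expected_ip=socket.gethostbyname(host))
    finally:
        ftp.quit()


# Constructed replies, not captured from the thread's server.
SAMPLE_REPLIES = {
    "rewritten-by-asa": "227 Entering Passive Mode (203,0,113,236,253,232).",
    "leaked-inside-ip": "227 Entering Passive Mode (192,168,7,12,19,137).",
}

if __name__ == "__main__":
    for label, reply in SAMPLE_REPLIES.items():
        print(label, diagnose(reply))
```

Run `probe("ftp.example.com", "user", "pass")` from a host outside the ASA; the control channel is plain FTP, so the credentials cross the wire in cleartext and a throwaway account is the right choice. A 'private-ip' finding points at the server side (the author's closing note says the fix was in the FTP server's own settings, without saying which), while a 'port-outside-acl' finding means the server's passive port range and the ASA ACL range disagree.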
LVL 45

Expert Comment

by:Craig Beck
ID: 35115452
My bad for posting after bedtime guys!  VW is correct, fixup is now legacy.  
LVL 9

Author Comment

by:ThaVWMan
ID: 35226979
Sorry for the delay in keeping this question going, but we are still having this issue!  Since it seems that everyone feels the ASA config is correct, what about anything I should be looking for on the 2008 R2 side of things?  Anything I need to be adding/changing on the windows firewall?  Something I should be changing in the IIS config for the FTP site?  Any help is appreciated!
LVL 9

Accepted Solution

by:
ThaVWMan earned 0 total points
ID: 35385423
Found that the issue was not with the ASA after all, was configuration settings in the FTP server itself!
LVL 9

Author Closing Comment

by:ThaVWMan
ID: 35414384
Issue was not related to the asked question.