Passive FTP Through Cisco ASA 5505 To 2008 R2 FTP Server

HELP! I have gone through a bunch of different articles on EE, among others, and am at wit's end.  I need some fresh eyes to look at this config, and tell me if the problem is on my config, or with the FTP server.

I have a 2008 R2 server with an FTP site running.  I can connect to the FTP site internally with cmd line and with IE, no problems.  Externally, I can only connect to the site using the cmd line, and if I turn off passive mode in IE.  

Below is my config.  Let me know what you think!

ASA Version 8.2(1)
!
hostname ASA
domain-name domain.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
name 192.168.7.11 SageCRM
name 192.168.7.12 FTPServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name aktion.com
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group service Remote tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.235 object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 range 65000 65125
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 162
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq syslog
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 162
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq syslog
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx SageCRM netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx FTPServer netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.7.0 255.255.255.0 inside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
snmp-server host outside 192.168.2.70 community toarms!
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set aes256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map akt 20 match address domain
crypto map akt 20 set peer xxx.xxx.xxx.xxx
crypto map akt 20 set transform-set aes256-md5
crypto map akt interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet 192.168.7.0 255.255.255.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.192 outside
telnet timeout 5
ssh 192.168.7.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.7.100-192.168.7.200 inside
dhcpd dns 192.168.7.1 interface inside
dhcpd domain domain.com interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0a8c7799ff345e8a86bf711b02e42914
: end
Asked by: ThaVWMan

1 Solution
Craig Beck commented:
The FTP mode passive option sets FTP from the ASA, not the LAN.

Use the fixup command instead...
 http://www.netcraftsmen.net/resources/archived-articles/379.html

ThaVWMan (Author) commented:
The fixup commands are no longer a part of the IOS software on these ASAs.  This part of the config is supposed to be the replacement for the fixup commands:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global

Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
ThaVWMan: You are perfectly right, your service-policy should take care of all inspection needed for active as well as passive FTP.  I can't see anything wrong in your config causing this; it feels like the source of your problem is something other than the ASA. Please keep us updated...

/Kvistofta

Craig Beck commented:
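As an added diagnostic (not from the thread, Cisco or Microsoft), this Python check parses the "227 Entering Passive Mode" reply an external client actually receives, which is where the question's symptom and Kvistofta's point about inspection meet: with inspect ftp in the global_policy the ASA must rewrite the inside address of FTPServer (192.168.7.12) embedded in that reply to the static NAT address, and the data port the server advertises should fall inside the 65000-65125 range the outside_access_in ACL opens. The public address 203.0.113.236 stands in for the masked xxx.xxx.xxx.236, and the sample replies are constructed.

```python
import ipaddress
import re

# Constructed 227 replies for the three cases an external client might see.
SAMPLE_REPLIES = {
    # Inside address leaked: inspection/NAT did not rewrite the reply.
    "unrewritten": "227 Entering Passive Mode (192,168,7,12,253,232).",
    # Rewritten to the static NAT address (placeholder for xxx.xxx.xxx.236).
    "rewritten": "227 Entering Passive Mode (203,0,113,236,253,232).",
    # Address fine, but the server advertised a port outside the ACL range.
    "out_of_range": "227 Entering Passive Mode (203,0,113,236,19,137).",
}

# RFC 1918 networks, checked explicitly rather than via ip_address().is_private,
# which also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is not a valid PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # p1*256 + p2 per RFC 959
    return ip, port


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_pasv(reply, expected_public_ip, port_range=(65000, 65125)):
    """Classify a PASV reply as seen from outside the ASA."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "not-a-pasv-reply"
    ip, port = parsed
    if is_rfc1918(ip):
        return "private-ip-leaked"      # inspect ftp / static NAT did not rewrite
    if ip != expected_public_ip:
        return "unexpected-ip"          # rewritten, but not to the FTPServer static
    lo, hi = port_range
    if not lo <= port <= hi:
        return "port-outside-range"     # server passive range does not match the ACL
    return "ok"
```

Run it against the reply captured from an external client (for example with a command-line client in verbose mode); "private-ip-leaked" points at the ASA, "port-outside-range" points at the FTP server's passive port settings.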
My bad for posting after bedtime guys!  VW is correct, fixup is now legacy.  

ThaVWMan (Author) commented:
Sorry for the delay in keeping this question going, but we are still having this issue!  Since it seems that everyone feels the ASA config is correct, what about anything I should be looking for on the 2008 R2 side of things?  Anything I need to be adding/changing on the windows firewall?  Something I should be changing in the IIS config for the FTP site?  Any help is appreciated!

ThaVWMan (Author) commented:
Found that the issue was not with the ASA after all, was configuration settings in the FTP server itself!

ThaVWMan (Author) commented:
Issue was not related to the asked question.