Passive FTP Through Cisco ASA 5505 To 2008 R2 FTP Server

Posted on 2011-03-11
Last Modified: 2012-05-11
HELP! I have gone through a bunch of different articles on EE, among others, and am at wit's end.  I need some fresh eyes to look at this config, and tell me if the problem is on my config, or with the FTP server.

I have a 2008 R2 server with an FTP site running.  I can connect to the FTP site internally with cmd line and with IE, no problems.  Externally, I can only connect to the site using the cmd line, and if I turn off passive mode in IE.  

Below is my config.  Let me know what you think!

ASA Version 8.2(1)
!
hostname ASA
domain-name domain.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
name 192.168.7.11 SageCRM
name 192.168.7.12 FTPServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name aktion.com
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group service Remote tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list domain extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.248.0
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.235 object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.236 range 65000 65125
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host 192.168.7.1 host 192.168.2.70 eq 162
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host 192.168.7.1 host 192.168.2.70 eq syslog
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 161
access-list snmp extended permit tcp host xxx.xxx.xxx.234 host 192.168.2.70 eq 162
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmp
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq snmptrap
access-list snmp extended permit udp host xxx.xxx.xxx.234 host 192.168.2.70 eq syslog
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx SageCRM netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx FTPServer netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.7.0 255.255.255.0 inside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
http xxx.xxx.xxx.xxx 255.255.255.192 outside
snmp-server host outside 192.168.2.70 community toarms!
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set aes256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map akt 20 match address domain
crypto map akt 20 set peer xxx.xxx.xxx.xxx
crypto map akt 20 set transform-set aes256-md5
crypto map akt interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet 192.168.7.0 255.255.255.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.192 outside
telnet timeout 5
ssh 192.168.7.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.0 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.7.100-192.168.7.200 inside
dhcpd dns 192.168.7.1 interface inside
dhcpd domain domain.com interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0a8c7799ff345e8a86bf711b02e42914
: end
Question by:ThaVWMan
7 Comments
 
Expert Comment

by:Craig Beck
ID: 35113497
The FTP mode passive option sets FTP from the ASA, not the LAN.

Use the fixup command instead...
 http://www.netcraftsmen.net/resources/archived-articles/379.html
Author Comment

by:ThaVWMan
ID: 35113750
The fixup commands are no longer a part of the IOS software on these ASAs.  This part of the config is supposed to be the replacement for the fixup commands:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
Expert Comment

by:Kvistofta
ID: 35114579
ThaVWMan: You are perfectly right, your service-policy should take care of all inspection needed for active as well as passive FTP.  I can't see anything wrong in your config causing this; it feels like the source of your problem is something other than the ASA. Please keep us updated...

/Kvistofta
Expert Comment

by:Craig Beck
ID: 35115452
My bad for posting after bedtime guys!  VW is correct, fixup is now legacy.  
Author Comment

by:ThaVWMan
ID: 35226979
Sorry for the delay in keeping this question going, but we are still having this issue!  Since it seems that everyone feels the ASA config is correct, what about anything I should be looking for on the 2008 R2 side of things?  Anything I need to be adding/changing on the windows firewall?  Something I should be changing in the IIS config for the FTP site?  Any help is appreciated!
Accepted Solution

by:ThaVWMan (earned 0 total points)
ID: 35385423
Found that the issue was not with the ASA after all, was configuration settings in the FTP server itself!
Author Closing Comment

by:ThaVWMan
ID: 35414384
Issue was not related to the asked question.