cymrich
ASA 5505 with 8.3(1) trying to get FTP working
I recently got an ASA and replaced a PIX 506 that kept locking up on me. I stumbled through getting the NAT stuff configured, since it is so drastically different in 8.3, and followed some instructions I found with Google to set up my FTP server. Now it works for the internet, but when I try to connect to my FTP I can't connect. I've tried everything I can think of to fix it but still can't connect at all.
Here is my config:
ASA Version 8.3(1)
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network FTP
 host 192.168.0.10
access-list outside_access_in extended permit tcp any object FTP eq ftp
pager lines 24
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic obj_any interface
!
object network FTP
 nat (inside,outside) static interface service tcp ftp ftp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 5
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd dns 1.2.3.4
dhcpd auto_config outside
!
dhcpd address 192.168.0.20-192.168.0.40 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c1d260b57bda9a6ca0944e8d0076b024
Can you connect to it from a local host?
ASKER
Yes, it works from a local host.
I believe this is what you need...
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
!
service-policy asa_global_fw_policy global
ASKER
@craigbeck
Those settings you gave me are very similar to the ones that are already there at the end of the config. I tried them anyway, but there appears to be no change. I still cannot get FTP to work through the firewall.
ASKER
I decided to try for something less complex and go with just HTTPS instead of FTP to see if I could get that working. I added the object and the nat line and then the ACL. It still doesn't work. I also added allow icmp any any... that at least works. So my current ACL is:
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any interface outside eq https
and the nat line under the object is:
nat (inside,outside) static interface service tcp https https
I turned on terminal monitor, and when I try to access the web interface of my NAS I get a bunch of:
Sep 27 2011 16:20:47: %ASA-3-710003: TCP access denied by ACL from <source ip>/58561 to outside:<outside interface ip>/443
I've tried many variations of the ACL and can't seem to make any work.
Also, with terminal monitor on, before I removed all the FTP ACLs I noticed that no logs were displayed when I tried to connect to the FTP.
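An added illustration, not code from the thread or from Cisco: on ASA 8.3 and later an interface ACL is matched against the real (pre-NAT) destination address, so an ACE written against the mapped "interface outside" address, as pre-8.3 configs were, never matches a static-NAT'd host and the connection is denied with exactly the %ASA-3-710003 seen above. The Python below parses a constructed config modelled on this thread (the ACL 101 line beside the 8.3-style "object FTP" line) and a constructed 710003 line with documentation addresses standing in for the redacted ones, and flags the mismatch.

```python
import re
# Constructed sample modelled on the thread: the ACE that references the mapped
# "interface outside" address beside the 8.3-style ACE that names the real host.
SAMPLE_CONFIG = """\
object network FTP
 host 192.168.0.10
 nat (inside,outside) static interface service tcp https https
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any object FTP eq ftp
"""
# Constructed %ASA-3-710003 line; documentation addresses replace the redacted ones.
SAMPLE_LOG = ("Sep 27 2011 16:20:47: %ASA-3-710003: TCP access denied by ACL "
              "from 203.0.113.5/58561 to outside:198.51.100.7/443")

ACE_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (.+?)(?: eq (\S+))?$")
DENY_RE = re.compile(r"%ASA-3-710003: (\w+) access denied by ACL from (\S+)/(\d+) to (\w+):(\S+)/(\d+)")

def parse_objects(cfg):
    """Map each 'object network' to its real address and any static NAT under it."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            objs.setdefault(cur := line.split()[2], {})
        elif cur and line.startswith(" host "):
            objs[cur]["real"] = line.split()[1]
        elif cur and line.startswith(" nat ") and " static " in line:
            objs[cur]["static_nat"] = line.strip()
        elif not line.startswith(" "):
            cur = None  # left the object sub-mode
    return objs

def audit_acls(cfg):
    """Flag ACEs whose destination is the mapped interface address while a static NAT
    to a real host exists: on 8.3+ the ACL sees the real address, so the ACE never matches."""
    statics = {n: o for n, o in parse_objects(cfg).items() if "static_nat" in o}
    findings = []
    for line in cfg.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(4).startswith("interface ") and statics:
            reals = ", ".join(f"{n} ({o.get('real', '?')})" for n, o in statics.items())
            findings.append(f"{m.group(1)}: dst '{m.group(4)}' is a mapped address; "
                            f"on ASA 8.3+ reference the real host instead: {reals}")
    return findings

def parse_denial(line):
    """Pull protocol, source, ingress interface and destination/port from a 710003 line."""
    m = DENY_RE.search(line)
    return None if not m else {"proto": m[1], "src": m[2], "ifc": m[4], "dst": m[5], "dport": int(m[6])}
```

Run over a saved `show running-config`, `audit_acls` lists the ACEs to rewrite against the real host, and `parse_denial` gives the destination port to compare with the `service tcp` values in the static NAT rules.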
Can you specify the destination IP of the host, and whether you actually want ALL web (HTTP) traffic to be able to traverse to the specified host? Let us know.... And we can do it via FTP... but let us know a little more info, like destination host IP, hostname, or any other info etc., and what you actually want accessing that or said destination host.... Give us that info and we'll give you the solution for it... Hope this helps.
Let us know,
T_W
ASKER
The destination IP would be the internal address of my FTP server (which has a web interface and requires SSL); that IP is 192.168.0.10/24. I don't usually allow web traffic through my firewalls at all, so this is really just for testing purposes until I figure out what's wrong and then try to apply the solution to allowing FTP. (In other words, yes, all HTTPS can be forwarded to that destination.) Hostname would be HOME... it's just an FTP-enabled NAS... I never access it by hostname... only IP. This was working fine on the PIX 506 that I replaced with this ASA... and no changes have been made to the NAS at all (192.168.0.10 is set statically).
I have tried adding multiple versions of the ACL that specify the host by IP or by object name, and so far I have not managed to get anything to work. Every time I try to access the web interface I get the same log messages, the source IP being my IP address I am trying from (using my work computer) and the external interface IP being the ISP-assigned DHCP address attached to my outside interface.
ASKER CERTIFIED SOLUTION
ASKER
Managed to solve it myself... thanks for the assistance, guys.