Passive FTP Through ASA5520 firewall v8.2

I have a Cisco ASA5520 Firewall.  We recently changed a back-end FTP server from Windows Server 2003 to Windows Server 2008 running FTP v.7.5.  

Ever since the change, we have been unable to get Passive FTP to work.  Active FTP works just fine.

From what I've read, it looks like we have the ASA set up for Passive FTP, but we are obviously missing something.  An external client connects but eventually times out when trying to enumerate the directory structure.

I've included our running config.  Thank you for your help.
: Saved
:
ASA Version 8.2(2) 


names
name X.X.X.X(int_IP) FTPServer
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address X.X.X.X(ext_IP) 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address X.X.X.X(int_IP) 255.255.0.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address X.X.X.X(int_IP) 255.255.255.0 
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list outside-to-inside extended permit icmp any any 
access-list outside-to-inside extended permit tcp any any eq https 
access-list outside-to-inside extended permit tcp any any eq www 
access-list outside-to-inside extended permit tcp any host X.X.X.X(ext_IP) eq smtp 
access-list outside-to-inside extended permit tcp any host X.X.X.X(ext_IP) eq 50000 
access-list outside-to-inside extended permit udp any any 
access-list outside-to-inside extended permit tcp any host X.X.X.X(ext_IP) eq ftp 
access-list outside-to-inside extended permit tcp any host X.X.X.X(ext_IP) eq ftp-data 
access-list nonat extended permit ip X.X.X.X(int_IP) 255.0.0.0 X.X.X.X(int_IP) 255.255.255.0 
access-list nonat extended permit ip X.X.X.X(int_IP) 255.0.0.0 X.X.X.X(int_IP) 255.255.255.0 
access-list splittunnel extended permit ip X.X.X.X(int_IP) 255.0.0.0 X.X.X.X(int_IP) 255.255.255.0 
access-list tl_splittunnel extended permit ip host X.X.X.X(int_IP) X.X.X.X(int_IP) 255.255.255.0 
access-list tl_splittunnel extended permit ip host X.X.X.X(int_IP) X.X.X.X(int_IP) 255.255.255.0 
access-list tl_splittunnel extended permit ip host X.X.X.X(int_IP) X.X.X.X(int_IP) 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm warnings
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside X.X.X.X(int_IP) 2055
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip local pool clientpool X.X.X.X(int_IP)-X.X.X.X(int_IP) mask 255.255.255.255
ip local pool eti X.X.X.X(int_IP)-X.X.X.X(int_IP) mask 255.255.255.0
ip local pool vpnclientpool X.X.X.X(int_IP)-X.X.X.X(int_IP) mask 255.255.255.0
ip local pool vendorpool X.X.X.X(int_IP)-X.X.X.X(int_IP) mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp interface www X.X.X.X(int_IP) www netmask 255.255.255.255 
static (inside,Outside) tcp interface ftp FTPServer ftp netmask 255.255.255.255 
static (inside,Outside) tcp interface ftp-data FTPServer ftp-data netmask 255.255.255.255 
static (inside,Outside) X.X.X.X(ext_IP) FTPServer netmask 255.255.255.255 
static (inside,Outside) X.X.X.X(ext_IP) X.X.X.X(int_IP) netmask 255.255.255.255 
access-group outside-to-inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.X(ext_IP) 1
route inside X.X.X.X(int_IP) 255.255.255.0 X.X.X.X(int_IP) 1
route inside X.X.X.X(int_IP) 255.255.255.0 X.X.X.X(int_IP) 1
route inside X.X.X.X(int_IP) 255.255.255.0 X.X.X.X(int_IP) 1
route inside 192.168.150.0 255.255.255.0 X.X.X.X(int_IP) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host X.X.X.X(int_IP)
 timeout 20
 key *****
aaa-server test protocol radius
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http X.X.X.X(int_IP) 255.255.255.0 management
http X.X.X.X(int_IP) 255.255.255.0 management
http X.X.X.X(int_IP) 255.255.0.0 inside
snmp-server host inside X.X.X.X(int_IP) community ***** version 2c
no snmp-server location
snmp-server contact 
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set tunnel esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map remote 10 set transform-set tunnel
crypto map tunnel 65535 ipsec-isakmp dynamic remote
crypto map tunnel interface Outside
crypto ca server 
 shutdown
 smtp from-address admin@bob.null
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5

ssh timeout 20
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address X.X.X.X(int_IP)-X.X.X.X(int_IP) management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server X.X.X.X(int_IP) source inside prefer
ntp server 128.118.25.5 source Outside
webvpn
 enable Outside
 enable inside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.0217-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy sslvpn internal
group-policy sslvpn attributes
 wins-server value X.X.X.X(int_IP)
 dns-server value X.X.X.X(int_IP)
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 webvpn
  svc ask enable default svc
group-policy DfltGrpPolicy attributes
 wins-server value X.X.X.X(int_IP)
 dns-server value X.X.X.X(int_IP)
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
tunnel-group users type remote-access
tunnel-group users general-attributes
 address-pool vpnclientpool
 authentication-server-group RADIUS
tunnel-group users ipsec-attributes
 pre-shared-key *****
tunnel-group sslvpn type remote-access
tunnel-group sslvpn general-attributes
 address-pool vpnclientpool
 authentication-server-group RADIUS
 default-group-policy sslvpn
tunnel-group sslvpn webvpn-attributes
 group-alias sslvpn enable
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
class-map bob
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ip-options 
  inspect netbios 
  inspect tftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect sunrpc 
  inspect xdmcp 
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect sip  
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3ad52ba842b5d56aee622e4a1d82bc02
: end
asdm image disk0:/asdm-625.bin
asdm history enable

Asked by: aagbo

3 Solutions
rscottvanCommented:
Try adding the default-inspection-traffic to the inspection_default class-map.  (Your global policy is using this class-map, not "global-class".)

Here is the command you should run:

class-map inspection_default
 match default-inspection-traffic
0
 
aagboAuthor Commented:
I have that established in the config but now I am getting a slightly different error on my FTP client, but it still is unable to enumerate the folder structure.  See the error from the FTP client:

Status: Resolving address of blah.com
Status: Connecting to x.x.x.x(IP)
Status: Connected, waiting for welcome message
Reply: 220 Microsoft FTP Service
Command: CLNT http://ftptest.net on behalf of x.x.x.x(IP)
Reply: 500 'CLNT http://ftptest.net on behalf of x.x.x.x(IP)': command not understood.
Command: USER blah
Reply: 331 Password required for blah.
Command: PASS **********
Reply: 230-Directory has 47,421,693,952 bytes of disk space available.
Reply: 230 User logged in.
Command: SYST
Reply: 215 Windows_NT
Command: FEAT
Reply: 211-Extended features supported:
Reply: LANG EN*
Reply: UTF8
Reply: AUTH TLS;TLS-C;SSL;TLS-P;
Reply: PBSZ
Reply: PROT C;P;
Reply: CCC
Reply: HOST
Reply: SIZE
Reply: MDTM
Reply: REST STREAM
Reply: 211 END
Command: PWD
Reply: 257 "/" is current directory.
Status: Current path is /
Command: TYPE I
Reply: 200 Type set to I.
Command: PASV
Reply: 227 Entering Passive Mode (x,x,x,x,197,15).
Command: LIST
Reply: 150 Opening BINARY mode data connection.
Error: Connection timed out
0
 
AlexPaceCommented:
The server told the client to connect on port 50447.

Most FTP Server software includes a feature to specify a port range for use as the passive mode data channel.  A good rule of thumb is to make the range at least twice as big as the maximum number of expected simultaneous clients.

If the FTP Server software was configured to only use, for example, ports 50000 through 50100 then you could just forward those ports if nothing else works.  This is what you have to do on firewalls that don't support FTP protocol inspection.
0
 
aagboAuthor Commented:
The Cisco firewall is configured for FTP protocol inspection:

policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect tftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect sip  
0
 
rscottvanCommented:
Do you have the outside ip from your firewall configured in IIS?  (I blacked it out here for obvious reasons)

FTP Firewall Support in IIS 7.5
0
 
aagboAuthor Commented:
When I do that, a couple things happen:

1. Internal FTP stops working
2. I get 2 warnings in the Cisco Syslog.  They are:

4 Oct 21 2011 11:32:32 406002 FTP port command different address: FTPServer(x.x.x.x(ext_ip)) to 62.75.138.232 on interface inside

and

4 Oct 21 2011 11:32:32 507003 62.75.138.232 57868 FTPServer 21 tcp flow from Outside:62.75.138.232/57868 to inside:FTPServer/21 terminated by inspection engine, reason - inspector drop reset.
0
 
rscottvanCommented:
when you say "internal", are the clients in the same security zone as the server?
0
 
aagboAuthor Commented:
Yes.  "internal" to the firewall.  When they connect, they go direct to the FTP server.
0
 
AlexPaceCommented:
When a firewall supports FTP inspection, it will usually automatically translate the internal IP address in the server's PASV response so that the client receives an external IP instead of the 10.x.x.x or 192.168.x.x address that the FTP server actually sent in the PASV response.
0
 
aagboAuthor Commented:
The firewall is doing that.  For example: If I turn off inspection, I get an error from my FTP client that looks like: Reply: 227 Entering Passive Mode (10,1,1,27,19,143).

When I turn FTP inspection back on, I now get the error: Reply: 227 Entering Passive Mode (x,x,x,x(external IP),19,143).  

The timeout appears to be when it tries to enumerate the directories.
0
 
rscottvanCommented:
What are your settings in IIS for FTP directory listing?
0
 
AlexPaceCommented:
When the client gets that message [227 Entering Passive Mode (x,x,x,x,19,143).], the client is going to try to open a data channel to x.x.x.x port 5007.

You get the port 5007 from 19,143 like this:
(19 * 256) + 143 = 5007

So your client is going to need to be able to make an outgoing connection to this address and port, your firewall is going to have to allow it coming in and then forward it to the correct 10.1.1.27 server, and the server is going to have to accept it.
0
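The port arithmetic and the address rewrite discussed in the exchange above, as an added example (not code from this thread): a small Python checker that parses a 227 PASV reply, computes p1 * 256 + p2, and reports the two failure modes seen here, a private server address leaking through when inspection is off and a data port outside the range the firewall forwards. The external address 203.0.113.5 and the 5000-6000 range are assumed placeholders.

```python
import re

# Constructed 227 replies modelled on the ones quoted in this thread (the external
# address is a documentation-range placeholder, not the poster's real IP).
REPLY_INSPECTION_OFF = "227 Entering Passive Mode (10,1,1,27,19,143)."
REPLY_INSPECTION_ON = "227 Entering Passive Mode (203,0,113,5,197,15)."

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the data port is p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 addresses (checked explicitly)."""
    addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    for net, bits in RFC1918:
        base = int.from_bytes(bytes(int(o) for o in net.split(".")), "big")
        if addr >> (32 - bits) == base >> (32 - bits):
            return True
    return False


def check_pasv(reply, expected_ip, port_range):
    """Parse a PASV reply and list reasons a client could fail to open the data channel."""
    ip, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(ip):
        problems.append("server advertised private address %s; NAT/FTP inspection is not rewriting PASV" % ip)
    elif ip != expected_ip:
        problems.append("advertised %s but clients reach the server at %s" % (ip, expected_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the forwarded passive range %d-%d" % (port, lo, hi))
    return ip, port, problems


if __name__ == "__main__":
    for reply in (REPLY_INSPECTION_OFF, REPLY_INSPECTION_ON):
        print(reply, "->", check_pasv(reply, "203.0.113.5", (5000, 6000)))
```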
 
aagboAuthor Commented:
So, I've added port forwarding for 5000-6000.  My config now looks like this:

object-group service FTP-PASV tcp
 port-object range 5000 6000

with an access list of:

access-list outside-to-inside extended permit tcp any host x.x.x.x(ext_IP) object-group FTP-PASV

0
 
aagboAuthor Commented:
And directory browsing is set to MS-DOS and all directory listing options are unchecked.
0
 
AlexPaceCommented:
I don't think it is a permissions problem on the server because, if that was the case, we would most likely see some negative response to the LIST command instead of the 150, which indicates that the server has the list ready for the client to come get on the data channel.
0
 
aagboAuthor Commented:
We were able to get assistance from Cisco on this issue.  One of the problems was that the ordering of our access-list was out of whack.  Because the IOS processes line-by-line, some of the configs were getting cancelled by lines later on in the code.

The final result is what is included.  I'm splitting points as you both provided good troubleshooting and insight.

access-list outside-to-inside extended permit tcp any host x.x.x.x(extIP)
access-list outside-to-inside extended permit tcp any host x.x.x.x(extIP) eq 50000
access-list outside-to-inside extended permit icmp any any
access-list outside-to-inside extended permit tcp any any eq https
access-list outside-to-inside extended permit tcp any any eq www
access-list outside-to-inside extended permit tcp any host x.x.x.x(extIP) eq smtp
access-list outside-to-inside extended permit udp any any

static (inside,Outside) tcp interface www x.x.x.x(intIP) www netmask 255.255.255.255
static (inside,Outside) tcp interface ftp x.x.x.x(intIP) ftp netmask 255.255.255.255
static (inside,Outside) tcp interface ftp-data x.x.x.x(intIP) ftp-data netmask 255.255.255.255
static (inside,Outside) tcp x.x.x.x(extIP) 50000 x.x.x.x(intIP) 50000 netmask 255.255.255.255
static (inside,Outside) x.x.x.x(extIP) x.x.x.x(intIP) netmask 255.255.255.255
access-group outside-to-inside in interface Outside

0
