Solved

Cisco ASA firewall cannot get ftp working

Posted on 2012-03-21
2
425 Views
Last Modified: 2012-03-22
Hey there,

I'm trying to configure ftp through this firewall for my users on this ASA 5510 box.  the domain name is xfer.domainname.com and resolves to 64.190.171.133 through dns.  my inside ftp server is 10.31.153.36.  ftp works internally but not through the firewall.  I've posted the config below and am using the ASDM.  Please help!


Cryptochecksum: c96a906c 792c7e34 1317e1fc 2844bac8
: Saved
: Written by xxxx at 13:19:39.806 EST Thu Jan 23 2003
!
ASA Version 8.4(1)
!
hostname RMFW01
domain-name xxxx.com
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
 description Connection to Internet
 nameif outside
 security-level 0
 ip address 64.190.171.131 255.255.255.224
!
interface Ethernet0/1
 description LAN Network
 nameif inside
 security-level 100
 ip address 192.168.242.1 255.255.255.0
!
interface Ethernet0/2
 description DMZ Network
 nameif dmz
 security-level 90
 ip address 10.31.153.17 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif MAN
 security-level 100
 ip address 192.168.42.1 255.255.255.0
!
banner exec Authorized Access Only
banner login Authorized Access Only
banner motd Authorized Access Only
banner asdm Authorized Access Only
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name response
object network inside
 subnet 192.168.242.0 255.255.255.0
object network dmz
 subnet 10.31.153.0 255.255.255.0
object network DVR_Public
 host 64.190.171.134
object network DVR_Private
 host 192.168.242.250
object network Web5_Public
 host 64.190.171.138
object network Web5_Private
 host 10.31.153.22
object network Web4_Public
 host 64.190.171.137
object network Web4_Private
 host 10.31.153.21
object network Web3_Public
 host 64.190.171.136
object network Web3_Private
 host 10.31.153.20
object network Web2_Public
 host 64.190.171.135
object network Web_Private2
 host 10.31.153.19
object network Web2_Private
 host 10.31.153.19
object network Web1_Public
 host 64.190.171.134
object network Web1_Private
 host 10.31.153.18
object network WSFTP_Public
 host 64.190.171.133
object network WSFTP_Private
 host 10.31.153.26
object network IPSEC_VPN_192.168.240.0_24
 subnet 192.168.240.0 255.255.255.0
 description VPN DHCP Pool
object network Cheryl_Out
 host 64.190.171.139
object network Cheryl_Inside
 host 192.168.242.172
object network NETWORK_OBJ_192.168.5.0_24
 subnet 192.168.5.0 255.255.255.0
object-group service WSFTP tcp
 port-object range 1024 65535
object-group network DM_INLINE_NETWORK_1
 network-object 10.31.153.0 255.255.255.0
 network-object 192.168.242.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended permit icmp any object DVR_Private
access-list outside_access_in extended permit tcp any object DVR_Private eq 7000
access-list outside_access_in extended permit tcp any object Web5_Private eq www
access-list outside_access_in extended permit tcp any object Web5_Private eq https
access-list outside_access_in extended permit tcp any object Web4_Private eq www
access-list outside_access_in extended permit tcp any object Web4_Private eq https
access-list outside_access_in extended permit tcp any object Web3_Private eq www
access-list outside_access_in extended permit tcp any object Web3_Private eq https
access-list outside_access_in extended permit tcp any object Web2_Private eq www
access-list outside_access_in extended permit tcp any object Web2_Private eq https
access-list outside_access_in extended permit tcp any object Web1_Private eq www
access-list outside_access_in extended permit tcp any object Web1_Private eq https
access-list outside_access_in extended permit tcp any object WSFTP_Private eq ftp
access-list outside_access_in extended permit 90 any object WSFTP_Private
access-list outside_access_in extended permit tcp any object WSFTP_Private object-group WSFTP
access-list outside_access_in extended permit tcp any object WSFTP_Private eq ftp-data
access-list outside_access_in extended permit tcp any object WSFTP_Private eq www
access-list outside_access_in extended permit tcp any object WSFTP_Private eq https
access-list outside_access_in extended permit tcp any object Cheryl_Inside eq 3389
access-list outside_access_in remark VPN Access
access-list outside_access_in extended permit tcp object IPSEC_VPN_192.168.240.0_24 object inside eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit tcp any object WSFTP_Public eq ssh
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended deny ip any any
access-list rmvpn_splittunnel standard permit 192.168.242.0 255.255.255.0
access-list REMOTE_ACCESS_USERS_splitTunnelAcl standard permit 10.31.153.0 255.255.255.0
access-list REMOTE_ACCESS_USERS_splitTunnelAcl standard permit 192.168.242.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu MAN 1500
ip local pool Remote_VPN_Pool 192.168.5.50-192.168.5.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside interface
nat (dmz,outside) source dynamic dmz interface
nat (inside,outside) source static DVR_Private DVR_Public
nat (dmz,outside) source static Web5_Private Web5_Public
nat (dmz,outside) source static Web4_Private Web4_Public
nat (dmz,outside) source static Web3_Private Web3_Public
nat (dmz,outside) source static Web2_Private Web2_Public
nat (dmz,outside) source static Web1_Private Web1_Public
nat (dmz,outside) source static WSFTP_Private WSFTP_Public
nat (MAN,outside) source static any any destination static IPSEC_VPN_192.168.240.0_24 IPSEC_VPN_192.168.240.0_24 inactive
nat (inside,outside) source static Cheryl_Inside Cheryl_Out
nat (inside,outside) source static inside inside destination static IPSEC_VPN_192.168.240.0_24 IPSEC_VPN_192.168.240.0_24
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 64.190.171.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RM_VPN protocol nt
aaa-server RM_VPN (inside) host 192.168.242.201
 nt-auth-domain-controller 192.168.242.201
aaa-server RM_USERS protocol nt
aaa-server RM_USERS (inside) host 192.168.242.201
 timeout 5
 nt-auth-domain-controller RMP-DB2
http server enable
http 0.0.0.0 0.0.0.0 MAN
http 0.0.0.0 0.0.0.0 outside
http 192.168.242.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy REMOTE_ACCESS_USERS internal
group-policy REMOTE_ACCESS_USERS attributes
 dns-server value 192.168.242.201
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTE_ACCESS_USERS_splitTunnelAcl
 default-domain value responsemedia.com
username xxxxencrypted privilege 15
username xxxxencrypted privilege 15
tunnel-group REMOTE_ACCESS_USERS type remote-access
tunnel-group REMOTE_ACCESS_USERS general-attributes
 address-pool Remote_VPN_Pool
 authentication-server-group RM_USERS
 default-group-policy REMOTE_ACCESS_USERS
tunnel-group REMOTE_ACCESS_USERS ipsec-attributes
 ikev1 pre-shared-key R3mot3Acc3ssRm
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c96a906c792c7e341317e1fc2844bac8
: end

thanks!
0
Comment
Question by:metalfubar
2 Comments
 
LVL 5

Accepted Solution

by:
andrew1812 earned 500 total points
ID: 37748170
Can you print the output when you type

ftp xfer.domainname.com on the command prompt

Also when does the connection fail ( After providing the username and password or the username/password options itself does not pop up on your screen when you attempt connection )
0
 

Author Comment

by:metalfubar
ID: 37748511
Andrew,

Thanks for responding to my request.  

so xfer.domainname.com resolves to 64.190.171.133 correctly at a cmd prompt.  if you tracert the ip it works dns wise but you can see that it gets dropped at the firewall.  so no login at hte ftp and nothing in the firewall logs.  Again from inside it works, i can ssh to it.  I'm thinking it's likely a NAT or ACL issue?  Much appreciated on the help here.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

This article is a how to to configure a UCS Ethernet-uplink portchannel via the console. It is easy to do and can be done quite quickly. In certain versions of the UCS manager the portchannel has issues coming up and this is a workaround. I am…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now