Question asked by Thomas Jacoberger (United States of America):
External FTP access through Cisco ASA 5505

I have a network that is completely virtualized using Hyper-V. I have a virtual machine that I set up FTP services on. Everything is behind a Cisco ASA 5505. Internally the FTP site works as intended: I put the IP into IE and am able to log on and get a directory listing. Externally, however, is another story. When I enter ftp://external IP into my browser I am prompted to log on, but no matter what I get the following error:

"An error has occurred opening that folder on the ftp server. Make sure you have permission to access that folder"

200 Type set to A.
227 Entering Passive Mode.

I am assuming I have something missing on the ASA.

Any ideas?
lruiz52 (United States of America):

Please post a sanitized config.

But if I had to guess, make sure that you have inspect ftp in your global policy.


config t
policy-map global_policy
 class inspection_default
  inspect ftp
Thomas Jacoberger (asker):
That command gives me an error.

Here is my config:

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq ftp log
access-list outside_access_in extended permit tcp any interface outside eq ftp-data log
access-list outside_access_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.119 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.119 ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 10
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:8afd119a52fb72c82bd22acbf3aa6b1e
: end
What output do you see from "sh run all policy-map"?
sh run all policy-map
!
policy-map type inspect rtsp _default_rtsp_map
 description Default RTSP policymap
 parameters
policy-map type inspect h323 _default_h323_map
 description Default H.323 policymap
 parameters
  no rtp-conformance
policy-map type inspect sip _default_sip_map
 description Default SIP policymap
 parameters
  im
  no ip-address-privacy
  traffic-non-sip
  no rtp-conformance
policy-map type inspect dns _default_dns_map
 description Default DNS policy-map
 parameters
  no message-length maximum
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map
 description Default IPSEC-PASS-THRU policy-map
 parameters
  esp per-client-max 0 timeout 0:10:00
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
!
I added the following:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp


Still same issue.
I get this error with FileZilla:

Command:      SYST
Response:      215 Windows_NT
Command:      FEAT
Response:      211-FEAT
Response:          SIZE
Response:          MDTM
Response:      211 END
Status:      Server does not support non-ASCII characters.
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I.
Command:      PORT 10,10,200,107,196,124
Response:      500 Invalid PORT Command.
Command:      PASV
Response:      227 Entering Passive Mode (172,17,1,119,15,62).
Status:      Server sent passive reply with unroutable address. Using server address instead.
Command:      LIST
Error:      Directory listing aborted by user
Status:      Disconnected from server
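The FileZilla trace above shows the failure more precisely than the IE dialog did: the 227 reply advertises 172,17,1,119 (172.17.1.119), an RFC 1918 address that is neither the ASA outside interface nor the 192.168.1.119 target of the static, so an external client cannot open the data connection to it; FileZilla fell back to the control-connection address and the LIST never completed. The PORT attempt was refused outright, and the client's own PORT argument (10,10,200,107,...) is private too, so active mode cannot work from that side either. The script below is an added example, not code from the thread or from Cisco: it parses 227 replies the way a client must and classifies the advertised address against the address the control connection actually went to. The sample replies are constructed from the trace; `live_pasv_check` is a hypothetical helper that runs the same classification against a real server and is not exercised offline.

```python
import ipaddress
import re

# Constructed 227 replies modelled on the FileZilla trace in this thread.
SAMPLE_REPLIES = {
    "leaked_inside": "227 Entering Passive Mode (172,17,1,119,15,62).",  # what the poster saw
    "rewritten":     "227 Entering Passive Mode (203,0,113,10,15,62).",  # reply rewritten to the outside address
    "bare":          "227 Entering Passive Mode.",                       # the text IE's dialog showed
}

# RFC 959: "227 <text> (h1,h2,h3,h4,p1,p2)"; the data port is p1*256 + p2.
PASV_RE = re.compile(r"227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Ranges an internet client can never reach directly: RFC 1918, loopback, link-local
# and RFC 6598 shared space. Listed explicitly instead of using ipaddress.is_private so
# that documentation prefixes such as 203.0.113.0/24 count as routable in this example.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None when it carries no address tuple."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {reply!r}")
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def classify_pasv(reply, control_peer):
    """Classify the data-channel address a server advertised in its 227 reply.

    control_peer is the address the client actually connected to (for an external
    client, the ASA outside interface). Results:
      no-address  the reply carries no host/port tuple at all
      unroutable  an inside/private address leaked out (the reply was not NAT-rewritten)
      mismatch    routable, but not the address the control connection went to
      ok          the advertised address is the one we are already talking to
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "no-address"
    ip, _port = parsed
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in UNROUTABLE):
        return "unroutable"
    if ip != control_peer:
        return "mismatch"
    return "ok"


def live_pasv_check(host, user, password, port=21, timeout=10):
    """Hypothetical helper: log in to a real server, send PASV and classify the reply.
    Credentials travel in cleartext exactly as with any FTP client; use a throwaway account."""
    import ftplib
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login(user, password)
    reply = ftp.sendcmd("PASV")
    peer = ftp.sock.getpeername()[0]
    ftp.quit()
    return reply, classify_pasv(reply, peer)


if __name__ == "__main__":
    for label, reply in SAMPLE_REPLIES.items():
        print(f"{label:14s} {reply!r:55s} -> {classify_pasv(reply, '203.0.113.10')}")
```

Run against the poster's reply the result is "unroutable", which is exactly the condition FTP inspection on the firewall exists to fix: with `inspect ftp` in effect on the path, the ASA rewrites the embedded address in the 227 reply to the translated outside address and pre-opens the data port, and the same probe then returns "ok".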
Two things now:
- Make sure you have buffered debug enabled, execute "show log" and you should see some indications of activity if logging is enabled. If not, look at the "logging" command to get that going. Then test the failing FTP, then "show log", and let's see what that's telling us.
- "sh access-l outside_access_in" before and after a test. You should see increments in the hit count for the entries permitting FTP. This will verify traffic is going where we think it is and that the ASA is really the cause.

Not sure that you have revealed which ASA version you have as yet. What you have might support the command "show asp drop". If so, can we have a look at that also.

One other sanity check: you have not revealed your interface addressing on the ASA. Is the FTP server in the same subnet as the inside interface, and do the ASA and FTP server have the same subnet mask configured? The above assumes this is all OK.
Before:

LB(config)# sh access-l outside_access_in
access-list outside_access_in; 18 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any interface outside eq 5909 log informational interval 300 (hitcnt=24) 0x3d572a03
access-list outside_access_in line 2 extended permit icmp any any (hitcnt=105959) 0x71af81e1
access-list outside_access_in line 3 extended permit tcp any interface outside eq smtp log informational interval 300 (hitcnt=62887) 0x5a49ed8a
access-list outside_access_in line 4 extended permit tcp any interface outside eq https log informational interval 300 (hitcnt=613991) 0xb78265a9
access-list outside_access_in line 5 extended permit tcp any interface outside eq www log informational interval 300 (hitcnt=719) 0xf8a43354
access-list outside_access_in line 6 extended permit tcp any interface outside eq 587 log informational interval 300 (hitcnt=2) 0x1e27a6a6
access-list outside_access_in line 7 extended permit tcp any interface outside eq 4050 log informational interval 300 (hitcnt=3) 0xa33af62c
access-list outside_access_in line 8 extended permit tcp any interface outside eq 4051 log informational interval 300 (hitcnt=0) 0xaf79715c
access-list outside_access_in line 9 extended permit tcp any interface outside eq 4052 log informational interval 300 (hitcnt=0) 0xfa44696b
access-list outside_access_in line 10 extended permit tcp any interface outside eq 4000 log informational interval 300 (hitcnt=4) 0x716734b0
access-list outside_access_in line 11 extended permit tcp any interface outside eq 4199 log informational interval 300 (hitcnt=80) 0xdc80b552
access-list outside_access_in line 12 extended permit tcp any interface outside eq 4144 log informational interval 300 (hitcnt=0) 0x62c48d21
access-list outside_access_in line 13 extended permit tcp any interface outside eq 4155 log informational interval 300 (hitcnt=0) 0x6f5fe1de
access-list outside_access_in line 14 extended permit tcp any interface outside eq 4156 log informational interval 300 (hitcnt=0) 0xeee7ec32
access-list outside_access_in line 15 extended permit tcp any interface outside eq ftp log informational interval 300 (hitcnt=2516) 0xe4fa0d23
access-list outside_access_in line 16 extended permit tcp any interface outside eq 4157 log informational interval 300 (hitcnt=140) 0x4a967885
access-list outside_access_in line 17 extended permit tcp any interface outside eq 4006 log informational interval 300 (hitcnt=1) 0x212aa96e
access-list outside_access_in line 18 extended permit tcp any interface outside eq ftp-data log informational interval 300 (hitcnt=0) 0xa0fc3013
LB(config)#



After:

LB# sh access-l outside_access_in
access-list outside_access_in; 18 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any interface outside eq 5909 log informational interval 300 (hitcnt=24) 0x3d572a03
access-list outside_access_in line 2 extended permit icmp any any (hitcnt=105975) 0x71af81e1
access-list outside_access_in line 3 extended permit tcp any interface outside eq smtp log informational interval 300 (hitcnt=62896) 0x5a49ed8a
access-list outside_access_in line 4 extended permit tcp any interface outside eq https log informational interval 300 (hitcnt=614037) 0xb78265a9
access-list outside_access_in line 5 extended permit tcp any interface outside eq www log informational interval 300 (hitcnt=719) 0xf8a43354
access-list outside_access_in line 6 extended permit tcp any interface outside eq 587 log informational interval 300 (hitcnt=2) 0x1e27a6a6
access-list outside_access_in line 7 extended permit tcp any interface outside eq 4050 log informational interval 300 (hitcnt=3) 0xa33af62c
access-list outside_access_in line 8 extended permit tcp any interface outside eq 4051 log informational interval 300 (hitcnt=0) 0xaf79715c
access-list outside_access_in line 9 extended permit tcp any interface outside eq 4052 log informational interval 300 (hitcnt=0) 0xfa44696b
access-list outside_access_in line 10 extended permit tcp any interface outside eq 4000 log informational interval 300 (hitcnt=4) 0x716734b0
access-list outside_access_in line 11 extended permit tcp any interface outside eq 4199 log informational interval 300 (hitcnt=80) 0xdc80b552
access-list outside_access_in line 12 extended permit tcp any interface outside eq 4144 log informational interval 300 (hitcnt=0) 0x62c48d21
access-list outside_access_in line 13 extended permit tcp any interface outside eq 4155 log informational interval 300 (hitcnt=0) 0x6f5fe1de
access-list outside_access_in line 14 extended permit tcp any interface outside eq 4156 log informational interval 300 (hitcnt=0) 0xeee7ec32
access-list outside_access_in line 15 extended permit tcp any interface outside eq ftp log informational interval 300 (hitcnt=2519) 0xe4fa0d23
access-list outside_access_in line 16 extended permit tcp any interface outside eq 4157 log informational interval 300 (hitcnt=140) 0x4a967885
access-list outside_access_in line 17 extended permit tcp any interface outside eq 4006 log informational interval 300 (hitcnt=1) 0x212aa96e
access-list outside_access_in line 18 extended permit tcp any interface outside eq ftp-data log informational interval 300 (hitcnt=0) 0xa0fc3013
LB#


I am using an ASA 5505, all on the same LAN.
Looks like no change between before and after.
ASKER CERTIFIED SOLUTION by pgolding00 (Australia). This solution is only available to members of Experts Exchange and is not shown on this page.
Ok, so this worked:

However, it took the internet down, lol. I'm guessing I blocked all traffic except for FTP on the inside interface.

What do I have to change?


class-map ftp-traffic
 match any
class-map match-all
 match port tcp eq ftp
!
!
policy-map type inspect ftp mymap
 parameters
  mask-banner
policy-map ftp-policy
 class ftp-traffic
  inspect ftp strict mymap
!
service-policy ftp-policy interface inside
I got it. Thanks for all your help.


Allow FTP Traffic:

!
class-map ftp-traffic
 match port tcp eq ftp
!
!
policy-map type inspect ftp mymap
 parameters
  mask-banner
policy-map ftp-policy
 class ftp-traffic
  inspect ftp strict mymap
!
service-policy ftp-policy interface inside
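Two details in the configs posted in this thread decide the outcome, and both are easy to miss by eye. First, the original running config contains no policy-map and no `service-policy` line at all, and a policy-map that nothing binds with `service-policy ... global` or `service-policy ... interface X` does nothing, so adding `inspect ftp` to `global_policy` changes nothing until it is applied. Second, the first attempt that "took the internet down" paired `inspect ftp strict` with a `class-map ftp-traffic` whose only match was `match any`, which hands every flow on the inside interface to the FTP inspection engine; non-FTP connections then fail its command checks, which is consistent with the outage. The final version restricts the class to `match port tcp eq ftp`. The checker below is an added example, not Cisco's tooling or anything from the thread: it parses the pre-8.3 style config syntax used on this page (`static`, `access-list`, `class-map`, `policy-map`, `service-policy`) and reports those two problems plus the basic NAT and ACL prerequisites. The three config excerpts are constructed from the ones posted above.

```python
import re
from collections import defaultdict

# Constructed excerpts modelled on the configs posted in this thread (addresses as posted).
BASE = """\
access-list outside_access_in extended permit tcp any interface outside eq ftp log
access-list outside_access_in extended permit tcp any interface outside eq ftp-data log
static (inside,outside) tcp interface ftp 192.168.1.119 ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
# As posted after the first suggestion: inspect ftp in global_policy, but no service-policy line.
POSTED = BASE + """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
"""
# First attempt: a 'match any' class with strict inspection bound to the inside interface.
FIRST_FIX = BASE + """\
class-map ftp-traffic
 match any
policy-map ftp-policy
 class ftp-traffic
  inspect ftp strict mymap
service-policy ftp-policy interface inside
"""
# Final version: the class matches only tcp/21.
FINAL = FIRST_FIX.replace(" match any\n", " match port tcp eq ftp\n")


def parse_asa(config):
    """Pull out the parts of a pre-8.3 ASA config that decide whether published FTP works:
    class-map match lines, policy-map classes and their actions, service-policy bindings,
    static translations, access-lists and access-group bindings. Indentation marks nesting."""
    cfg = dict(classmaps=defaultdict(list), policymaps=defaultdict(dict),
               service=[], statics=[], acls=defaultdict(list), groups=[])
    block = cls = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        words = raw.split()
        if indent == 0:
            block = cls = None
            if words[0] == "class-map" and len(words) > 1 and words[1] != "type":
                block = ("class-map", words[-1])     # 'class-map [match-all|match-any] NAME'
            elif words[0] == "policy-map" and len(words) > 1 and words[1] != "type":
                block = ("policy-map", words[1])     # 'policy-map type inspect ...' is skipped
            elif words[0] == "service-policy":
                cfg["service"].append((words[1], " ".join(words[2:])))
            elif words[0] == "static":
                cfg["statics"].append(raw)
            elif words[0] == "access-list":
                cfg["acls"][words[1]].append(raw)
            elif words[0] == "access-group":
                cfg["groups"].append(raw)
        elif block and block[0] == "class-map":
            cfg["classmaps"][block[1]].append(" ".join(words))
        elif block and block[0] == "policy-map":
            if words[0] == "class":
                cls = words[1]
                cfg["policymaps"][block[1]].setdefault(cls, [])
            elif cls is not None:
                cfg["policymaps"][block[1]][cls].append(" ".join(words))
    return cfg


def ftp_findings(config):
    """Return the problems a reviewer would raise about inbound FTP in CONFIG (empty = complete)."""
    cfg = parse_asa(config)
    found = []
    if not any(re.search(r"\s(ftp|21)\s", s) for s in cfg["statics"]):
        found.append("no static translation for tcp/21")
    bound = {g.split()[1] for g in cfg["groups"]}
    if not any(name in bound and any(re.search(r"\seq\s(ftp|21)(\s|$)", l) for l in lines)
               for name, lines in cfg["acls"].items()):
        found.append("no bound access-list permits tcp/21 inbound")
    applied = {name for name, _ in cfg["service"]}
    inspect_seen = False
    for pname, classes in cfg["policymaps"].items():
        for cname, actions in classes.items():
            if not any(a.startswith("inspect ftp") for a in actions):
                continue
            inspect_seen = True
            if pname not in applied:
                found.append(f"policy-map {pname} has inspect ftp but no service-policy applies it")
            if "match any" in cfg["classmaps"].get(cname, []):
                found.append(f"class-map {cname} is 'match any': FTP inspection is applied to every "
                             "flow on that interface, so non-FTP connections fail its checks")
    if not inspect_seen:
        found.append("no policy-map enables inspect ftp, so PASV/PORT addresses are never rewritten")
    return found


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("first fix", FIRST_FIX), ("final", FINAL)):
        print(f"{label:10s} {ftp_findings(text) or 'no findings'}")
```

The `ftp-data` entries in the posted config are left alone by the checker on purpose: with `ftp mode passive` and `inspect ftp` in place the ASA opens the passive data port itself from the 227 reply, so the tcp/20 static and ACL line are only relevant to active-mode transfers, which the 0 hit count on the `ftp-data` ACL entry in the thread's before/after output reflects.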