Solved

External FTP access through Cisco ASA 5505

Posted on 2013-01-18
Last Modified: 2013-01-30
I have a network that is completely virtualized using Hyper-V. I have a virtual machine that I set up FTP services on. Everything is behind a Cisco ASA 5505. Internally the FTP site works as intended: I put the IP into IE and am able to log on and get a directory listing. Externally, however, is another story. When I enter ftp://external IP into my browser I am prompted to log on, but no matter what I get the following error:

"An error has occurred opening that folder on the ftp server. Make sure you have permission to access that folder"

200 Type set to A.
227 Entering Passive Mode.

I am assuming I have something missing on the ASA.

Any ideas?
Question by: TJacoberger1

12 Comments

Expert Comment

by:lruiz52
ID: 38794837
Please post a sanitized config.

But if I had to guess, make sure that you have inspect ftp in your global policy.

config t
policy-map global_policy
 class inspection_default
  inspect ftp

Author Comment

by:TJacoberger1
ID: 38794905
That command gives me an error.

Here is my config:

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq ftp log
access-list outside_access_in extended permit tcp any interface outside eq ftp-data log
access-list outside_access_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.119 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.119 ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 10
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:8afd119a52fb72c82bd22acbf3aa6b1e
: end

Expert Comment

by:pgolding00
ID: 38799586
What output do you see from "sh run all policy-map"?

Author Comment

by:TJacoberger1
ID: 38809834
sh run all policy-map
!
policy-map type inspect rtsp _default_rtsp_map
 description Default RTSP policymap
 parameters
policy-map type inspect h323 _default_h323_map
 description Default H.323 policymap
 parameters
  no rtp-conformance
policy-map type inspect sip _default_sip_map
 description Default SIP policymap
 parameters
  im
  no ip-address-privacy
  traffic-non-sip
  no rtp-conformance
policy-map type inspect dns _default_dns_map
 description Default DNS policy-map
 parameters
  no message-length maximum
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map
 description Default IPSEC-PASS-THRU policy-map
 parameters
  esp per-client-max 0 timeout 0:10:00
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
!

Author Comment

by:TJacoberger1
ID: 38809912
I added the following:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp


Still same issue.

Author Comment

by:TJacoberger1
ID: 38809927
I get this error with FileZilla:

Command:      SYST
Response:      215 Windows_NT
Command:      FEAT
Response:      211-FEAT
Response:          SIZE
Response:          MDTM
Response:      211 END
Status:      Server does not support non-ASCII characters.
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I.
Command:      PORT 10,10,200,107,196,124
Response:      500 Invalid PORT Command.
Command:      PASV
Response:      227 Entering Passive Mode (172,17,1,119,15,62).
Status:      Server sent passive reply with unroutable address. Using server address instead.
Command:      LIST
Error:      Directory listing aborted by user
Status:      Disconnected from server

Expert Comment

by:pgolding00
ID: 38812530
Two things now:
- Make sure you have buffered debug enabled. Execute "show log" and you should see some indications of activity if logging is enabled. If not, look at the "logging" command to get that going. Then test the failing FTP, then "show log", and let's see what that's telling us.
- "sh access-l outside_access_in" before and after a test. You should see increments in the hit count for the entries permitting FTP. This will verify traffic is going where we think it is and that the ASA is really the cause.

Not sure that you have revealed which ASA version you have as yet. What you have might support the command "show asp drop". If so, can we have a look at that also.

One other sanity check: you have not revealed your interface addressing on the ASA. Is the FTP server in the same subnet as the inside interface, and do the ASA and FTP server have the same subnet mask configured? The above assumes this is all OK.

Author Comment

by:TJacoberger1
ID: 38832877
Before:

LB(config)# sh access-l outside_access_in
access-list outside_access_in; 18 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any interface outside eq 5909 log informational interval 300 (hitcnt=24) 0x3d572a03
access-list outside_access_in line 2 extended permit icmp any any (hitcnt=105959) 0x71af81e1
access-list outside_access_in line 3 extended permit tcp any interface outside eq smtp log informational interval 300 (hitcnt=62887) 0x5a49ed8a
access-list outside_access_in line 4 extended permit tcp any interface outside eq https log informational interval 300 (hitcnt=613991) 0xb78265a9
access-list outside_access_in line 5 extended permit tcp any interface outside eq www log informational interval 300 (hitcnt=719) 0xf8a43354
access-list outside_access_in line 6 extended permit tcp any interface outside eq 587 log informational interval 300 (hitcnt=2) 0x1e27a6a6
access-list outside_access_in line 7 extended permit tcp any interface outside eq 4050 log informational interval 300 (hitcnt=3) 0xa33af62c
access-list outside_access_in line 8 extended permit tcp any interface outside eq 4051 log informational interval 300 (hitcnt=0) 0xaf79715c
access-list outside_access_in line 9 extended permit tcp any interface outside eq 4052 log informational interval 300 (hitcnt=0) 0xfa44696b
access-list outside_access_in line 10 extended permit tcp any interface outside eq 4000 log informational interval 300 (hitcnt=4) 0x716734b0
access-list outside_access_in line 11 extended permit tcp any interface outside eq 4199 log informational interval 300 (hitcnt=80) 0xdc80b552
access-list outside_access_in line 12 extended permit tcp any interface outside eq 4144 log informational interval 300 (hitcnt=0) 0x62c48d21
access-list outside_access_in line 13 extended permit tcp any interface outside eq 4155 log informational interval 300 (hitcnt=0) 0x6f5fe1de
access-list outside_access_in line 14 extended permit tcp any interface outside eq 4156 log informational interval 300 (hitcnt=0) 0xeee7ec32
access-list outside_access_in line 15 extended permit tcp any interface outside eq ftp log informational interval 300 (hitcnt=2516) 0xe4fa0d23
access-list outside_access_in line 16 extended permit tcp any interface outside eq 4157 log informational interval 300 (hitcnt=140) 0x4a967885
access-list outside_access_in line 17 extended permit tcp any interface outside eq 4006 log informational interval 300 (hitcnt=1) 0x212aa96e
access-list outside_access_in line 18 extended permit tcp any interface outside eq ftp-data log informational interval 300 (hitcnt=0) 0xa0fc3013
LB(config)#



After:

LB# sh access-l outside_access_in
access-list outside_access_in; 18 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any interface outside eq 5909 log informational interval 300 (hitcnt=24) 0x3d572a03
access-list outside_access_in line 2 extended permit icmp any any (hitcnt=105975) 0x71af81e1
access-list outside_access_in line 3 extended permit tcp any interface outside eq smtp log informational interval 300 (hitcnt=62896) 0x5a49ed8a
access-list outside_access_in line 4 extended permit tcp any interface outside eq https log informational interval 300 (hitcnt=614037) 0xb78265a9
access-list outside_access_in line 5 extended permit tcp any interface outside eq www log informational interval 300 (hitcnt=719) 0xf8a43354
access-list outside_access_in line 6 extended permit tcp any interface outside eq 587 log informational interval 300 (hitcnt=2) 0x1e27a6a6
access-list outside_access_in line 7 extended permit tcp any interface outside eq 4050 log informational interval 300 (hitcnt=3) 0xa33af62c
access-list outside_access_in line 8 extended permit tcp any interface outside eq 4051 log informational interval 300 (hitcnt=0) 0xaf79715c
access-list outside_access_in line 9 extended permit tcp any interface outside eq 4052 log informational interval 300 (hitcnt=0) 0xfa44696b
access-list outside_access_in line 10 extended permit tcp any interface outside eq 4000 log informational interval 300 (hitcnt=4) 0x716734b0
access-list outside_access_in line 11 extended permit tcp any interface outside eq 4199 log informational interval 300 (hitcnt=80) 0xdc80b552
access-list outside_access_in line 12 extended permit tcp any interface outside eq 4144 log informational interval 300 (hitcnt=0) 0x62c48d21
access-list outside_access_in line 13 extended permit tcp any interface outside eq 4155 log informational interval 300 (hitcnt=0) 0x6f5fe1de
access-list outside_access_in line 14 extended permit tcp any interface outside eq 4156 log informational interval 300 (hitcnt=0) 0xeee7ec32
access-list outside_access_in line 15 extended permit tcp any interface outside eq ftp log informational interval 300 (hitcnt=2519) 0xe4fa0d23
access-list outside_access_in line 16 extended permit tcp any interface outside eq 4157 log informational interval 300 (hitcnt=140) 0x4a967885
access-list outside_access_in line 17 extended permit tcp any interface outside eq 4006 log informational interval 300 (hitcnt=1) 0x212aa96e
access-list outside_access_in line 18 extended permit tcp any interface outside eq ftp-data log informational interval 300 (hitcnt=0) 0xa0fc3013
LB#


I am using an ASA 5505; all on the same LAN.
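The before/after comparison in the post above is easier to read by machine than by eye across 18 ACEs. The following is an added example (not code from the thread, Cisco, or any poster) that parses two captures of `show access-list` output and reports only the entries whose hit counter moved, then sums the movement per `eq <service>` keyword. The two captures are constructed from the thread's output, trimmed to the ICMP, ftp and ftp-data entries; everything else is a hypothetical helper name.

```python
"""Diff ASA 'show access-list' hit counters captured before and after a test.

Added example, not part of the thread. It automates the check requested
above: capture the ACL, run the failing FTP test, capture again, and see
which ACEs actually matched. BEFORE/AFTER are constructed from the thread's
output, cut down to three ACEs.
"""
import re

# One ACE line of 'show access-list <name>' output, e.g.
# access-list outside_access_in line 15 extended permit tcp any interface outside eq ftp log informational interval 300 (hitcnt=2516) 0xe4fa0d23
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<ace>.+?)\s+\(hitcnt=(?P<hits>\d+)\)"
)

BEFORE = """\
LB(config)# sh access-l outside_access_in
access-list outside_access_in; 18 elements; name hash: 0x6892a938
access-list outside_access_in line 2 extended permit icmp any any (hitcnt=105959) 0x71af81e1
access-list outside_access_in line 15 extended permit tcp any interface outside eq ftp log informational interval 300 (hitcnt=2516) 0xe4fa0d23
access-list outside_access_in line 18 extended permit tcp any interface outside eq ftp-data log informational interval 300 (hitcnt=0) 0xa0fc3013
"""

AFTER = """\
LB# sh access-l outside_access_in
access-list outside_access_in; 18 elements; name hash: 0x6892a938
access-list outside_access_in line 2 extended permit icmp any any (hitcnt=105975) 0x71af81e1
access-list outside_access_in line 15 extended permit tcp any interface outside eq ftp log informational interval 300 (hitcnt=2519) 0xe4fa0d23
access-list outside_access_in line 18 extended permit tcp any interface outside eq ftp-data log informational interval 300 (hitcnt=0) 0xa0fc3013
"""


def parse_hitcounts(text):
    """Map ACE line number -> (ace text, hitcnt). Prompt/header lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            entries[int(m.group("line"))] = (m.group("ace"), int(m.group("hits")))
    return entries


def diff_hitcounts(before_text, after_text):
    """Return [(line, ace, delta)] for ACEs whose counter moved between captures.

    An ACE present only in 'after' is treated as starting from zero, so a rule
    added between the two captures still shows up.
    """
    before = parse_hitcounts(before_text)
    after = parse_hitcounts(after_text)
    changed = []
    for line, (ace, hits_after) in sorted(after.items()):
        hits_before = before.get(line, (ace, 0))[1]
        if hits_after != hits_before:
            changed.append((line, ace, hits_after - hits_before))
    return changed


def delta_for_service(changed, service):
    """Sum the deltas of ACEs whose body contains 'eq <service>' (keyword or number)."""
    pat = re.compile(r"\beq\s+%s(?:\s|$)" % re.escape(service))
    return sum(delta for _, ace, delta in changed if pat.search(ace))


if __name__ == "__main__":
    changed = diff_hitcounts(BEFORE, AFTER)
    for line, ace, delta in changed:
        print("line %2d  +%-6d %s" % (line, delta, ace))
    print("ftp control delta:", delta_for_service(changed, "ftp"))
    print("ftp-data delta   :", delta_for_service(changed, "ftp-data"))
```

Run it and the ftp control entry shows +3 while ftp-data stays at 0. That is expected in either FTP mode, not a sign of a problem: in passive mode the data connection goes from the client to a high port on the server (the pinhole that `inspect ftp` opens), and in active mode the server opens the data connection outbound from port 20, so an inbound `eq ftp-data` entry on the outside interface never matches.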

Author Comment

by:TJacoberger1
ID: 38832981
Looks like no change between before and after.

Accepted Solution

by:
pgolding00 earned 500 total points
ID: 38833628
Line 15 in the ACL is for FTP control and line 18 for the data flow. Comparing before and after indicates traffic is going where it should, as there are 3 more matches in the "after" output.

Just noticed a few things in your FileZilla output:

Command:      FEAT
Response:      211-FEAT
Response:          SIZE
Response:          MDTM
Response:      211 END
Therefore there is two-way communication in the control channel.

Command:      PWD
Response:      257 "/" is current directory.
Also indicates no problem with port 21.

Then we see these two:
Command:      PORT 10,10,200,107,196,124
Response:      500 Invalid PORT Command.
Command:      PASV
Response:      227 Entering Passive Mode (172,17,1,119,15,62).
Status:      Server sent passive reply with unroutable address. Using server address instead.

So the client sends PORT, the server rejects it - no drama. The client sends PASV (i.e. what address do I talk to you on?) and the client sees a response from the server with a private IP address, which the client correctly says is of no use.

It looks like you are missing FTP fixup, which would normally translate that PASV response address from 172.17.1.119 (which should be the real address of the FTP server) to the firewall outside interface address. Check the example config in the FTP section of the link below and verify you have similar, or add it in if it's not there. You can either add FTP inspect to the global policy or make an interface-specific policy for FTP. This is from version 8.3 but the syntax should be about the same.

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i2.html#wp1764962
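The accepted answer above and the FileZilla log earlier in the thread describe the same mechanism from two sides: the server embeds its inside address in the 227 reply, the client notices it is unroutable, and FTP inspection on the firewall is what should have rewritten it. The following is an added example (not code from the thread or from Cisco) that models that fix-up in Python: it parses a 227 reply, rewrites the address only when it matches the translated host's real address, reports the pinhole the firewall would open, and reproduces the client-side "use server address instead" fallback. The 227 line is the one from the FileZilla output; the mapped address 203.0.113.10 is an assumption (a documentation address standing in for the outside interface). Note the thread's `static` entries translate 192.168.1.119 while the 227 reply advertises 172.17.1.119; the example takes the real/mapped pair as parameters so both cases can be checked, and a non-matching address passes through unrewritten with no pinhole, which is what `show xlate` would help confirm on a real box.

```python
"""Model the PASV fix-up that ASA 'inspect ftp' performs on a 227 reply.

Added example, not code from the thread or from Cisco. The inside address
and port come from the thread's FileZilla output; 203.0.113.10 is an assumed
outside (mapped) address.
"""
import ipaddress
import re

# 227 reply carrying the h1,h2,h3,h4,p1,p2 tuple from RFC 959.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed from the thread's FileZilla log.
SAMPLE_REPLY = "227 Entering Passive Mode (172,17,1,119,15,62)."
# What IE showed in the original question: a 227 with no tuple at all.
BARE_REPLY = "227 Entering Passive Mode."


def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply; ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("no host/port tuple in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 in PASV reply: %r" % reply)
    return ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), port


def is_well_formed_pasv(reply):
    """True if parse_pasv() accepts the reply."""
    try:
        parse_pasv(reply)
        return True
    except ValueError:
        return False


def format_pasv(ip, port):
    """Build a 227 reply for ip/port in the same tuple format."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        str(ip).replace(".", ","), port // 256, port % 256)


def fixup_pasv(reply, real_ip, mapped_ip):
    """Rewrite a 227 reply the way an inspecting firewall does.

    Only an address equal to the translated host's real (inside) address is
    rewritten; anything else passes through untouched and no pinhole is
    opened. Returns (reply_to_send, pinhole), where pinhole is the
    (mapped_ip, port) pair the firewall must permit from the client.
    """
    ip, port = parse_pasv(reply)
    if ip != ipaddress.IPv4Address(real_ip):
        return reply, None
    mapped = ipaddress.IPv4Address(mapped_ip)
    return format_pasv(mapped, port), (str(mapped), port)


def client_data_target(reply, control_peer_ip):
    """FileZilla-style sanity check on the client side.

    If the advertised address is private and differs from the address the
    control connection is talking to, the client falls back to the control
    peer ("Using server address instead"). Returns (host, port, fell_back).
    """
    ip, port = parse_pasv(reply)
    if ip.is_private and str(ip) != control_peer_ip:
        return control_peer_ip, port, True
    return str(ip), port, False


if __name__ == "__main__":
    fixed, pinhole = fixup_pasv(SAMPLE_REPLY, "172.17.1.119", "203.0.113.10")
    print("server sent :", SAMPLE_REPLY)
    print("client sees :", fixed)
    print("pinhole     :", pinhole)
    print("no fix-up   :", client_data_target(SAMPLE_REPLY, "203.0.113.10"))
    print("real 192.168.1.119:", fixup_pasv(SAMPLE_REPLY, "192.168.1.119", "203.0.113.10"))
```

Two points the model makes concrete. First, the fallback FileZilla performs is a client courtesy, not a fix: even when the client guesses the right outside address, the data connection still needs a permit to the advertised port on the firewall, which is the pinhole inspection creates. Second, the rewrite is conditional on the address in the reply matching an existing translation, so an FTP server that advertises an address other than the one in the `static` entry will not be fixed up, and IE's bare "227 Entering Passive Mode." line in the original question gives an inspecting firewall nothing to rewrite at all.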

Author Comment

by:TJacoberger1
ID: 38836940
OK, so this worked:

However, it took the internet down lol. I'm guessing I blocked all traffic except for FTP on the inside interface.

What do I have to change?


class-map ftp-traffic
 match any
class-map match-all
 match port tcp eq ftp
!
!
policy-map type inspect ftp mymap
 parameters
  mask-banner
policy-map ftp-policy
 class ftp-traffic
  inspect ftp strict mymap
!
service-policy ftp-policy interface inside

Author Comment

by:TJacoberger1
ID: 38837137
I got it. Thanks for all your help.


Allow FTP Traffic:

!
class-map ftp-traffic
 match port tcp eq ftp
!
!
policy-map type inspect ftp mymap
 parameters
  mask-banner
policy-map ftp-policy
 class ftp-traffic
  inspect ftp strict mymap
!
service-policy ftp-policy interface inside