Solved

ASA 5515-X: Users cannot access FTP servers outside our network

Posted on 2014-03-14
73 Views
Last Modified: 2015-10-09
I've got a bit of a strange issue in one of our client networks.  We recently set up a brand new network for them using a new ASA 5515-X as the main firewall.  Things work great (these new devices are very powerful!), but despite my best efforts, client computers are unable to access FTP servers outside of our network.

One additional complication is that we have an FTP server inside our network that is externally accessible, so port 21 is NAT'd for that system.  However, I disabled that rule as a test and nothing changed.

Attached is a sanitized config for our firewall.
Sanitized-Config.txt
Question by:ravib123
7 Comments
 
LVL 40

Expert Comment

by:omarfarid
ID: 39930130
FTP works on two TCP ports, 20 & 21.

Make sure the firewall allows these ports.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39930136
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39930314
0

 
LVL 1

Author Comment

by:ravib123
ID: 39943898
You need to add the following lines to your configuration:

policy-map global_policy
 class inspection_default
  inspect ftp

Already tried that; check the configuration posted.  No effect.
0
 
LVL 1

Author Comment

by:ravib123
ID: 39943908
FTP works on two TCP ports, 20 & 21.

Make sure the firewall allows these ports.

Yes, it does.  The firewall is configured to allow both of these ports from anything to anything.
0
 
LVL 1

Author Comment

by:ravib123
ID: 39943919
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.

This is true for passive FTP connections; however, that would suggest that I can only have a single client PC on the entire network functional, and I simply cannot forward these ports to a single client PC when I already have them forwarded to our FTP server for salespeople and customers to access.
0
 
LVL 83

Accepted Solution

by: Dave Baldwin (earned 500 total points)
ID: 39943953
No, that is true for both active and passive connections.  The only difference is whether the client or the server chooses the 'ephemeral' ports.
1
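To make the accepted answer concrete, here is an added example (not code from the thread or from Cisco) that parses the two control-channel messages in which FTP announces its data connection: the client's PORT command in active mode and the server's 227 reply in passive mode. The two sample lines and their addresses are constructed for the example. It decodes the RFC 959 h1,h2,h3,h4,p1,p2 tuple, records which side chose the ephemeral port and which side opens the data connection, and prints the single TCP flow a stateful inspector (on the ASA, `inspect ftp`) has to permit for that transfer. The point it demonstrates is that a static "allow 20 and 21" rule is never enough in either mode, because the port that matters is only visible inside the port 21 conversation. The optional `peer` argument is an assumption about good inspector behaviour, not a documented ASA feature: it rejects an announced address that differs from the control-connection peer.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample control-channel lines (not taken from the thread):
# an active-mode PORT command sent by a client, and a passive-mode 227
# reply sent by a server. Addresses are private/documentation ranges.
ACTIVE_CLIENT_LINE = "PORT 192,168,1,50,195,80"
PASSIVE_SERVER_LINE = "227 Entering Passive Mode (203,0,113,10,19,137)."

_HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" or "passive"
    chooser: str     # which side picked the ephemeral port
    initiator: str   # which side opens the TCP data connection
    host: str        # address the data connection goes to
    port: int        # ephemeral port, decoded as p1 * 256 + p2


def _decode_host_port(text: str):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple into (host, port)."""
    m = _HOST_PORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found in: %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %r" % text)
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_data_channel(line: str, peer: Optional[str] = None) -> DataChannel:
    """Work out the data connection that a control-channel line announces.

    `peer` (optional, an assumption of this example) is the address of the
    other end of the control connection; when given, the announced address
    must match it, so the control channel cannot name an unrelated host.
    """
    text = line.strip()
    if text.upper().startswith("PORT "):
        host, port = _decode_host_port(text)
        mode, chooser, initiator = "active", "client", "server"
    elif text.startswith("227"):
        host, port = _decode_host_port(text)
        mode, chooser, initiator = "passive", "server", "client"
    else:
        raise ValueError("not a PORT command or a 227 reply: %r" % line)
    if port < 1024:
        # Data ports are ephemeral (above 1024); anything lower is suspect.
        raise ValueError("announced data port %d is not an ephemeral port" % port)
    if peer is not None and host != peer:
        raise ValueError("announced address %s does not match control peer %s" % (host, peer))
    return DataChannel(mode, chooser, initiator, host, port)


def pinhole(channel: DataChannel) -> str:
    """Describe the one TCP flow a stateful inspector must permit for this transfer.

    Without inspection the firewall only ever sees port 21; this flow is the
    one no static rule can predict, in either mode.
    """
    if channel.mode == "active":
        # The server dials out from port 20 to the client's chosen port.
        return f"server:20 -> {channel.host}:{channel.port}"
    # The client dials the server's chosen port from any source port.
    return f"client:* -> {channel.host}:{channel.port}"


if __name__ == "__main__":
    for line in (ACTIVE_CLIENT_LINE, PASSIVE_SERVER_LINE):
        ch = parse_data_channel(line)
        print(f"{ch.mode:8} port chosen by {ch.chooser}, connection opened by {ch.initiator}: {pinhole(ch)}")
```

Run as-is it prints one line per mode. Active: the client chose port 50000 and the server must connect in from port 20. Passive: the server chose port 5001 and the client must connect out to it. Either way the firewall has to learn that ephemeral port from the control channel, which is why the inspection is needed rather than a per-client port forward.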
