Solved

ASA 5515-X: Users cannot access FTP servers outside our network

Posted on 2014-03-14
Last Modified: 2015-10-09
I've got a bit of a strange issue in one of our client networks.  We recently set up a brand new network for them using a new ASA 5515-X as the main firewall.  Things work great (these new devices are very powerful!) but despite my best efforts client computers are unable to access FTP servers outside of our network.

One additional complication is that we have an FTP server inside our network that is externally accessible, so port 21 is NAT'd for that system.  However I disabled that rule as a test and nothing changed.

Attached is a sanitized config for our firewall
Sanitized-Config.txt
Question by:ravib123
7 Comments
 
LVL 40

Expert Comment

by:omarfarid
ID: 39930130
FTP works on two TCP ports 20 & 21

make sure firewall allows these ports
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39930136
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39930314
 
LVL 1

Author Comment

by:ravib123
ID: 39943898
You need to add the following lines to your configuration:

policy-map global_policy
 class inspection_default
  inspect ftp

Already tried that - check the configuration posted.  No effect.
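An added check, constructed for this page and not taken from the poster's sanitized config (and not a fix the thread confirms): having `inspect ftp` in `global_policy` is necessary, but it only proves something if the policy is actually bound and the inspector is counting packets. The default class, `match default-inspection-traffic`, matches FTP only on TCP/21, and the policy-map does nothing unless `service-policy global_policy global` is present. The commands below show whether the policy is applied and whether its counters move while a client attempts a transfer; the server address 198.51.100.5 and the alternate control port 2121 are assumed values standing in for whatever the real server uses.

```cisco
! Confirm what the inspector is attached to and that the policy is bound.
show run class-map inspection_default
show run policy-map global_policy
show run service-policy
!
! Packet counters per inspection engine. If these stay at zero while a
! client tries to connect, the control channel is not reaching "inspect ftp"
! (wrong port, policy not bound, or traffic not passing through the ASA).
show service-policy inspect ftp
!
! While a client runs "ls"/"dir": the control connection should be visible,
! and if inspection opened the data pinhole, a second connection to the same
! server appears for the duration of the listing.
show conn port 21
show conn address 198.51.100.5
!
! Caveat: the default class matches FTP only on TCP/21. A server whose control
! channel is on another port (2121 is an assumed example) is passed through
! uninspected, so no data pinhole is ever opened. Give it its own class:
access-list FTP-ALT extended permit tcp any any eq 2121
class-map FTP-ALT-CLASS
 match access-list FTP-ALT
policy-map global_policy
 class FTP-ALT-CLASS
  inspect ftp
```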
 
LVL 1

Author Comment

by:ravib123
ID: 39943908
FTP works on two TCP ports 20 & 21

make sure firewall allows these ports

Yes it does.  The firewall is configured to allow both of these ports from anything to anything.
 
LVL 1

Author Comment

by:ravib123
ID: 39943919
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.

This is true for Passive FTP connections - however that would suggest that I can only have a single client PC on the entire network functional, and I simply cannot forward these ports to a single client PC when I already have them forwarded to our FTP server for salespeople and customers to access.
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 1500 total points
ID: 39943953
No, that is true for both active and passive connections.  The only difference is whether the client or the server chooses the 'ephemeral' ports.
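To make the active/passive distinction in the accepted answer concrete, here is an added example (not code from the thread, and not Cisco's implementation) that decodes the FTP control channel the way a stateful inspector such as `inspect ftp` has to, so that the firewall knows which data connection to expect. It handles `PORT` (active), `227` (passive) and `229` (extended passive, RFC 2428) and also flags a `PORT` command whose address is not the client's, which is the FTP bounce pattern an inspector should refuse. The addresses (192.0.2.10 inside, 198.51.100.5 outside) and the session transcript are constructed for illustration. The takeaway it demonstrates: in active mode the server dials back in from TCP/20 to an address the client advertised, so behind NAT the client advertises a private address and the inbound connection is unsolicited, which is exactly what inspection must rewrite and pinhole; in passive mode the client dials out, so a policy that permits all outbound passes it even with no inspection at all.

```python
"""Decode FTP data-channel announcements from a control-channel transcript.

Added example, constructed for this page; not the ASA's own inspection code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Client -> server, active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# Server -> client, passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server -> client, extended passive (RFC 2428): "229 ... (|||port|)"
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


@dataclass
class DataChannel:
    mode: str                 # "active" or "passive"
    initiator: str            # which side opens the TCP data connection
    src_ip: str
    src_port: Optional[int]   # 20 in active mode; None = ephemeral, unknown ahead of time
    dst_ip: str
    dst_port: int
    bounce_suspect: bool = False  # PORT named an address other than the client's

    def allowed_without_inspection(self) -> bool:
        """True if a firewall that permits all outbound and denies unsolicited
        inbound would pass this data connection with no FTP inspection.
        The client is assumed to be the inside host."""
        return self.initiator == "client"


def _decode(h1: str, h2: str, h3: str, h4: str, p1: str, p2: str) -> Tuple[str, int]:
    """Turn the six comma-separated decimal fields into (ip, port)."""
    octets = [int(x) for x in (h1, h2, h3, h4)]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address octets: {octets}")
    port = int(p1) * 256 + int(p2)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ".".join(str(o) for o in octets), port


def data_channels(session: List[Tuple[str, str]], client_ip: str,
                  server_ip: str) -> List[DataChannel]:
    """session: list of (direction, line); "C>" is client->server, "S>" is
    server->client. Returns one DataChannel per PORT / 227 / 229 seen."""
    found: List[DataChannel] = []
    for direction, line in session:
        line = line.rstrip("\r\n")
        if direction == "C>":
            m = PORT_RE.match(line)
            if m:
                ip, port = _decode(*m.groups())
                # Active: the *server* dials back from TCP/20 to what the client advertised.
                found.append(DataChannel("active", "server", server_ip, 20, ip, port,
                                         bounce_suspect=(ip != client_ip)))
        elif direction == "S>":
            m = PASV_RE.match(line)
            if m:
                ip, port = _decode(*m.groups())
                # Passive: the *client* dials out to the server's ephemeral port.
                found.append(DataChannel("passive", "client", client_ip, None, ip, port))
                continue
            m = EPSV_RE.match(line)
            if m:
                # EPSV carries only the port; the address is the control-channel peer.
                found.append(DataChannel("passive", "client", client_ip, None,
                                         server_ip, int(m.group(1))))
    return found


# Constructed transcript: inside client 192.0.2.10 talking to outside server
# 198.51.100.5, doing one active listing and then one passive listing.
SAMPLE_SESSION = [
    ("S>", "220 example FTP ready"),
    ("C>", "USER anonymous"),
    ("S>", "331 Please specify the password."),
    ("C>", "PASS guest@"),
    ("S>", "230 Login successful."),
    ("C>", "PORT 192,0,2,10,4,1"),                                # 192.0.2.10:1025
    ("S>", "200 PORT command successful."),
    ("C>", "LIST"),
    ("S>", "150 Here comes the directory listing."),
    ("S>", "226 Directory send OK."),
    ("C>", "PASV"),
    ("S>", "227 Entering Passive Mode (198,51,100,5,195,80)."),  # 198.51.100.5:50000
    ("C>", "LIST"),
    ("S>", "150 Here comes the directory listing."),
    ("S>", "226 Directory send OK."),
]


def explain(session=SAMPLE_SESSION, client_ip="192.0.2.10",
            server_ip="198.51.100.5") -> List[str]:
    """One human-readable verdict per announced data channel."""
    out = []
    for ch in data_channels(session, client_ip, server_ip):
        src = f"{ch.src_ip}:{ch.src_port if ch.src_port else 'ephemeral'}"
        verdict = "passes" if ch.allowed_without_inspection() else "is DROPPED"
        note = " (PORT address != client: bounce attempt)" if ch.bounce_suspect else ""
        out.append(f"{ch.mode:7} {ch.initiator} opens {src} -> {ch.dst_ip}:{ch.dst_port}; "
                   f"without FTP inspection this {verdict}{note}")
    return out


if __name__ == "__main__":
    print("\n".join(explain()))
```

Run it and the active listing shows the server opening 198.51.100.5:20 -> 192.0.2.10:1025, an inbound connection to a private address that no outside host can reach and that a default-deny inbound policy drops, while the passive listing shows the client opening an outbound connection to 198.51.100.5:50000, which a permit-all-outbound policy passes on its own. That is why "try passive mode on the client" is a quick way to tell whether the ASA's inspection is the problem or whether outbound traffic itself is being blocked.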
