Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

ASA 5515-X: Users cannot access FTP servers outside our network

Posted on 2014-03-14
7
88 Views
Last Modified: 2015-10-09
I've got a bit of a strange issue in one of our client networks.  We recently set up a brand new network for them using a new ASA 5515-X as the main firewall.  Things work great (these new devices are very powerful!) but despite my best efforts client computers are unable to access FTP servers outside of our network.

One additional complication is that we have an FTP server inside our network that is externally accessible, so port 21 is NAT'd for that system.  However I disabled that rule as a test and nothing changed.

Attached is a sanitized config for our firewall
Sanitized-Config.txt
0
Comment
Question by:ravib123
7 Comments
 
LVL 40

Expert Comment

by:omarfarid
ID: 39930130
FTP works on two TCP ports 20 & 21

make sure firewall allows these ports
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39930136
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39930314
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 1

Author Comment

by:ravib123
ID: 39943898
You need add the following lines to your configuration:

policy-map global_policy
 class inspection_default
  inspect ftp

Already tried that - check the configuration posted.  No effect.
0
 
LVL 1

Author Comment

by:ravib123
ID: 39943908
FTP works on two TCP ports 20 & 21

make sure firewall allows these ports

Yes it does.  The firewall is configured to allow both of these ports from anything to anything.
0
 
LVL 1

Author Comment

by:ravib123
ID: 39943919
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.

This is true for Passive FTP connections - however that would suggest that I can only have a single client PC on the entire network functional, and I simply cannot forward these ports to a single client PC when I already have them forwarded to our FTP server for salespeople and customers to access.
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 39943953
No, that is true for both active and passive connections.  The only difference is whether the client or the server chooses the 'ephemeral' ports.
1

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question