Solved

ASA 5515-X: Users cannot access FTP servers outside our network

Posted on 2014-03-14
7
96 Views
Last Modified: 2015-10-09
I've got a bit of a strange issue in one of our client networks.  We recently set up a brand new network for them using a new ASA 5515-X as the main firewall.  Things work great (these new devices are very powerful!) but despite my best efforts client computers are unable to access FTP servers outside of our network.

One additional complication is that we have an FTP server inside our network that is externally accessible, so port 21 is NAT'd for that system.  However I disabled that rule as a test and nothing changed.

Attached is a sanitized config for our firewall
Sanitized-Config.txt
0
Comment
Question by:ravib123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 40

Expert Comment

by:omarfarid
ID: 39930130
FTP works on two TCP ports 20 & 21

make sure firewall allows these ports
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39930136
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39930314
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 1

Author Comment

by:ravib123
ID: 39943898
You need add the following lines to your configuration:

policy-map global_policy
 class inspection_default
  inspect ftp

Already tried that - check the configuration posted.  No effect.
0
 
LVL 1

Author Comment

by:ravib123
ID: 39943908
FTP works on two TCP ports 20 & 21

make sure firewall allows these ports

Yes it does.  The firewall is configured to allow both of these ports from anything to anything.
0
 
LVL 1

Author Comment

by:ravib123
ID: 39943919
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.

This is true for Passive FTP connections - however that would suggest that I can only have a single client PC on the entire network functional, and I simply cannot forward these ports to a single client PC when I already have them forwarded to our FTP server for salespeople and customers to access.
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 39943953
No, that is true for both active and passive connections.  The only difference is whether the client or the server chooses the 'ephemeral' ports.
1

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question