  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 115

ASA 5515-X: Users cannot access FTP servers outside our network

I've got a bit of a strange issue in one of our client networks.  We recently set up a brand new network for them using a new ASA 5515-X as the main firewall.  Things work great (these new devices are very powerful!) but despite my best efforts client computers are unable to access FTP servers outside of our network.

One additional complication is that we have an FTP server inside our network that is externally accessible, so port 21 is NAT'd for that system.  However I disabled that rule as a test and nothing changed.

Attached is a sanitized config for our firewall
Sanitized-Config.txt
0
Asked: ravib123
1 Solution
 
omarfarid Commented:
FTP works on two TCP ports, 20 and 21.

Make sure the firewall allows these ports.
0
 
Dave Baldwin (Fixer of Problems) Commented:
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.
0
 
Mohammed Khawaja (Manager - Infrastructure: Information Technology) Commented:
0
 
ravib123 (Author) Commented:
You need to add the following lines to your configuration:

policy-map global_policy
 class inspection_default
  inspect ftp

Already tried that - check the configuration posted.  No effect.
0
 
ravib123 (Author) Commented:
FTP works on two TCP ports 20 & 21

make sure firewall allows these ports

Yes, it does. The firewall is configured to allow both of these ports from anything to anything.
0
 
ravib123 (Author) Commented:
This question gets asked fairly often.  FTP requires ports 20, 21, and a range of ephemeral ports above port 1024.  That makes it a pain to set up in a firewall.  There are probably specialized config instructions somewhere to tell you how to do that in the ASA 5515-X.

This is true for passive FTP connections; however, that would suggest that I can only have a single client PC on the entire network functional, and I simply cannot forward these ports to a single client PC when I already have them forwarded to our FTP server for salespeople and customers to access.
0
 
Dave Baldwin (Fixer of Problems) Commented:
No, that is true for both active and passive connections.  The only difference is whether the client or the server chooses the 'ephemeral' ports.
1
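As an added example that is not part of the original thread, the mechanism Dave Baldwin describes in his two comments, emulated in Python: a constructed FTP control-channel exchange is parsed the way a stateful firewall's FTP inspection engine (what `inspect ftp` enables on the ASA) has to parse it. The ephemeral data port is computed from the `PORT` command in active mode (port chosen by the client) and from the `227` reply in passive mode (port chosen by the server), a NATed address embedded in the `227` reply is rewritten, and a `PORT` naming a third-party host is refused. This is why a rule that only permits TCP 20 and 21 cannot carry FTP on its own. All addresses and the session transcript are constructed, and the `Pinhole`, `inspect_control_channel` and other names are this example's own, not ASA syntax.

```python
"""
Added example, not from the original thread: emulate what a stateful
firewall's FTP inspection engine ("inspect ftp" on the ASA) does when it
reads the control channel.  Only the control connection uses TCP/21; each
data transfer is a second TCP connection whose endpoint is announced in
the control stream as h1,h2,h3,h4,p1,p2 (RFC 959): in active mode the
client sends "PORT ..." and the server connects from TCP/20 to it, in
passive mode the server replies "227 ... (...)" and the client connects to
it.  The port is p1*256+p2, an ephemeral port above 1023 that a static
rule for ports 20/21 never matches, so the firewall must parse the
announcement, pin-hole exactly that flow, and rewrite a NATed address.
All addresses and control lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

# h1,h2,h3,h4,p1,p2 tuple shared by the PORT command and the 227 reply
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    mode: str      # "active" or "passive"
    src: str       # side that initiates the data connection
    dst: str       # side that accepts it
    dst_port: int  # ephemeral data port the firewall must permit


def decode_hostport(text: str):
    """Return (address, port) from a PORT command or a 227 reply."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in {text!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port < 1024:
        # Data ports are ephemeral; a privileged port is a bogus
        # announcement that must never become a pin-hole.
        raise ValueError(f"refusing data port {port} below 1024")
    return host, port


def encode_hostport(host: str, port: int) -> str:
    """Inverse of decode_hostport, used when rewriting a NATed 227 reply."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def inspect_control_channel(client_ip, server_ip, lines, nat=None):
    """Walk control lines ("C: ..." from the client, "S: ..." from the
    server); return (pinholes, rewritten_lines).  nat maps an inside
    address a NATed server embeds in its 227 reply to the address the
    client really reaches, which is what the inspection engine rewrites."""
    nat = nat or {}
    pinholes, rewritten = [], []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C" and text.upper().startswith("PORT "):
            host, port = decode_hostport(text)
            if host != client_ip:
                # A third-party address in PORT is the classic FTP bounce
                # attack; a stateful firewall must not pin-hole it.
                raise ValueError(f"PORT for {host} from {client_ip} rejected")
            pinholes.append(Pinhole("active", server_ip, host, port))
        elif side == "S" and text.startswith("227"):
            host, port = decode_hostport(text)
            if host in nat:
                host = nat[host]
                text = HOSTPORT_RE.sub(encode_hostport(host, port), text, count=1)
            if host != server_ip:
                raise ValueError(f"227 announces {host}, expected {server_ip}")
            pinholes.append(Pinhole("passive", client_ip, host, port))
        rewritten.append(f"{side}: {text}")
    return pinholes, rewritten


# Constructed control-channel exchange: one active and one passive transfer.
SAMPLE_SESSION = [
    "S: 220 FTP server ready",
    "C: PORT 192,0,2,10,200,20",                          # active, port 51220
    "S: 200 PORT command successful",
    "C: LIST",
    "S: 226 Transfer complete",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,5,195,80)",  # passive, port 50000
    "C: RETR README",
    "S: 226 Transfer complete",
    "C: QUIT",
]


def sample_pinholes():
    """Pin-holes the firewall would have to open for SAMPLE_SESSION."""
    return inspect_control_channel("192.0.2.10", "203.0.113.5", SAMPLE_SESSION)[0]


if __name__ == "__main__":
    for p in sample_pinholes():
        print(f"{p.mode:8s} permit tcp host {p.src} host {p.dst} eq {p.dst_port}")
```

Running the block prints one would-be access rule per data transfer, which is exactly what a static `permit tcp any any eq 20/21` cannot express because the ports only exist once the control channel has announced them. On the ASA the equivalent of this emulation is the `inspect ftp` line the thread already quotes; `show service-policy inspect ftp` shows whether that policy is actually attached and whether it is seeing packets, which is the first check to make when the policy-map is present but outbound FTP still fails.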
