FTP Server is no longer accessible externally

Last week, our Internet went down. We pulled the plug on the ASA to cycle power on it and the Internet came back up. However, the next day, some of our employees working offsite said they could not connect to the FTP server. We can connect internally. The FTP server plugs into the DMZ. We have since restarted that. We have also restarted the server a few times. Here are some of the things I have checked:
config of the ASA
config and port of the DMZ
our A records with our domain provider
our rDNS
the config of the IIS
the FTP publishing and IIS services
the event log
the DNS entries to our ISP
the firewall on the server
our AD and DNS
These checked out okay.  I'm not sure what else to do at this point.
tmaususer Asked:

giltjr Commented:
Can you post the config of your ASA?  Of course mask any private information.

Have you done a packet capture from the ASA to see if traffic going to your FTP server is hitting it from the outside?

Are there any other services that you host?  Are they accessible from the Internet?
tmaususer (Author) Commented:
All the other services are working.
I'm not permitted to post the config. It doesn't appear to have changed when comparing it to the backup.
Not sure how to do a packet capture. Can I put Wireshark on the FTP server to do this?
You're saying to look at traffic going from the ASA to the FTP server?
tmaususer (Author) Commented:
You're saying to look at traffic going from the ASA to the FTP server and see if there are any signs of external traffic?
giltjr Commented:
You need to look at the traffic coming into the ASA and traffic leaving the ASA.

Since you can't post the ASA configuration, I would suggest you carefully look at the configuration to make sure:

1) NAT is correct.
2) You have the correct policy to allow inbound traffic for the public IP address and port 21 to be forwarded to your FTP server.
3) That there is not a more generic policy that blocks traffic to the FTP server's IP address or to port 21 that is further up, "before", the policy that allows FTP traffic in.
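
Point 3 above is about first-match rule ordering. The following is an added example, not part of the original thread and not an ASA configuration parser: a simplified first-match model in Python that flags a broader deny sitting above the FTP permit. The addresses (192.0.2.0/24) and the names `Rule`, `first_match` and `shadowed` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination TCP port; None matches any port

    def matches(self, dst_ip, port):
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        return in_net and self.port in (None, port)

    def covers(self, other):
        """True when every packet `other` matches is also matched by this rule."""
        net_ok = ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
        return net_ok and self.port in (None, other.port)

def first_match(rules, dst_ip, port):
    """Return (index, rule) of the first rule that matches; implicit deny if none does."""
    for i, rule in enumerate(rules):
        if rule.matches(dst_ip, port):
            return i, rule
    return None, Rule("deny", "0.0.0.0/0", None)

def shadowed(rules):
    """(earlier, later) index pairs where an earlier rule with the opposite
    action covers a later rule, so the later rule can never take effect."""
    return [(i, j)
            for j, later in enumerate(rules)
            for i, earlier in enumerate(rules[:j])
            if earlier.action != later.action and earlier.covers(later)]

# Constructed rule sets (documentation address range, not from the thread).
FTP = "192.0.2.21"
BROKEN = [
    Rule("permit", "192.0.2.80/32", 443),   # some other published service
    Rule("deny",   "192.0.2.0/24", None),   # generic block, placed too high
    Rule("permit", "192.0.2.21/32", 21),    # FTP control channel, never reached
]
FIXED = [BROKEN[0], BROKEN[2], BROKEN[1]]   # specific permit moved above the deny

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        idx, rule = first_match(rules, FTP, 21)
        print(name, "-> rule", idx, rule.action, "| shadowed pairs:", shadowed(rules))
```
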

tmaususer (Author) Commented:
Okay,
I don't think the config changed, it compares okay with the backup. I don't know enough to know if the policies are correct. I don't know the commands to track traffic in the ASA, but I can try looking it up.

Aside from the normal initial troubleshooting steps, are there any common known issues that can cause this after power is lost to an ASA?
giltjr Commented:
I would double check the configuration. If a change was made to the ASA to get FTP working and nobody ever did a "write mem" to copy the running configuration to the startup configuration then when you power cycled the ASA an old configuration may have been loaded.

Depending on how you did your backup, the backup could match the currently running configuration, but it may not be what the ASA was running before it went down.

I would say that 99% of the time if something was working and then a device was restarted/rebooted and that something was no longer working it is because a change was made and never saved.
tmaususer (Author) Commented:
Okay,
Sounds logical.  Thanks!  Our network assistance provider is going to remote in later and try to help.  I will let you know what happens.
tmaususer (Author) Commented:
It turns out the ISP had the wrong MAC address entered for FTP address.
tmaususer (Author) Commented:
The config turned out to be okay. Our ISP had the wrong MAC address entered on their side for our FTP services.
tmaususer (Author) Commented:
Our Cisco provider was able to see that the traffic was not even reaching the firewall so we contacted our ISP and they had the wrong MAC entered on their side. Thank you for suggesting that we should monitor the traffic!
tmaususer (Author) Commented:
As giltjr suggested, the key was seeing that traffic was not reaching the firewall.  Turned out our ISP had the wrong MAC address for our firewall for the FTP address.
giltjr Commented:
Thanks for the points. But the solution confuses me. Your ISP should not have a static MAC coded for anything within your network. I am assuming they had this defined as a static ARP entry, which they should not be doing.
tmaususer (Author) Commented:
Our ISP said they require the MAC for our ASA.  They had the correct MAC for our ASA associated with all of our assigned IP addresses except for the FTP address.  Now, all of our IP addresses have the correct MAC for our ASA.
Sorry I wasn't clear.  I didn't mean the MAC address of our FTP server.
Am I understanding correctly?
giltjr Commented:
I'm still confused as to why they need to have the MAC for anything defined statically. ARP processing should find that out dynamically and the ARP cache typically has a timeout when the cached entry would get deleted and ARP processing run again to find out.

Of course there is the question of, how was FTP working beforehand if they did not have the FTP address defined properly to start with.
tmaususer (Author) Commented:
Yeah, it is weird.  I think their ARP table did update for our other addresses when power was restored to the ASA, but not the FTP.  Our Cisco vendor asked the same question.  The ISP said something to lead us to believe they had plugged a test laptop into our connection at an offsite location, causing the initial outage to begin with.  But I really have no idea what kind of crazy setup the telecom may have.

At any rate, the ISP did something on their end and it started working.
I really appreciate your help.