In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.
Open Passive FTP Connection through Cisco ASA5520 Firewall
I am looking for help to allow members of our LAN to access passive FTP connections through a Cisco ASA5520 Firewall. The main issue i have is that i don't speak Cisco at all. I long for a web interface but alas no. If anyone can help point me in the right direction. Here is some information that i hope is relevant.
WAN port is called Example_Outside
LAN port is called Example_Inside
If it can be done using network-object and access-list i would be very grateful. I would even be delighted to get this to work on a single PC with IP address 192.168.45.234
Thank you
WAN port is called Example_Outside
LAN port is called Example_Inside
If it can be done using network-object and access-list i would be very grateful. I would even be delighted to get this to work on a single PC with IP address 192.168.45.234
Thank you
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
I suggest you use ASDM for ASA management. So much easier for managing security rules, network groups, nested network groups, etc. Cisco routers and switches I use CLI, but ASDM GUI for ASA firewall.
Dan's comment is spot on. The only issue you may have is if you are using encrypted ftp (ftp-ssl). Since the session is encrypted the ASA can't inspect the commands. If the server supports the CCC command, after you login you can issue it. That will cause all commands to be sent in clear text so the ASA can inspect.
If the server does not support the CCC command, then you need to find out what port range the server uses for passive ftp connections and then setup a rule that allows outbound tcp packets destine to the server within that port range.
If the server does not support the CCC command, then you need to find out what port range the server uses for passive ftp connections and then setup a rule that allows outbound tcp packets destine to the server within that port range.
Hello
I have added
policy-map global_policy
class inspection_default
inspect ftp
unfortunately no change. The connection isn't encrypted. The outbound connection is fine, it's the return, it is unable to retrieve the directory listing.
Thank you for the suggestions of setting up ASDM but on a firewall of this age the spec of the PC required is XP and NOT patched with an old version of firefox - Ok to do but not an option as i am remote.
I have added
policy-map global_policy
class inspection_default
inspect ftp
unfortunately no change. The connection isn't encrypted. The outbound connection is fine, it's the return, it is unable to retrieve the directory listing.
Thank you for the suggestions of setting up ASDM but on a firewall of this age the spec of the PC required is XP and NOT patched with an old version of firefox - Ok to do but not an option as i am remote.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
1. Can you please post the result of the following command, obfuscating the real IPs?
sho run
2. ASDM is a Java app. It runs on Win XP - Win 10. No Firefox required.
sho run
2. ASDM is a Java app. It runs on Win XP - Win 10. No Firefox required.
I use ASDM on Windows 8.1 and Windows 10 using current version of Java just fine. I don't even have Firefox.
Thank you again for the replies. here is the output requested
xxxxxxFWGW.txt
xxxxxxFWGW.txt
What FTP client are you using to test with? The ftp client that comes with Windows only supports active FTP.
Is there away you can run a packet capture to verify what the client is sending out and what the server is returning? To do this you will need to run the capture in front of the firewall on the firewall.
Is there away you can run a packet capture to verify what the client is sending out and what the server is returning? To do this you will need to run the capture in front of the firewall on the firewall.
Closing down ticket - we never got a solution.
Awarding points to Dan, for the most in-depth resposnes.
Awarding points to Dan, for the most in-depth resposnes.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
policy-map global_policy
class inspection_default
inspect ftp
HTH,
Dan