Getting illegal port error while trying to access Outside FTP

Answered Question
Apr 29th, 2007

I just set up an ASA 5505. The last issue I have is I can't access FTP on the outside network.


Please see config attached.


Thanks.



Correct Answer by Rodrigo Gurriti, Sun, 04/29/2007 - 13:28

Well, you've got a few weird things in this config:


1. Your global (outside) 1 has a wrong netmask.

2. You have no interface specified for inside, but you have a nat (inside).

3. You don't need these access lists vengra_access_in and vengra_access_out.


When you do NAT, it allows anything from a higher-security interface (your int vengra) to any lower-security interface (outside).


Well, I saw a couple more weird options, but anyway I'll tell you why you cannot access FTP.


You need a policy inspection.


Just type this as I have it here.



class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global



This is the default policy inspection for the ASA. I don't recommend you remove it; you may want to tweak it a little bit, but I would not take it out.



To get more information on FTP, go to http://slacksite.com/other/ftp.html


And I also recommend you take a look at the types of firewall: packet filter, proxy filter and stateful packet filter.



PIXes and ASAs are stateful packet filters.
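Why `inspect ftp` matters here, as an added illustration that is not part of Rodrigo's answer or the poster's config: FTP negotiates its data connection inside the control channel, so a stateful filter that only tracks the TCP/21 session treats the data connection as an unrelated flow, and a NAT that does not look into the payload leaves the client's private address inside the PORT command, which is a common reason a server answers "500 Illegal PORT command". The snippet below parses the three ways the data channel is announced (PORT, 227 PASV reply, 229 EPSV reply), lists the extra flows an FTP-aware stateful filter has to open, and shows the PORT rewrite an FTP-aware NAT performs. The control-channel transcript, the addresses and all function names are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three ways an FTP session announces where the data connection goes.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)  # client -> server
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")                # server -> client
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")                         # server -> client (RFC 2428)


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "active" (server connects to client) or "passive" (client connects to server)
    host: str   # address the data connection goes to
    port: int   # TCP port on that host


def _decode_hostport(spec: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2) with range checks."""
    parts = [int(x) for x in spec.split(",")]
    if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
        raise ValueError(f"malformed host/port spec: {spec}")
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(x) for x in parts[:4]), port


def parse_control_line(line: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data channel announced by one control-channel line, or None.
    EPSV replies carry only a port, so the server address is supplied by the caller."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        host, port = _decode_hostport(m.group(1))
        return DataChannel("active", host, port)
    m = PASV_RE.match(line)
    if m:
        host, port = _decode_hostport(m.group(1))
        return DataChannel("passive", host, port)
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"EPSV port out of range: {port}")
        return DataChannel("passive", server_ip, port)
    return None


def pinholes(control_lines: List[str], client_ip: str, server_ip: str) -> List[Tuple[str, str, int]]:
    """Walk a control-channel transcript and list the (src, dst, dport) flows an
    FTP-aware stateful filter must allow in addition to the TCP/21 session."""
    flows = []
    for line in control_lines:
        ch = parse_control_line(line, server_ip)
        if ch is None:
            continue
        if ch.mode == "active":
            flows.append((server_ip, ch.host, ch.port))   # server dials back to the client
        else:
            flows.append((client_ip, ch.host, ch.port))   # client dials out to the server
    return flows


def nat_rewrite_port(line: str, translated_ip: str) -> str:
    """What an FTP-aware NAT does to an active-mode PORT command: replace the
    private address embedded in the payload with the translated address, so the
    server sees an address that matches the control connection."""
    m = PORT_RE.match(line.strip())
    if not m:
        return line
    _, port = _decode_hostport(m.group(1))
    octets = translated_ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or not 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad translated address: {translated_ip}")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


# Constructed sample transcript (hypothetical addresses, not from the thread).
SAMPLE_CONTROL = [
    "220 ftp ready",
    "USER anonymous",
    "331 Password required",
    "PASS guest@",
    "230 Logged in",
    "PORT 192,168,1,10,19,137",                          # active: client data port 5001
    "200 PORT command successful",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80)",    # passive: server port 50000
    "EPSV",
    "229 Entering Extended Passive Mode (|||50001|)",    # passive: server port 50001
]

if __name__ == "__main__":
    for src, dst, dport in pinholes(SAMPLE_CONTROL, "192.168.1.10", "203.0.113.5"):
        print(f"permit tcp {src} -> {dst}:{dport}")
    print(nat_rewrite_port("PORT 192,168,1,10,19,137", "198.51.100.7"))
```

The two halves map onto what the ASA's FTP inspection engine does for the original poster's situation: `pinholes` is the dynamic hole-punching a stateful filter needs because the data port is not known until it is announced in-band, and `nat_rewrite_port` is the payload fix-up that keeps a NATted inside client's PORT command consistent with the translated source address the outside server sees.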


slaider76 Mon, 04/30/2007 - 05:49

Thanks. What are the other weird options you see?

slaider76 Mon, 04/30/2007 - 06:58

Well, I added what you specified and it still does not seem to work. Also, when I remove the vengra access list I can't get to the outside.


Using the GUI, when I specify the global pool it says the netmask is optional. I did not specify one, and I guess what you see is what it put in as a default. What do you recommend?


Thanks


Edit:


Apparently it did not keep what I put in... I saw it... I rebooted the appliance and it must have erased it? I entered it through the GUI command line interface... I will try again.

Rodrigo Gurriti Mon, 04/30/2007 - 13:54

Nothing serious, but for example:

mtu inside 1500
mtu outside 1500
mtu vengra 1500


It's not really needed.


PS. When you make changes to the NATting, do a clear xlate for the changes to take effect!


cya


