Getting illegal port error while trying to access Outside FTP

slaider76
Level 1

I just set up an ASA 5505... the last issue I have is that I can't access FTP on the outside network.

Please see the config attached.

Thanks.

Accepted Solution

Rodrigo Gurriti
Level 3

Well, you've got a few weird things in this config:

1. Your global (outside) 1 has a wrong netmask.

2. You have no interface specified for inside, but you have a nat (inside).

3. You don't need these access lists, vengra_access_in and vengra_access_out.

When you do NAT, it allows anything from a higher-security interface (your int vengra) to any lower-security interface (outside).

Well, I saw a couple more weird options, but anyway I'll tell you why you cannot access FTP: you need a policy inspection.

Just type this as I have it here.

! Default ASA inspection policy; "inspect ftp" is the line that matters for this thread
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global

This is the default policy inspection for the ASA. I don't recommend you remove it; you may want to tweak it a little, but I would not take it out.

To get more information on FTP, go to http://slacksite.com/other/ftp.html

I also recommend you take a look at the types of firewall: packet filter, proxy filter and stateful packet filter.

PIXes and ASAs are stateful packet filters.

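The accepted answer says the fix is FTP inspection, but not why a stateful firewall needs it. The reason is that FTP negotiates its data connection inside the control channel: the client's PORT command (active mode) or the server's 227 reply (passive mode) carries an IP address and a port encoded as six decimal numbers, and the firewall has to read that to open the matching pinhole and, under NAT, rewrite the embedded inside address. The script below is an added example and is not part of the original thread or of the ASA; it models that control-channel parsing, the "advertised address must equal the control-connection peer" check that many FTP servers apply before honoring PORT (the usual origin of an "Illegal PORT" reply when a private address leaks through an un-inspected NAT), the address fix-up an ALG performs, and the pinhole the firewall must add. The addresses 10.0.0.5, 203.0.113.10 and 198.51.100.7 and the function names are constructed for the example.

```python
# Added example, not code from the original thread or from Cisco. Models what an
# FTP ALG such as the ASA's "inspect ftp" must do on the control channel so the
# separately negotiated data channel can cross a stateful, NAT-ing firewall.
# Sample addresses (10.0.0.5 inside, 203.0.113.10 translated, 198.51.100.7 server)
# are constructed documentation-range values.
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str            # "active": server connects back to client; "passive": client connects out
    host: IPv4Address    # address carried inside the control-channel message
    port: int            # TCP port carried inside the control-channel message (p1*256 + p2)


def _decode(groups):
    """Turn the six 'h1,h2,h3,h4,p1,p2' fields into an address and a port."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range")
    return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def parse_port_command(line: str) -> DataChannel:
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' (active mode)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _decode(m.groups())
    return DataChannel("active", host, port)


def parse_pasv_reply(line: str) -> DataChannel:
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' (passive mode)."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    host, port = _decode(m.groups())
    return DataChannel("passive", host, port)


def server_accepts_port(channel: DataChannel, control_peer: IPv4Address) -> bool:
    """The sanity check many FTP servers apply before honoring PORT: the advertised
    address must be the peer of the control connection and the port unprivileged.
    An inside RFC 1918 address leaking through an un-inspected NAT fails this."""
    return channel.mode == "active" and channel.host == control_peer and channel.port > 1023


def rewrite_port_command(line: str, translated: IPv4Address, translated_port: int) -> str:
    """What the ALG does under NAT: replace the embedded inside address/port with the
    translated pair so the server sees a reachable endpoint. (The TCP resequencing
    the firewall must also do when the segment changes length is not modeled.)"""
    parse_port_command(line)  # refuse to rewrite anything that is not a valid PORT
    octets = str(translated).split(".")
    return f"PORT {','.join(octets)},{translated_port // 256},{translated_port % 256}"


def pinhole(channel: DataChannel, client_translated: IPv4Address, server: IPv4Address) -> tuple:
    """The temporary flow the stateful firewall must admit for the data channel, as
    (src_host, src_port, dst_host, dst_port); src_port None means any port."""
    if channel.mode == "active":
        # Server opens the data connection from port 20 to the advertised endpoint.
        return (server, 20, channel.host, channel.port)
    # Passive: client opens the data connection to the port the server announced.
    return (client_translated, None, channel.host, channel.port)


if __name__ == "__main__":
    inside, translated, server = IPv4Address("10.0.0.5"), IPv4Address("203.0.113.10"), IPv4Address("198.51.100.7")
    raw = "PORT 10,0,0,5,4,1"                       # inside client advertises its private address
    print("server accepts un-inspected PORT:", server_accepts_port(parse_port_command(raw), translated))
    fixed = rewrite_port_command(raw, translated, 1025)
    print("after ALG rewrite:", fixed, "->", pinhole(parse_port_command(fixed), translated, server))
    pasv = parse_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,80).")
    print("passive data channel:", pinhole(pasv, translated, server))
```

Without the rewrite the server is told to connect to 10.0.0.5:1025, which is either unreachable or rejected outright; with it, the firewall both presents a reachable endpoint and knows exactly which inbound flow to permit. This is also why, as the answer says, an ACL alone does not fix active FTP: the data port is not known until the control channel has been read.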

5 Replies


Thanks. What are the other weird options you see?

Well, I added what you specified and it still does not seem to work... also, when I remove the vengra access list I can't get to the outside.

Using the GUI, when I specify the global pool it says the netmask is optional. I did not specify one, and I guess what you see is what it put in as a default... what do you recommend?

Thanks

Edit:

Apparently it did not keep what I put in... I saw it... I rebooted the appliance and it must have erased it...? I entered it through the GUI command line interface... I will try again.

I re-entered and saved, and it works.

Nothing serious, but for example:

mtu inside 1500
mtu outside 1500
mtu vengra 1500

It's not really needed.

PS. When you make changes to the NATting, do a clear xlate for the changes to take effect!

cya
