Urgent: Error when accessing outside FTP through ASA

Unanswered Question

I have been getting this error in the log when trying to access FTP outside our LAN. Could anyone tell me what's wrong?


6|Jul 04 2007 18:53:33|302013: Built outbound TCP connection 1601826 for outside:207.46.236.102/21 (207.46.236.102/21) to inside:192.168.1.199/14561 (38.103.153.130/23862)


Attached is my current config.



JBDanford2002 Wed, 07/04/2007 - 15:38
User Badges:

That's not an error. It's just a message saying a connection was established. Is there a problem with FTP? Was it working before? When did it stop working?
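To make the distinction JBDanford2002 draws concrete, here is an added example (written for this page, not code from the thread or from Cisco) that parses ASA messages in the "severity|timestamp|msgid: text" layout the poster pasted. The 302013 line is the one from the post; the 302014 teardown and 106023 access-group deny lines are constructed here so the classifier has something to separate. Only a deny for a destination port of 21 is reported as an FTP problem; a "Built ... connection" line is counted as normal activity.

```python
import re
from dataclasses import dataclass

# Constructed sample log. First line is from the original post; the teardown
# (302014) and deny (106023) lines are made up here to exercise the parser.
SAMPLE_LOG = """\
6|Jul 04 2007 18:53:33|302013: Built outbound TCP connection 1601826 for outside:207.46.236.102/21 (207.46.236.102/21) to inside:192.168.1.199/14561 (38.103.153.130/23862)
6|Jul 04 2007 18:53:39|302014: Teardown TCP connection 1601826 for outside:207.46.236.102/21 to inside:192.168.1.199/14561 duration 0:00:06 bytes 1842 TCP FINs
4|Jul 04 2007 18:54:02|106023: Deny tcp src inside:192.168.1.199/14562 dst outside:207.46.236.102/21 by access-group "inside" [0x0, 0x0]
"""

# ASDM-style envelope: <severity>|<timestamp>|<six-digit message id>: <text>
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<connid>\d+) "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([^)]*\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


@dataclass
class Event:
    severity: int
    msgid: str
    kind: str      # "built", "teardown", "deny" or "other"
    detail: dict   # named groups from the message-specific regex, if any


def parse_line(line):
    """Split one log line into an Event, or return None if it is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev, msgid, text = int(m.group("sev")), m.group("msgid"), m.group("text")
    if msgid == "302013":                      # connection built: informational, not an error
        b = BUILT_RE.match(text)
        return Event(sev, msgid, "built", b.groupdict() if b else {})
    if msgid == "302014":                      # connection torn down
        return Event(sev, msgid, "teardown", {})
    if msgid == "106023":                      # packet denied by an access-group
        d = DENY_RE.match(text)
        return Event(sev, msgid, "deny", d.groupdict() if d else {})
    return Event(sev, msgid, "other", {})


def summarize(log_text):
    """Count events per kind and list denies aimed at the FTP control port (21)."""
    counts = {"built": 0, "teardown": 0, "deny": 0, "other": 0}
    ftp_denies = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        counts[ev.kind] += 1
        if ev.kind == "deny" and ev.detail.get("dport") == "21":
            ftp_denies.append((ev.detail["sip"], ev.detail["dip"], ev.detail["acl"]))
    return counts, ftp_denies


if __name__ == "__main__":
    counts, denies = summarize(SAMPLE_LOG)
    print(counts)
    for src, dst, acl in denies:
        print(f"FTP control connection from {src} to {dst} denied by ACL {acl}")
```

Run against a real ASA syslog feed, the "built" count is just the firewall's normal bookkeeping; it is the 106023 entries (or the absence of any 302013 line for the FTP session) that point at a policy problem.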

srue Thu, 07/05/2007 - 05:47
User Badges:
  • Blue, 1500 points or more

Why is the following command configured?

no ftp mode passive

Try doing:

ftp mode passive

I had tried that and it made no difference. However, here's the latest.

class-map inspection-default
 match default-inspection-traffic
!
!
policy-map global-policy
 class inspection-default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect pptp
  inspect snmp
  inspect ctiqbe
  inspect ils
  inspect mgcp
  inspect icmp error
  inspect icmp
 class class-default
  csc fail-close
  inspect pptp
!
service-policy global-policy global


The above section was giving a lot of problems: HTTP access was messed up, such as trouble accessing gmail.com, and the ASA would reboot by itself. HTTP access to configure the ASA was messed up as well. I had to take that out for the ASA to work OK again.

Any idea why?


Then I added:

access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq ftp-data
access-group inside in interface inside


Now FTP works for most workstations on our LAN, except my PC, which worked perfectly before we installed the ASA.

Any idea?



Tshi M Thu, 07/05/2007 - 06:28
User Badges:
  • Silver, 250 points or more

Try removing your access-list inside. Traffic from the higher security level is always allowed. See if that helps.

acomiskey Thu, 07/05/2007 - 06:31
User Badges:
  • Green, 3000 points or more

If you look at his initial config he has the inside acl written perfectly. He is trying to limit outbound pptp, so he allowed pptp to 1 host, denied pptp to all others, then had a permit ip any any. This is why adding the ftp access in the acl makes no sense to me.
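To show the first-match behaviour acomiskey is relying on, here is an added example (written for this page; not the poster's config and not Cisco code) that models an inside ACL with the three entries he describes: PPTP permitted to one host, PPTP denied to everyone else, then permit ip any any. The 10.0.0.5 host and the sample addresses are constructed placeholders, since the real values are only in the attachment. The `shadowed_entries` check generalizes the point: any entry appended after a permit ip any any is unreachable, so the two FTP lines the poster added cannot change what the firewall does.

```python
from ipaddress import ip_address, ip_network

PPTP, FTP, FTP_DATA = 1723, 21, 20
ANY = ip_network("0.0.0.0/0")

# Hypothetical reconstruction of the inside ACL as described in the thread.
# Entry layout: (action, protocol, source, destination, destination port or None).
# 10.0.0.5 stands in for the one host allowed to use PPTP (placeholder value).
ACL = [
    ("permit", "tcp", "any", "10.0.0.5/32", PPTP),
    ("deny",   "tcp", "any", "any",         PPTP),
    ("permit", "ip",  "any", "any",         None),
]

# The two entries the poster appended; on the ASA they land after permit ip any any.
FTP_RULES = [
    ("permit", "tcp", "any", "any", FTP),
    ("permit", "tcp", "any", "any", FTP_DATA),
]


def _net(spec):
    """Translate the ACL keyword 'any' into 0.0.0.0/0; otherwise parse the prefix."""
    return ANY if spec == "any" else ip_network(spec)


def evaluate(acl, proto, src, dst, dport):
    """Return (action, index) of the first matching entry; implicit deny if nothing matches."""
    for idx, (action, aproto, asrc, adst, aport) in enumerate(acl):
        if aproto != "ip" and aproto != proto:   # 'ip' matches every IP protocol
            continue
        if ip_address(src) not in _net(asrc) or ip_address(dst) not in _net(adst):
            continue
        if aport is not None and aport != dport:
            continue
        return action, idx
    return "deny", None


def _covers(earlier, later):
    """True if every packet that matches `later` is already matched by `earlier`."""
    _, ep, es, ed, eport = earlier
    _, lp, ls, ld, lport = later
    proto_ok = ep == "ip" or ep == lp
    src_ok = _net(ls).subnet_of(_net(es))
    dst_ok = _net(ld).subnet_of(_net(ed))
    port_ok = eport is None or eport == lport
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed_entries(acl):
    """Map index of each unreachable entry to the earlier index that fully covers it."""
    out = {}
    for j in range(len(acl)):
        for i in range(j):
            if _covers(acl[i], acl[j]):
                out[j] = i
                break
    return out


if __name__ == "__main__":
    # Sample packets (constructed): an FTP control connection and two PPTP attempts.
    print(evaluate(ACL, "tcp", "192.168.1.199", "207.46.236.102", FTP))   # ('permit', 2)
    print(evaluate(ACL, "tcp", "192.168.1.199", "10.0.0.5", PPTP))        # ('permit', 0)
    print(evaluate(ACL, "tcp", "192.168.1.199", "203.0.113.9", PPTP))     # ('deny', 1)
    print(shadowed_entries(ACL + FTP_RULES))                               # {3: 2, 4: 2}
```

On the real box the same conclusion is visible in the hit counts of `show access-list`: entries that sit below permit ip any any never increment, which is a quick way to tell whether a change to the ACL could possibly explain a change in behaviour.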
