Urgent: Error when accessing outside FTP through ASA

kpoon (Level 1)

I have been getting this error in the log when trying to access FTP outside our LAN. Could anyone tell me what's wrong?

6|Jul 04 2007 18:53:33|302013: Built outbound TCP connection 1601826 for outside:207.46.236.102/21 (207.46.236.102/21) to inside:192.168.1.199/14561 (38.103.153.130/23862)

Attached is my current config.

8 Replies

JBDanford2002 (Level 1)

That's not an error. It's just a message saying a connection was established. Is there a problem with FTP? Was it working before? When did it stop working?
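The point of the reply above is that the quoted line is a level-6 (informational) "Built connection" message, not a failure. The following is an added example, not code from this thread or from Cisco: a small parser for ASA log lines in the "<severity>|<timestamp>|<message-id>: <text>" layout the poster used. It pulls out the severity, the message ID, the connection direction and both endpoints, and shows that the inside host was PATed (the address in parentheses is the mapped one). The severity table is standard syslog numbering; the message-ID table is a subset I chose for this thread; SAMPLE is the line from the first post and DENIED is a constructed line for contrast.

```python
"""Decode the ASA log line quoted in the first post.

Added example; it is not code from the thread or from Cisco. The severity
table is standard syslog numbering, the message-ID table is a small subset
chosen for this thread, and every log line except SAMPLE (copied from the
post) is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Subset of ASA message IDs (assumption: enough to classify this thread's lines).
MESSAGE_IDS = {302013: "Built TCP connection", 302014: "Teardown TCP connection",
               302015: "Built UDP connection", 302016: "Teardown UDP connection",
               106023: "Deny by access-group"}

# Layout used in the post: "<severity>|<timestamp>|<message-id>: <text>"
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}):\s*(?P<text>.*)$")
BUILT_RE = re.compile(r"^Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
                      r"connection (?P<conn_id>\d+) for (?P<rest>.*)$")
# "<interface>:<real-ip>/<real-port> (<mapped-ip>/<mapped-port>)"
ENDPOINT_RE = re.compile(r"(?P<iface>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+)\s+"
                         r"\((?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)\)")


@dataclass
class Endpoint:
    iface: str
    real_ip: str
    real_port: int
    mapped_ip: str      # address after NAT/PAT; equals real_ip when untranslated
    mapped_port: int

    def translated(self) -> bool:
        return (self.real_ip, self.real_port) != (self.mapped_ip, self.mapped_port)


@dataclass
class AsaEvent:
    severity: int
    severity_name: str
    msgid: int
    meaning: str
    direction: Optional[str] = None
    proto: Optional[str] = None
    conn_id: Optional[int] = None
    endpoints: Tuple[Endpoint, ...] = ()   # in the order the ASA printed them

    def is_error(self) -> bool:
        # Only levels 0-3 are error conditions; level 6 is purely informational.
        return self.severity <= 3


def parse_asa_line(line: str) -> AsaEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA log line: {line!r}")
    sev, msgid = int(m["sev"]), int(m["msgid"])
    ev = AsaEvent(sev, SEVERITY[sev], msgid, MESSAGE_IDS.get(msgid, "unknown message"))
    b = BUILT_RE.match(m["text"])
    if b:
        ev.direction, ev.proto, ev.conn_id = b["direction"], b["proto"], int(b["conn_id"])
        ev.endpoints = tuple(
            Endpoint(e["iface"], e["real_ip"], int(e["real_port"]),
                     e["mapped_ip"], int(e["mapped_port"]))
            for e in ENDPOINT_RE.finditer(b["rest"]))
    return ev


def endpoint_on(ev: AsaEvent, iface: str) -> Optional[Endpoint]:
    return next((e for e in ev.endpoints if e.iface == iface), None)


def describe(line: str) -> str:
    ev = parse_asa_line(line)
    verdict = "ERROR" if ev.is_error() else "not an error"
    s = f"{ev.msgid} ({ev.severity_name}): {ev.meaning} -> {verdict}"
    inside = endpoint_on(ev, "inside")
    if inside and inside.translated():
        s += (f"; inside host {inside.real_ip}:{inside.real_port} "
              f"PATed to {inside.mapped_ip}:{inside.mapped_port}")
    return s


# Copied from the first post.
SAMPLE = ("6|Jul 04 2007 18:53:33|302013: Built outbound TCP connection 1601826 for "
          "outside:207.46.236.102/21 (207.46.236.102/21) to inside:192.168.1.199/14561 "
          "(38.103.153.130/23862)")
# Constructed for contrast: the shape of a real block by an inside ACL.
DENIED = ('4|Jul 04 2007 18:55:01|106023: Deny tcp src inside:192.168.1.199/14562 '
          'dst outside:207.46.236.102/21 by access-group "inside"')

if __name__ == "__main__":
    for line in (SAMPLE, DENIED):
        print(describe(line))
```

Run as-is it prints one line per sample; the first reports "not an error" and shows 192.168.1.199:14561 being PATed to 38.103.153.130:23862, which is exactly what a working outbound FTP control connection through the ASA looks like.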

The ASA was recently installed (this weekend). FTP has never worked since the first trial. I've dug up quite a bit and added the inspect ftp as well. So far no luck. I am not sure what I am missing.

We can browse the web, etc., but not FTP.

Why is the following command configured:

no ftp mode passive

Try doing:

ftp mode passive

I had tried that and it made no difference. However, here's the latest.

class-map inspection-default
 match default-inspection-traffic
!
!
policy-map global-policy
 class inspection-default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect pptp
  inspect snmp
  inspect ctiqbe
  inspect ils
  inspect mgcp
  inspect icmp error
  inspect icmp
 class class-default
  csc fail-close
  inspect pptp
!
service-policy global-policy global

The above section was giving a lot of problems: HTTP access was messed up, such as trouble accessing gmail.com, and the ASA would reboot by itself. HTTP access to configure the ASA was messed up as well. I had to take that out for the ASA to work OK again.

Any idea why?

Then I added:

access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq ftp-data
access-group inside in interface inside

Now FTP works for most workstations on our LAN except my PC, which worked perfectly before we installed the ASA.

Any idea?

Try removing your access-list inside. Traffic from the higher security level is always allowed. See if that helps.

If you look at his initial config, he has the inside ACL written perfectly. He is trying to limit outbound PPTP, so he allowed PPTP to one host, denied PPTP to all others, then had a permit ip any any. This is why adding the FTP access in the ACL makes no sense to me.
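The reply above rests on two ASA behaviours: an interface ACL is evaluated first-match, and a trailing permit ip any any already matches TCP/21 and TCP/20, so FTP entries appended after it can never be reached. The following is an added example, not code from this thread or from Cisco, that models that evaluation. The three-line ACL is constructed from the description in the reply (the poster's attached config is not on the page), so the permitted PPTP host 192.168.1.50 and the test packets are assumptions; the two FTP lines are the ones the poster added, and the ASA appends new ACEs at the end of an existing list.

```python
"""First-match evaluation of an ASA interface ACL.

Added example; not code from the thread or from Cisco. The three-line ACL
is constructed from the description in the reply above (PPTP permitted for
one host, denied for everyone else, then permit ip any any); the host
192.168.1.50 and the test packets are assumptions, not taken from the
poster's attached config.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PORTS = {"ftp-data": 20, "ftp": 21, "www": 80, "pptp": 1723}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" | "deny"
    proto: str               # "ip" matches any protocol
    src: str                 # CIDR or "addr/mask"; 0.0.0.0/0 for "any"
    dst: str
    dport: Optional[int]     # None = any destination port

    @classmethod
    def parse(cls, text: str) -> "Ace":
        """Parse 'access-list NAME permit tcp any host A.B.C.D eq ftp'."""
        tok = text.split()
        if tok[0] != "access-list":
            raise ValueError(text)
        action, proto, i = tok[2], tok[3], 4
        src, i = cls._addr(tok, i)
        dst, i = cls._addr(tok, i)
        dport = None
        if i + 1 < len(tok) and tok[i] == "eq":
            dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
        return cls(action, proto, src, dst, dport)

    @staticmethod
    def _addr(tok: List[str], i: int) -> Tuple[str, int]:
        if tok[i] == "any":
            return "0.0.0.0/0", i + 1
        if tok[i] == "host":
            return tok[i + 1] + "/32", i + 2
        return f"{tok[i]}/{tok[i + 1]}", i + 2     # "addr mask" form

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src, strict=False)
                and ip_address(p.dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Ace") -> bool:
        """True if every packet matching `other` already matches self."""
        return (self.proto in ("ip", other.proto)
                and ip_network(other.src, strict=False).subnet_of(ip_network(self.src, strict=False))
                and ip_network(other.dst, strict=False).subnet_of(ip_network(self.dst, strict=False))
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins. With no ACL bound to the interface the ASA lets
    traffic from the higher-security (inside) interface out by default; once an
    ACL is bound, anything unmatched hits the implicit deny at the end."""
    if not acl:
        return "permit", None
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never match because an earlier ACE covers them."""
    return [j for j, ace in enumerate(acl) if any(acl[i].covers(ace) for i in range(j))]


# Constructed to match the reply's description of the original inside ACL.
ORIGINAL = [Ace.parse(l) for l in (
    "access-list inside permit tcp host 192.168.1.50 any eq pptp",   # assumed host
    "access-list inside deny tcp any any eq pptp",
    "access-list inside permit ip any any",
)]
# The two lines the poster added; the ASA appends new ACEs after the existing ones.
WITH_FTP = ORIGINAL + [Ace.parse(l) for l in (
    "access-list inside permit tcp any any eq ftp",
    "access-list inside permit tcp any any eq ftp-data",
)]

FTP_CONTROL = Packet("tcp", "192.168.1.199", "207.46.236.102", 21)   # from the posted log line
PPTP_FROM_OTHER = Packet("tcp", "192.168.1.199", "203.0.113.9", 1723)  # constructed
PPTP_FROM_ALLOWED = Packet("tcp", "192.168.1.50", "203.0.113.9", 1723)  # constructed

if __name__ == "__main__":
    print(evaluate(ORIGINAL, FTP_CONTROL), evaluate(WITH_FTP, FTP_CONTROL), shadowed(WITH_FTP))
```

Both ACL versions permit the FTP control packet at the same ACE (the permit ip any any), and the two FTP lines show up as shadowed, which is the reply's point: they cannot be what changed FTP behaviour. The shadow check is deliberately simple (one earlier ACE must cover the whole later one), which is enough for this ACL but would miss entries covered only by a combination of earlier lines.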

I am still puzzled as well. Now that it's working, I can breathe a little.

Do you have any idea why the global-class inspection in the global policy would give such big problems before I removed it?

Latest development.

FTP is working without the ACL or inspect ftp. However, I can only browse directories, etc.; I can't do any file transfer.

I had to go into the Trend Micro web config of the CSC to disable file transfer scanning; then it's fine.

But that's not the way it should be. Any idea why?
