07-04-2007 03:07 PM - edited 03-11-2019 03:40 AM
I am getting this error in the log when trying to access FTP outside our LAN. Could anyone tell me what's wrong?
6|Jul 04 2007 18:53:33|302013: Built outbound TCP connection 1601826 for outside:207.46.236.102/21 (207.46.236.102/21) to inside:192.168.1.199/14561 (38.103.153.130/23862)
Attached is my current config.
07-04-2007 03:38 PM
That's not an error. It's just a message saying a connection was established. Is there a problem with FTP? Was it working before? When did it stop working?
07-04-2007 03:42 PM
The ASA was recently installed (this weekend). FTP has never worked since the first trial. I've dug up quite a bit and added the inspect ftp as well. So far no luck. I am not sure what I am missing.
We can browse the web, etc., but not FTP.
07-05-2007 05:47 AM
Why is the following command configured:
no ftp mode passive
Try doing:
ftp mode passive
07-05-2007 06:01 AM
I had tried that and it made no difference. However, here's the latest.
class-map inspection-default
 match default-inspection-traffic
!
!
policy-map global-policy
 class inspection-default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect pptp
  inspect snmp
  inspect ctiqbe
  inspect ils
  inspect mgcp
  inspect icmp error
  inspect icmp
 class class-default
  csc fail-close
  inspect pptp
!
service-policy global-policy global
The above section was giving a lot of problems: HTTP access was messed up, such as trouble accessing gmail.com, and the ASA would reboot by itself. HTTP access to configure the ASA was messed up as well. I had to take that out for the ASA to work OK again.
Any idea why?
Then I added:
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq ftp-data
access-group inside in interface inside
Now FTP works for most workstations on our LAN except my PC, which worked perfectly before we installed the ASA.
Any idea?
07-05-2007 06:28 AM
Try removing your access-list inside. Traffic from the higher security is always allowed. See if that helps.
07-05-2007 06:31 AM
If you look at his initial config, he has the inside ACL written perfectly. He is trying to limit outbound PPTP, so he allowed PPTP to 1 host, denied PPTP to all others, then had a permit ip any any. This is why adding the FTP access in the ACL makes no sense to me.
07-05-2007 07:08 AM
I am still puzzled as well. Now that it's working I can breathe a little.
Do you have any idea why the global-class inspection in the global policy would give such big problems before I removed it?
07-06-2007 08:06 AM
Latest development.
FTP is working without the ACL or inspect ftp. However, I can only browse dir, etc.; I can't do any file transfer.
I had to go into the Trend Micro web config of the CSC to disable file transfer scanning, then it's fine.
But that's not the way it should be. Any idea why?
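Added example, not part of the thread or anyone's post: a Python parser for the 302013 line quoted in the first post. It reads the leading 6 as the informational severity, separates real from mapped (NAT) addresses, and counts port-21 control connections versus other connections per client/server pair; the interface names inside/outside are taken from the posted line, and every log line after the first is constructed for illustration.

```python
import re

# Cisco syslog severity names; the leading "6" in the posted line is the level.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
# One endpoint: interface:real-ip/port (mapped-ip/port)
EP = (r"(?P<{0}_if>[^:\s]+):(?P<{0}_ip>[\d.]+)/(?P<{0}_port>\d+) "
      r"\((?P<{0}_nip>[\d.]+)/(?P<{0}_nport>\d+)\)")
BUILT = re.compile(
    r"^(?P<sev>[0-7])\|(?P<ts>[^|]+)\|302013: Built (?P<dir>inbound|outbound) "
    r"TCP connection (?P<id>\d+) for " + EP.format("a") + " to " + EP.format("b") + r"\s*$")

def parse_built(line):
    """Parse one 302013 line in the layout shown in the post; None if it does not match."""
    m = BUILT.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    ends = {g[k + "_if"]: {"real": (g[k + "_ip"], int(g[k + "_port"])),
                           "mapped": (g[k + "_nip"], int(g[k + "_nport"]))}
            for k in ("a", "b")}
    return {"severity": SEVERITY[int(g["sev"])], "direction": g["dir"],
            "conn_id": int(g["id"]), "ends": ends}

def ftp_sessions(lines):
    """Per (inside host, outside server): count port-21 control and other connections."""
    seen = {}
    for rec in filter(None, map(parse_built, lines)):
        ends = rec["ends"]
        if "inside" not in ends or "outside" not in ends:  # assumed interface names
            continue
        key = (ends["inside"]["real"][0], ends["outside"]["real"][0])
        # Any non-21 connection between the same pair is only a candidate data channel.
        kind = "control" if ends["outside"]["real"][1] == 21 else "data"
        seen.setdefault(key, {"control": 0, "data": 0})[kind] += 1
    return seen

PAGE_LINE = ("6|Jul 04 2007 18:53:33|302013: Built outbound TCP connection 1601826 for "
             "outside:207.46.236.102/21 (207.46.236.102/21) to "
             "inside:192.168.1.199/14561 (38.103.153.130/23862)")
# Constructed lines (not from the thread): a passive-mode data connection for the same
# client, and a second client that only ever opens the control channel.
SAMPLE = [PAGE_LINE,
          "6|Jul 04 2007 18:53:35|302013: Built outbound TCP connection 1601830 for "
          "outside:207.46.236.102/50210 (207.46.236.102/50210) to "
          "inside:192.168.1.199/14562 (38.103.153.130/23863)",
          "6|Jul 04 2007 18:54:02|302013: Built outbound TCP connection 1601841 for "
          "outside:192.0.2.10/21 (192.0.2.10/21) to "
          "inside:192.168.1.50/3301 (198.51.100.1/40112)"]
```

A pair that shows a control connection but a data count of 0 is the one to look at next in the ASA log.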