Outbound Active FTP fails, inspect ftp is enabled

jcw009 · ‎02-21-2008

I am in the process of migrating from a checkpoint to an ASA5520. One issue that I haven't been able to resolve, yet, is that outbound active ftp sessions fail when using the global ip address. (I haven't tried a static nat, but I'm about to.)

I have inspect ftp in my global policy. Yet it still fails.

Heres the policy:

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

inspect ftp

!

service-policy global_policy global

-jeff

abinjola · ‎02-21-2008

I need output for sh service-policy, sh run service-pol and also sh xlate det | inc

jcw009 · ‎02-21-2008

asa1# sh service-policy

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns migrated_dns_map_1, packet 49102202, drop 34231, reset-drop 0

Inspect: h323 h225 _default_h323_map, packet 1, drop 0, reset-drop 0

Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: rsh, packet 1, drop 0, reset-drop 0

Inspect: rtsp, packet 1945114, drop 0, reset-drop 0

Inspect: sqlnet, packet 10, drop 0, reset-drop 0

Inspect: skinny, packet 48, drop 0, reset-drop 0

Inspect: sunrpc, packet 1, drop 0, reset-drop 0

Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Inspect: sip, packet 0, drop 0, reset-drop 0

Inspect: netbios, packet 98209, drop 0, reset-drop 0

Inspect: tftp, packet 0, drop 0, reset-drop 0

Inspect: icmp, packet 15650, drop 64, reset-drop 0

Inspect: icmp error, packet 222068, drop 1136, reset-drop 0

Inspect: ftp, packet 3297, drop 0, reset-drop 0

asa1#

asa1# sh ru service-policy

service-policy global_policy global

asa1#

asa1# sh xlate det | g 172.30.40.75

TCP PAT from inside:172.30.40.75/35331 to outside:24.97.121.10/41742 flags ri

TCP PAT from inside:172.30.40.75/60685 to outside:24.97.121.10/41617 flags ri

TCP PAT from inside:172.30.40.75/38949 to outside:24.97.121.10/31863 flags ri

TCP PAT from inside:172.30.40.75/59735 to outside:24.97.121.10/29149 flags ri

TCP PAT from inside:172.30.40.75/34158 to outside:24.97.121.10/28513 flags ri

TCP PAT from inside:172.30.40.75/34157 to outside:24.97.121.10/28509 flags ri

TCP PAT from inside:172.30.40.75/40128 to outside:24.97.121.10/21046 flags ri

TCP PAT from inside:172.30.40.75/51427 to outside:24.97.121.10/21045 flags ri

TCP PAT from inside:172.30.40.75/41908 to outside:24.97.121.10/21043 flags ri

TCP PAT from inside:172.30.40.75/50132 to outside:24.97.121.10/21040 flags ri

asa1#

I'm able to login with active ftp, but as soon as any data tries to move, ie dir/put/get command, session hangs.

Passive ftp is fine.

abinjola · ‎02-21-2008

I don't see any port 21 request in asa1# sh xlate det | g 172.30.40.75

What do you see in the logs ? , can you try from any other ftp client, core ftp client(do a google)

jwalker · ‎02-21-2008

Also, you should run the command show asp drop several times in succession. If you notice any counters rapidly increasingly, you can troubleshoot that specific issue.

Cheers.

Jay