02-21-2008 08:13 AM - edited 03-11-2019 05:06 AM
I am in the process of migrating from a checkpoint to an ASA5520. One issue that I haven't been able to resolve, yet, is that outbound active ftp sessions fail when using the global ip address. (I haven't tried a static nat, but I'm about to.)
I have inspect ftp in my global policy. Yet it still fails.
Here's the policy:
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ftp
!
service-policy global_policy global
-jeff
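The symptom in this post (login works, the first dir/put/get hangs, passive is fine) is the classic signature of active-mode FTP behind PAT without a working FTP fixup: the client's PORT command carries its own inside address in the control channel, so unless the firewall rewrites it and opens a pinhole, the server tries to connect back to an RFC 1918 address. The following Python model, added here and not part of the thread, parses the RFC 959 PORT and 227 encodings and shows what an FTP ALG such as the ASA's inspect ftp has to do to the PORT command. It uses the inside host and global address quoted in the thread; the PAT port and the PORT command itself are constructed values, and the rewrite logic is an illustration of the general requirement, not the ASA's own implementation.

```python
import re

# Addresses from the thread: the inside FTP client and the PAT global address.
INSIDE_HOST = "172.30.40.75"
GLOBAL_ADDR = "24.97.121.10"
# Constructed: the outside port the PAT device would allocate for the data-channel pinhole.
PAT_DATA_PORT = 41742

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")


def _decode(groups):
    """Turn the six RFC 959 octets into (ip, port); None if any octet is out of range."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        return None
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]


def parse_port_command(line):
    """Client -> server: an active-mode PORT carries the CLIENT's own address and port."""
    m = PORT_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def parse_pasv_reply(line):
    """Server -> client: a passive-mode 227 reply carries the SERVER's address and port.
    The client then opens the data connection outbound, so ordinary PAT already works."""
    m = PASV_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def format_port_command(ip, port):
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def fixup_port_command(line, inside_host, global_addr, pat_port):
    """Model of what an FTP ALG must do for active mode behind PAT: rewrite the embedded
    private address/port to the global address and a PAT port, and record the pinhole
    that lets the server's inbound data connection through and translates it back.
    Returns (rewritten_line, pinhole), or (line, None) when the line needs no rewrite."""
    parsed = parse_port_command(line)
    if parsed is None or parsed[0] != inside_host:
        return line, None
    real_ip, real_port = parsed
    pinhole = {
        "outside_dst": (global_addr, pat_port),  # where the server will connect
        "inside_dst": (real_ip, real_port),      # what that connection is translated to
    }
    return format_port_command(global_addr, pat_port), pinhole


def data_connection_target(line, inspected):
    """Where the FTP server will try to open the active-mode data connection, with and
    without the fixup. Without it the server is handed the RFC 1918 address, which is
    unreachable from the Internet: the login succeeds and the first transfer hangs."""
    if inspected:
        rewritten, _ = fixup_port_command(line, INSIDE_HOST, GLOBAL_ADDR, PAT_DATA_PORT)
        return parse_port_command(rewritten)
    return parse_port_command(line)


if __name__ == "__main__":
    cmd = "PORT 172,30,40,75,138,19"  # constructed active-mode command from the inside client
    print("without fixup, server connects to:", data_connection_target(cmd, False))
    print("with fixup,    server connects to:", data_connection_target(cmd, True))
    print("passive reply, client connects to:",
          parse_pasv_reply("227 Entering Passive Mode (24,97,121,10,163,14)"))
```

The check this suggests for the real device is whether the control channel is actually hitting the inspection engine: if the FTP session is not on port 21 (the match default-inspection-traffic port for ftp), or the connection is not visible in show xlate as the later reply points out, the PORT command goes through unmodified and the server ends up in the "without fixup" branch above.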
02-21-2008 08:42 AM
I need output for sh service-policy, sh run service-pol and also sh xlate det | inc
02-21-2008 09:23 AM
asa1# sh service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns migrated_dns_map_1, packet 49102202, drop 34231, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 1, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 1, drop 0, reset-drop 0
      Inspect: rtsp, packet 1945114, drop 0, reset-drop 0
      Inspect: sqlnet, packet 10, drop 0, reset-drop 0
      Inspect: skinny, packet 48, drop 0, reset-drop 0
      Inspect: sunrpc, packet 1, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 98209, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 15650, drop 64, reset-drop 0
      Inspect: icmp error, packet 222068, drop 1136, reset-drop 0
      Inspect: ftp, packet 3297, drop 0, reset-drop 0
asa1#
asa1# sh ru service-policy
service-policy global_policy global
asa1#
asa1# sh xlate det | g 172.30.40.75
TCP PAT from inside:172.30.40.75/35331 to outside:24.97.121.10/41742 flags ri
TCP PAT from inside:172.30.40.75/60685 to outside:24.97.121.10/41617 flags ri
TCP PAT from inside:172.30.40.75/38949 to outside:24.97.121.10/31863 flags ri
TCP PAT from inside:172.30.40.75/59735 to outside:24.97.121.10/29149 flags ri
TCP PAT from inside:172.30.40.75/34158 to outside:24.97.121.10/28513 flags ri
TCP PAT from inside:172.30.40.75/34157 to outside:24.97.121.10/28509 flags ri
TCP PAT from inside:172.30.40.75/40128 to outside:24.97.121.10/21046 flags ri
TCP PAT from inside:172.30.40.75/51427 to outside:24.97.121.10/21045 flags ri
TCP PAT from inside:172.30.40.75/41908 to outside:24.97.121.10/21043 flags ri
TCP PAT from inside:172.30.40.75/50132 to outside:24.97.121.10/21040 flags ri
asa1#
I'm able to log in with active ftp, but as soon as any data tries to move, i.e. a dir/put/get command, the session hangs.
Passive ftp is fine.
02-21-2008 09:32 AM
I don't see any port 21 request in asa1# sh xlate det | g 172.30.40.75
What do you see in the logs? Can you try from any other ftp client, e.g. Core FTP client (do a google)?
02-21-2008 11:16 AM
Also, you should run the command show asp drop several times in succession. If you notice any counters rapidly increasing, you can troubleshoot that specific issue.
Cheers.
Jay
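Running show asp drop "several times in succession" and spotting the counter that moves is easier when the two captures are diffed rather than eyeballed. The script below is an added example, not something from the thread or from Cisco: it parses two pasted snapshots in the layout of show asp drop (reason text, the short counter name in parentheses, then the count) and lists the counters that rose by more than a threshold between them. The two snapshots are constructed sample text with only a handful of the counters a real ASA prints; the counter names used are illustrative and nothing here says which of them applies to this FTP problem.

```python
import re

# Constructed sample snapshots in the layout of "show asp drop". A real capture has many
# more counters; only the lines with a "(short-name)   count" tail are parsed.
SNAPSHOT_1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                            2342
  First TCP packet not SYN (tcp-not-syn)                                   115
  No valid adjacency (no-adjacency)                                          3

Flow drop:
  Inspection failure (inspect-fail)                                          7
"""

SNAPSHOT_2 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                            2344
  First TCP packet not SYN (tcp-not-syn)                                   415
  No valid adjacency (no-adjacency)                                          3

Flow drop:
  Inspection failure (inspect-fail)                                          7
"""

COUNTER_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[^)]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Map each drop-reason short name to (description, count). Section headers such as
    'Frame drop:' carry no parenthesised name and are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = (m.group("desc"), int(m.group("count")))
    return counters


def counter_deltas(before, after):
    """Per-counter increase between two snapshots; a counter absent earlier counts from 0."""
    deltas = {}
    for name, (desc, count) in after.items():
        prev = before.get(name, (desc, 0))[1]
        deltas[name] = count - prev
    return deltas


def rising_counters(before_text, after_text, threshold):
    """Return [(name, description, delta)] for counters that rose by at least `threshold`
    between the two captures, largest increase first. Those are the ones to chase next."""
    before, after = parse_asp_drop(before_text), parse_asp_drop(after_text)
    deltas = counter_deltas(before, after)
    hits = [(n, after[n][0], d) for n, d in deltas.items() if d >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for name, desc, delta in rising_counters(SNAPSHOT_1, SNAPSHOT_2, threshold=50):
        print(f"{name:16s} +{delta:<6d} {desc}")
```

Take the captures a fixed interval apart while reproducing the failing transfer, so that a jump in one counter can be tied to the hang rather than to background traffic; a counter that climbs steadily in both idle and failing windows is noise for this problem.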