unable to add ftp passive mode

Tshi M

I am running an ASA version 7.2(1)13. I am unable to add ftp passive mode. One of our users is unable to use the command prompt with FTP, but using Explorer it works fine.


Tshi M

I noticed that the ASA is running in multiple context mode. The system context has the "ftp passive mode" in the configuration but while in any other context, the option is not there and I am unable to set it. Is this a limitation or am I missing something?

jojuarez

Hi,

That command doesn't have anything to do w/ FTP traffic through the firewall:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/ef_72.html#wp1743677

Check if FTP inspection is enabled although to be honest I don't think that's the issue as command prompt works fine. You can run some traffic captures, here's an example. Let's suppose the FTP server IP is 192.168.1.1 (inside) w/ public IP 60.1.1.1 and that you're on the outside using IP 90.1.1.1

access-l capout permit tcp host 90.1.1.1 host 60.1.1.1 eq 21
access-l capout permit tcp host 60.1.1.1 eq 21 host 90.1.1.1
access-l capin permit tcp host 90.1.1.1 host 192.168.1.1 eq 21
access-l capin permit tcp host 192.168.1.1 eq 21 host 90.1.1.1
capture capin access-l capin int inside packet 1522
capture capout access-l capout int outside packet 1522

Then try to communicate and check the traffic w/ "sh cap capin" and "sh cap capout"

I will give it a try, but my inside hosts are not statically NATed since we are using global outside. But the command prompt does not work fine (i.e. he is able to connect to the public FTP server but he cannot run any commands such as dir). Only when using Explorer or IE does it all work fine.

"command prompt does work fine (i.e. he is able to connect to the public ftp server but he cannot run any commands such as dir)"

This proves that the command-and-control port, TCP 21, is working. In the Windows command-line prompt, active FTP is the default, as seen below:

[root@LinuxES tmp]# tcpdump -i eth0 -n host 10.250.97.5 and not port 22 and not port 53
tcpdump: listening on eth0
12:59:25.494256 10.250.97.5.2692 > 192.168.15.10.ftp: S 2618926214:2618926214(0) win 65535 (DF)
12:59:25.494332 192.168.15.10.ftp > 10.250.97.5.2692: S 2423208956:2423208956(0) ack 2618926215 win 5840 (DF)
12:59:25.498603 10.250.97.5.2692 > 192.168.15.10.ftp: . ack 1 win 65535 (DF)
12:59:33.649037 192.168.15.10.ftp-data > 10.250.97.5.2696: S 2437470461:2437470461(0) win 5840 (DF)
12:59:33.655278 10.250.97.5.2696 > 192.168.15.10.ftp-data: S 522144158:522144158(0) ack 2437470462 win 65535 (DF)
12:59:33.655334 192.168.15.10.ftp-data > 10.250.97.5.2696: . ack 1 win 5840 (DF)
12:59:33.655429 192.168.15.10.ftp > 10.250.97.5.2692: P 190:229(39) ack 77 win 5840 (DF)
12:59:33.655878 192.168.15.10.ftp > 10.250.97.5.2692: P 229:253(24) ack 77 win 5840 (DF)
12:59:33.655924 192.168.15.10.ftp-data > 10.250.97.5.2696: F 1:1(0) ack 1 win 5840 (DF) [tos 0x8]
12:59:33.662853 10.250.97.5.2696 > 192.168.15.10.ftp-data: . ack 2 win 65535 (DF)
12:59:33.663533 192.168.15.10.ftp-data > 10.250.97.5.2696: . ack 2 win 5840 (DF)

What it means is that TCP port 20 from the server will initiate a connection back to the client's high random port, as seen above ("ftp-data back to 2696" of the client). At this point the FTP server is the client and the client is now the server. Confusing, isn't it?

To fix your problem at hand, do the following:

fixup protocol ftp 21

This is a legacy command in version 6.x, but versions 7.x and 8.x will accept this command and convert it to MPF.

If you do not want to do that, then make everything "passive". That way, the client, which is behind the firewall, will initiate two different connections:

client ---> FTP server (client is a high random port, server is TCP port 21),
client ---> FTP server (client is a high random port, server is a random high TCP port).

That way, you put the burden on the FTP server and the firewall sitting in front of the FTP server. It is now no longer your problem.

My preferred method of file transfer is either secure copy (scp) or Secure FTP (SFTP), which runs on a single TCP port, 22 (aka SSH). This is much more secure, especially when transferring corporate data over the Internet.

You can test passive FTP from the Windows command line too, with the command "literal pasv", as seen below:

C:\temp>ftp 199.0.216.222
Connected to 199.0.216.222.
220 (vsFTPd 1.2.0)
User (199.0.216.222:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> bin
200 Switching to Binary mode.
ftp> prompt
Interactive mode Off .
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> literal pasv
227 Entering Passive Mode (199,0,216,222,8,64)
ftp> ls *.tgz
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls *.gz
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
CCAAgentSetup-4.0.2.0.tar.gz
SNMP_Session-1.07.tar.gz
iperf-2.0.2.tar.gz
rancid-2.3.1.tar.gz
roguescanner-2.5.0.12614.tar.gz
226 Directory send OK.
ftp: 251 bytes received in 0.00Seconds 251000.00Kbytes/sec.
ftp> quit
221 Goodbye.
C:\temp>

Last but not least, if all else fails, dump the Cisco firewall and get yourself a Juniper firewall. LOL

CCIE Security
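As an added illustration of the two replies above (the active-FTP tcpdump trace and the "literal pasv" session), here is a small Python script; it is not code from this thread or from Cisco. It does the two things an FTP-aware firewall such as the ASA's inspect ftp has to do: read the client's PORT command or the server's 227 reply off the control channel to learn which side will open the data connection and to which ip:port, and flag the case where the advertised address is not the control-channel peer (the NAT situation, where inspection has to rewrite the address). It also scans tcpdump lines for a bare SYN that is not to port 21, which is how you spot the server-initiated data connection in the trace. The PORT line "10,250,97,5,10,136" is constructed to match client port 2696 from the trace; the trace lines are the SYN/SYN-ACK lines quoted from the reply above.

```python
# Added example, not from the original thread or from Cisco: what an
# FTP-aware firewall ("inspect ftp" / "fixup protocol ftp 21") has to learn
# from the control channel to open the data channel, and a check of a
# tcpdump trace for which side opened the data connection.
import re
from dataclasses import dataclass
from typing import Optional

# Server reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> passive mode.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command "PORT h1,h2,h3,h4,p1,p2" -> active mode.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# tcpdump line "<time> <ip>.<port> > <ip>.<port>: S <seq>:<seq>(0) ..." with
# no "ack" after the SYN, i.e. the first packet of a new TCP connection.
SYN_RE = re.compile(r"^\S+\s+(\S+)\s+>\s+(\S+):\s+S\s+\d+:\d+\(\d+\)\s+(?!ack\b)")


def decode_hostport(fields):
    """Turn the six decimal fields of PORT/PASV into (ip, port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range: {fields}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class DataChannel:
    mode: str                 # "active" or "passive"
    initiator: str            # side that sends the SYN for the data connection
    src_port: Optional[int]   # 20 (ftp-data) in active mode, unknown in passive
    dst_ip: str
    dst_port: int
    addr_mismatch: bool       # advertised IP differs from the control-channel
                              # peer (typical when NAT sits between the two)


def data_channel(control_line, client_ip, server_ip):
    """Parse one control-channel line and return the data channel it sets up,
    or None for lines that do not announce one."""
    m = PASV_RE.match(control_line)
    if m:
        ip, port = decode_hostport(m.groups())
        # Passive: the client opens the connection to the advertised server ip:port.
        return DataChannel("passive", "client", None, ip, port, ip != server_ip)
    m = PORT_RE.match(control_line)
    if m:
        ip, port = decode_hostport(m.groups())
        # Active: the server opens the connection from tcp/20 to the client ip:port.
        return DataChannel("active", "server", 20, ip, port, ip != client_ip)
    return None


def data_connection_openers(trace_lines):
    """Return (src_ip, src_port, dst_ip, dst_port) for every bare SYN in the
    trace that is not aimed at the control port: who opened each data channel."""
    openers = []
    for line in trace_lines:
        m = SYN_RE.match(line)
        if not m:
            continue
        src_ip, src_port = m.group(1).rsplit(".", 1)
        dst_ip, dst_port = m.group(2).rsplit(".", 1)
        if dst_port in ("ftp", "21"):
            continue  # control channel, covered by the normal outbound rule
        openers.append((src_ip, src_port, dst_ip, dst_port))
    return openers


# Constructed sample: the SYN / SYN-ACK lines of the active-FTP trace above.
SAMPLE_TRACE = [
    "12:59:25.494256 10.250.97.5.2692 > 192.168.15.10.ftp: S 2618926214:2618926214(0) win 65535 (DF)",
    "12:59:25.494332 192.168.15.10.ftp > 10.250.97.5.2692: S 2423208956:2423208956(0) ack 2618926215 win 5840 (DF)",
    "12:59:33.649037 192.168.15.10.ftp-data > 10.250.97.5.2696: S 2437470461:2437470461(0) win 5840 (DF)",
    "12:59:33.655278 10.250.97.5.2696 > 192.168.15.10.ftp-data: S 522144158:522144158(0) ack 2437470462 win 65535 (DF)",
]

if __name__ == "__main__":
    client, server = "10.250.97.5", "192.168.15.10"
    # PORT line constructed to match client port 2696 from the trace (10*256+136).
    print(data_channel("PORT 10,250,97,5,10,136", client, server))
    print(data_channel("227 Entering Passive Mode (199,0,216,222,8,64)", client, "199.0.216.222"))
    # Passive reply carrying a private address behind NAT: inspection has to rewrite it.
    print(data_channel("227 Entering Passive Mode (192,168,1,1,8,64)", "90.1.1.1", "60.1.1.1"))
    for opener in data_connection_openers(SAMPLE_TRACE):
        print("data connection opened by", opener)
```

The 227 reply from the session above decodes to 199.0.216.222 port 8*256+64 = 2112, which the client connects to; the PORT line decodes to 10.250.97.5:2696, which the server connects to from port 20, and that is the SYN the trace scan reports. With the server on the inside behind a "global" NAT, as in the earlier reply, the 227 reply carries the private 192.168.1.1 and addr_mismatch is set; that rewrite is the part only inspection on the control channel can do for you.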

I already have inspect ftp, so I cannot use fixup protocol ftp 21. I also don't understand the following command:

"client ---> FTP server (client is high-random port, server is port tcp 21,

client ---> FTP server (client is high-random port, server is random high tcp port),"

What exactly do you mean? I tried the commands that you suggested, to no avail.
