03-07-2008 11:53 AM - edited 03-11-2019 05:14 AM
I am running an ASA version 7.2(1)13. I am unable to add ftp passive mode. One of our users is unable to use the command prompt with ftp, but using Explorer it works fine.
03-07-2008 01:31 PM
I noticed that the ASA is running in multiple context mode. The system context has the "ftp passive mode" in the configuration but while in any other context, the option is not there and I am unable to set it. Is this a limitation or am I missing something?
03-08-2008 08:08 PM
Hi,
That command doesn't have anything to do w/ FTP traffic through the firewall:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/ef_72.html#wp1743677
Check if FTP inspection is enabled although to be honest I don't think that's the issue as command prompt works fine. You can run some traffic captures, here's an example. Let's suppose the FTP server IP is 192.168.1.1 (inside) w/ public IP 60.1.1.1 and that you're on the outside using IP 90.1.1.1
access-l capout permit tcp host 90.1.1.1 host 60.1.1.1 eq 21
access-l capout permit tcp host 60.1.1.1 eq 21 host 90.1.1.1
access-l capin permit tcp host 90.1.1.1 host 192.168.1.1 eq 21
access-l capin permit tcp host 192.168.1.1 eq 21 host 90.1.1.1
capture capin access-l capin int inside packet 1522
capture capout access-l capout int outside packet 1522
Then try to communicate and check the traffic w/ "sh cap capin" and "sh cap capout"
03-09-2008 08:27 AM
I will give it a try, but my inside hosts are not statically NATed since we are using global outside. But the command prompt does not work fine (i.e. he is able to connect to the public ftp server but he cannot run any commands such as dir). Only when using Explorer or IE does everything work fine.
03-09-2008 10:14 AM
"command prompt does work fine (i.e. he is able to connect to the public ftp server but he cannot run any commands such as dir)"
This proves that the command and control port, tcp 21, is working. In the Windows command line prompt, active ftp is the default, as seen below:
[root@LinuxES tmp]# tcpdump -i eth0 -n host 10.250.97.5 and not port 22 and not port 53
tcpdump: listening on eth0
12:59:25.494256 10.250.97.5.2692 > 192.168.15.10.ftp: S 2618926214:2618926214(0) win 65535
12:59:25.494332 192.168.15.10.ftp > 10.250.97.5.2692: S 2423208956:2423208956(0) ack 2618926215 win 5840
12:59:25.498603 10.250.97.5.2692 > 192.168.15.10.ftp: . ack 1 win 65535 (DF)
12:59:33.649037 192.168.15.10.ftp-data > 10.250.97.5.2696: S 2437470461:2437470461(0) win 5840
12:59:33.655278 10.250.97.5.2696 > 192.168.15.10.ftp-data: S 522144158:522144158(0) ack 2437470462 win 65535
12:59:33.655334 192.168.15.10.ftp-data > 10.250.97.5.2696: . ack 1 win 5840
12:59:33.655429 192.168.15.10.ftp > 10.250.97.5.2692: P 190:229(39) ack 77 win 5840 (DF)
12:59:33.655878 192.168.15.10.ftp > 10.250.97.5.2692: P 229:253(24) ack 77 win 5840 (DF)
12:59:33.655924 192.168.15.10.ftp-data > 10.250.97.5.2696: F 1:1(0) ack 1 win 5840
12:59:33.662853 10.250.97.5.2696 > 192.168.15.10.ftp-data: . ack 2 win 65535
12:59:33.663533 192.168.15.10.ftp-data > 10.250.97.5.2696: . ack 2 win 5840
What it means is that tcp port 20 from the server will initiate a connection back to the client's high random port, as seen above ("ftp-data back to 2696" of the client). At this point, the ftp server is the client and the client is now the server. Confusing, isn't it?
To fix your problem at hand, do the following:
fixup protocol ftp 21
This is a legacy command in version 6.x, but versions 7.x and 8.x will accept this command and convert it to MPF.
If you do not want to do that, then make everything "passive". That way, the client, which is behind the firewall, will initiate two different connections:
client ---> FTP server (client is high-random port, server is port tcp 21),
client ---> FTP server (client is high-random port, server is random high tcp port).
That way, you put the burden on the ftp server and the firewall sitting in front of
the ftp server. It is now no longer your problem.
My preferred method of file transfer is either Secure Copy (scp) or Secure FTP (sFTP), which runs on a single tcp port 22 (aka ssh). This is much more secure, especially when transferring corporate data over the Internet.
You can test FTP on windows command line with passive ftp too, with
the command "literal pasv", as seen below:
C:\temp>ftp 199.0.216.222
Connected to 199.0.216.222.
220 (vsFTPd 1.2.0)
User (199.0.216.222:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> bin
200 Switching to Binary mode.
ftp> prompt
Interactive mode Off .
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> literal pasv
227 Entering Passive Mode (199,0,216,222,8,64)
ftp> ls *.tgz
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls *.gz
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
CCAAgentSetup-4.0.2.0.tar.gz
SNMP_Session-1.07.tar.gz
iperf-2.0.2.tar.gz
rancid-2.3.1.tar.gz
roguescanner-2.5.0.12614.tar.gz
226 Directory send OK.
ftp: 251 bytes received in 0.00Seconds 251000.00Kbytes/sec.
ftp> quit
221 Goodbye.
C:\temp>
Last but not least, if all else fails, dump the Cisco firewall and
get yourself a Juniper firewall. LOL
CCIE Security
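As an added illustration of the active/passive point made in the post above (my own example, not code from this thread or from Cisco): the data connection is negotiated in-band on tcp 21, so a firewall can only open the right pinhole if it reads the PORT command or the 227 reply from the control channel, which is what "inspect ftp" / "fixup protocol ftp 21" does. The sample lines are constructed from the session and tcpdump shown in the thread; a PORT address that does not match the control-channel peer is what an un-inspected NATed client produces, and the server's connection back then goes nowhere.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines, modelled on this thread's sessions
# (not captured from the poster's network).
PASV_REPLY = "227 Entering Passive Mode (199,0,216,222,8,64)"   # 8*256+64 = port 2112
PORT_CMD = "PORT 10,250,97,5,10,136"                            # 10*256+136 = port 2696

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str                # "active" or "passive"
    initiator: str           # which side opens the data TCP connection
    dst_ip: str              # address the initiator must reach
    dst_port: int            # port the initiator must reach
    addr_matches_peer: bool  # advertised IP equals the control-channel peer?


def parse_hostport(text):
    """Decode the FTP h1,h2,h3,h4,p1,p2 encoding used by PORT and by 227 replies."""
    m = _TUPLE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("byte out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def expected_data_channel(line, client_ip, server_ip):
    """Work out which data connection a firewall must allow for one control line.

    client_ip/server_ip are the addresses seen on the control channel (tcp 21).
    Returns None for lines that do not negotiate a data channel.
    """
    if line.upper().startswith("PORT "):
        # Active mode: client tells the server where to connect; server comes
        # back from tcp 20 to this client address/port (see the tcpdump above).
        ip, port = parse_hostport(line)
        return DataChannel("active", "server", ip, port, ip == client_ip)
    if line.startswith("227 "):
        # Passive mode: server tells the client where to connect; the client
        # opens the second connection outbound, which a stateful firewall permits.
        ip, port = parse_hostport(line)
        return DataChannel("passive", "client", ip, port, ip == server_ip)
    return None
```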
03-10-2008 02:14 PM
I already have inspect ftp so I cannot use fixup protocol ftp 21. I also don't understand the following command:
"client ---> FTP server (client is high-random port, server is port tcp 21,
client ---> FTP server (client is high-random port, server is random high tcp port),"
What exactly do you mean? I tried commands that you suggested to no avail.