unable to use ftp commands over the ASA firewalls

Tshi M · ‎05-27-2008

i am unable to use some ftp commands once I have established an ftp session going through the ASA firewalls. A show conn has the following output:

TCP out 199.x.x.17:0 in 10.33.64.104:2859 idle 0:01:27 bytes 0 flags i

cisco24x7 · ‎05-27-2008

try this "fixup protocol ftp 21".

It may not be an issue on your end. It may be

an issue on the FTP server itself. Did

you try both "active" and "passive" ftp?

Does ftp work if you bypass the ASA?

gen2-linux:/root>cd /tmp/tmp

gen2-linux:/tmp/tmp>ftp 4.2.16.5

Connected to 4.2.16.5 (4.2.16.5).

220 dca2-Nokia-1-P FTP server (Version 6.00) ready.

Name (4.2.16.5:root): admin

500 'AUTH SSL': command not understood.

SSL not available

331 Password required for admin.

Password:

230 User admin logged in.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> passive

Passive mode on.

ftp> ls

227 Entering Passive Mode (164,109,16,5,156,64)

150 Opening ASCII mode data connection for '/bin/ls'.

total 11168720

-rw-rw-r-- 1 root wheel 29 Nov 6 2007 .bash_history

-rw------- 1 root wheel 1968 Jul 11 2007 .clish_history

-rwxr-xr-x 1 root wheel 1039 May 11 2007 .cshrc

-rw------- 1 root wheel 14028 May 14 14:13 .history

-rw-rw-r-- 1 root wheel 415 Jul 18 2007 .iclid_history

-rwxr-xr-x 1 root wheel 114 May 11 2007 .login

-rwxr-xr-x 1 root wheel 580 May 11 2007 .profile

226 Transfer complete.

ftp> passive

Passive mode off.

ftp> ls

200 PORT command successful.

150 Opening ASCII mode data connection for '/bin/ls'.

total 11168720

-rw-rw-r-- 1 root wheel 29 Nov 6 2007 .bash_history

-rw------- 1 root wheel 1968 Jul 11 2007 .clish_history

-rwxr-xr-x 1 root wheel 1039 May 11 2007 .cshrc

-rw------- 1 root wheel 14028 May 14 14:13 .history

-rw-rw-r-- 1 root wheel 415 Jul 18 2007 .iclid_history

-rwxr-xr-x 1 root wheel 114 May 11 2007 .login

-rwxr-xr-x 1 root wheel 580 May 11 2007 .profile

drwx------ 2 root wheel 512 Mar 6 12:13 .ssh

226 Transfer complete.

ftp> quit

221 Goodbye.

gen2-linux:/tmp/tmp>

CCIE Security

Tshi M · ‎05-27-2008

It works fine when I use Linux but not windows. It also only works in Linux active mode. If I used the command pasv which turns off passive mode, it no longer works.

cisco24x7 · ‎05-27-2008

"It also only works in Linux active mode. If I used the command pasv which turns off passive mode, it no longer work"

This makes no sense. When you turn off passive

mode, it becomes "active". You also stated

that "it only works in Linux active mode".

Now I am confused.

Does the FTP server accept both active and

passive mode? Is it a linux FTP server

running vsFTPd? can you verify the

vsfptd.conf configuration file to confirm

the following:

pam_service_name=vsftpd

userlist_enable=YES

listen=YES

pasv_enable=YES

port_enable=YES

this tells me that both active and passive ftp

mode is allowed on the server.

As I've said before, it may not be an issue

on your side but on the FTP server. That ftp

server may be sitting behind a firewall and

doing some crazy stuffs.

Tshi M · ‎05-28-2008

You are right, I did make a typo in my statement. However, when I typed the command "pas", I got "passive mode off", which to me means that it is now in active mode.

I am not sure if the ftp server accepts both type since I don't manage it. I will try to find out from the other party.

Thanks again,