Moving from Checkpoint to ASA. Migrated about 20% of my policies earlier this week and had to back out one. FTPS from 10.60.10.205 (inside) destined for 22.214.171.124 (prod-outside). Users got the error message "500 Illegal PORT range" when entering PASV mode:
220 pw-sftp-cl1.nmhcrx.com FTP server (Version 6.00LS+TLS) ready.
234 AUTH SSL command successful.
SSL Session Started.
Host type (1): Automatic detect
331 Password required for myuser.
230 User myuser logged in, access restrictions apply.
215 UNIX Type: L8
Host type (2): UNIX (standard)
200 PBSZ command successful (PBSZ=0).
504 PROT command not available in FTP-SSL compatibility mode.
257 "/" is current directory.
200 Type set to A.
227 Entering Passive Mode (65,217,149,5,165,146)
connecting data channel to 126.96.36.199:165,146(42386)
500 Illegal PORT range rejected.
Port failed 500 Illegal PORT range rejected.
FTP inspection is enabled. Do I need to exclude this from inspection because it is encrypted? If so, how do I handle the data channel and its associated dynamic ports?
Tried fixup protocol ftp 21 based upon feedback in another NetPro discussion.
Also modified the policy and NAT rules to permit both tcp/ftp and tcp/ftp-data.
I'm new to the ASA and not having much luck with TAC. Most recent feedback from TAC: "Let me do some research about it since I am not sure if FTPS is supported on ASA firewalls. I will keep you posted." Any suggestions?
Relevant configuration items:
access-list inside_nat_outbound_1 extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_12
nat (inside) 10 access-list inside_nat_outbound_1
access-list from-inside extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_13 log warnings
access-group from-inside in interface inside
(DM_INLINE_TCP_12 and DM_INLINE_TCP_13 object-groups include tcp/ftp and tcp/ftp-data)
access-list mss-exceeded-acl extended permit ip any any inactive
match access-list mss-exceeded-acl
policy-map type inspect dns preset_dns_map
message-length maximum 512
id-mismatch action log
inspect h323 h225
inspect h323 ras
inspect dns preset_dns_map
set connection advanced-options mss-exceeded-map
service-policy global_policy global
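As an added illustration (this is example code written for this thread, not from the original post, Cisco, or the FTP server vendor): an FTP inspection engine learns the data-channel endpoint by reading the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply on the control channel and opening a pinhole for h1.h2.h3.h4 on port p1*256+p2 (165*256+146 = 42386, the same value the client printed above). After AUTH SSL the control channel carries TLS ciphertext, so an engine that only sees the wire gets no parsable 227 reply and no pinhole, which is why the dynamic data connection is then subject to the ordinary access rules. The session lines below are constructed from the post's transcript, the "ciphertext" bytes are made up, and the passive range passed to data_port_allowed is a hypothetical value (the post's server does not publish one).

```python
"""Added example: how an FTP inspection engine derives data-channel pinholes
from the control channel, and why it cannot once the channel is TLS-protected."""
import re

# RFC 959 PASV reply: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None if it is not well formed.
    The data port is p1*256 + p2 (165*256 + 146 = 42386 in the post)."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):      # octets and port halves are one byte each
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def plan_pinholes(control_lines):
    """Simulate the inspection engine: walk the server replies seen on the
    control channel and record each data-channel endpoint it would open.
    Anything it cannot read as FTP text (e.g. TLS records) contributes nothing."""
    pinholes = []
    for line in control_lines:
        if isinstance(line, bytes):
            try:
                line = line.decode("ascii")
            except UnicodeDecodeError:
                continue                  # ciphertext, not a readable FTP reply
        parsed = parse_pasv_reply(line)
        if parsed:
            pinholes.append(parsed)
    return pinholes


def data_port_allowed(port, passive_range):
    """Check a learned data port against a statically permitted passive range
    (hypothetical range; used when inspection cannot open pinholes for you)."""
    lo, hi = passive_range
    return lo <= port <= hi


# Constructed sample: the plaintext replies quoted in the post.
PLAINTEXT_SESSION = [
    "220 pw-sftp-cl1.nmhcrx.com FTP server (Version 6.00LS+TLS) ready.",
    "200 Type set to A.",
    "227 Entering Passive Mode (65,217,149,5,165,146)",
]

# Constructed sample: what a firewall sees after AUTH SSL succeeds. The byte
# strings are made-up TLS-record-like data, not a real capture.
ENCRYPTED_SESSION = [
    "220 pw-sftp-cl1.nmhcrx.com FTP server (Version 6.00LS+TLS) ready.",
    "234 AUTH SSL command successful.",
    b"\x17\x03\x03\x00\x2a\x9f\x1c\xe4\x88\xb1\x07\x5d\xf3\xaa\x20\x6e",
    b"\x17\x03\x03\x00\x31\x41\xd0\x9e\x13\xc7\x55\x8b\xe2\x00\x7f\xbc",
]

if __name__ == "__main__":
    print(plan_pinholes(PLAINTEXT_SESSION))   # [('65.217.149.5', 42386)]
    print(plan_pinholes(ENCRYPTED_SESSION))   # [] -> no pinhole for the data channel
```

Running the block shows the contrast directly: the cleartext transcript yields one pinhole for 65.217.149.5:42386, while the post-AUTH transcript yields none, so the data connection has to be permitted by a static rule (a known passive port range on the server, checked here with data_port_allowed) rather than by inspection.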