Can't access FTP server over Internet through ASA

Answered Question
Feb 24th, 2009

Hi,

This was all working so I'm not sure what has changed.

We have a Windows 2003 FTP server that we can access internally fine. Usually we can access it over the Internet using its public IP, but it has stopped working.

I have the following rules:

access-list outside_access_in extended permit tcp any host *.*.*.72 eq ftp

access-list outside_access_in extended permit tcp any host *.*.*.72 eq ftp-data

static (DMZ10_Web_Svrs,outside) *.*.*.72 192.168.15.4 netmask 255.255.255.255

From the Internet I get the logon page (when I go to ftp://*.*.*.72) and put my username and password in and I get accepted.

I get the message "getting contents of folder" in the left hand corner, but then get a "time out" error. If I go to the FTP server and look at current connections, I see that I am connected.

I have rebuilt the FTP server and get the same results, I have even installed FTP on another Windows server and get the same results, so it must be on the ASA5520.

I opened up port 80 and installed a simple web page, and that worked.

I can see my ASA has policy maps > inspect ftp; could this be anything? It's like it's an outbound issue back to the client, as it works fine on the LAN.

Ivan Martinon Tue, 02/24/2009 - 13:42

Based on what you describe here, it seems to be the standard active FTP setup, but can you confirm? Is this active or passive FTP? Can you enable logging on the ASA and check it when the connection times out?

whiteford Tue, 02/24/2009 - 14:10

Hi,

It's a standard Windows 2003 FTP server in isolation mode (local user logins).

How can I tell if it is passive or active?

Also, I can telnet to port 21 but not 20, even though I have this port open over the Internet. Should I be able to telnet to this?

I tried installing FTP on another server and get the same results over the internet too.

Plus FTP works on these servers internally

Ivan Martinon Tue, 02/24/2009 - 14:13

OK, well, you would have to check your FTP server, but I think it is active. Now, can you go ahead and enable logs on your ASA at level 5 and then try the FTP connection? For example:

logging on

logging monitor 5

ter mon

Then try your ftp connection and see if you got logs from the relevant connection.

whiteford Tue, 02/24/2009 - 14:29

It doesn't show anything.

I got rid of the rule and a deny came up, just to prove I did it right.

FTP works just fine internally.

Ivan Martinon Tue, 02/24/2009 - 14:32

Have you done packet captures? If so, get captures on both inside and outside, from the server to the client and vice versa.

Correct Answer
daviddtran Tue, 02/24/2009 - 14:49

Your ACL is not correct. You need to understand how Active and Passive FTP works:

Active FTP: client connects to server on port 21. Server uses port 20 to transfer data back to client. In the 2nd phase, the FTP server is the client and the FTP client is the server.

Passive FTP: client connects to server on port 21. Server tells the client a port > 1024 to use for the data transfer. Client then makes a 2nd connection from its >1024 ports to the server's >1024 ports. In this scenario, the client does all the work; the server does nothing.

Therefore, the second-line ACL (ftp-data) is not needed at all. You will never see a match on this ACL.

In your scenario, since you're doing NAT, you must enable "fixup protocol ftp 21" or your FTP will fail.

If you bypass the ASA, does FTP still work? If that works, it is probably a bug in the ASA code, just guessing.
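
The two cases the answer above describes can be walked through in code. The following Python is an added example, not code from the thread or from Cisco: it models what the ASA's FTP inspection engine ("fixup protocol ftp 21", later "inspect ftp") has to do to the control channel when the server sits behind a static NAT. The addresses are constructed: 203.0.113.72 stands in for the masked *.*.*.72, 192.168.15.4 is the inside address from the static rule in the original post, and 198.51.100.9 is a made-up Internet client. The function names are mine. It decodes the h1,h2,h3,h4,p1,p2 tuple that PORT commands and 227 replies carry, shows why an Internet client cannot use the server's unrewritten passive reply through a plain static NAT (the listing hangs and times out), and computes the pinhole the firewall has to open for the data connection in each mode.

```python
"""Model of what FTP inspection on the ASA has to do to the control channel
when the FTP server sits behind a static NAT.  Added example with constructed
addresses; not code from the thread."""
import re

PRIVATE_SERVER = "192.168.15.4"      # inside address from the thread's static rule
PUBLIC_SERVER = "203.0.113.72"       # stands in for the masked *.*.*.72
INTERNET_CLIENT = "198.51.100.9"     # constructed client on the outside
STATIC_NAT = {PRIVATE_SERVER: PUBLIC_SERVER}   # static (DMZ10_Web_Svrs,outside) ...

# The h1,h2,h3,h4,p1,p2 encoding shared by the PORT command and the 227 reply.
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from a PORT command or 227 reply; port = p1*256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("value out of range in %r" % text)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    p1, p2 = divmod(port, 256)
    return "%s,%d,%d" % (ip.replace(".", ","), p1, p2)


def is_rfc1918(ip):
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def client_view_without_inspection(reply_227):
    """Where an Internet client tries to open the data connection if the firewall
    forwards the PASV reply untouched.  A plain static NAT rewrites only the IP
    header, so the reply still carries the server's inside address; the client's
    SYN goes to an unroutable RFC 1918 address and the directory listing hangs
    until it times out (the symptom in the original post)."""
    ip, port = decode_hostport(reply_227)
    return {"connects_to": (ip, port), "reachable": not is_rfc1918(ip)}


def inspect_ftp(line, nat):
    """Emulate the inspection engine on one control-channel line.

    Returns (line_as_forwarded, pinhole).  pinhole is the (ip, port) on which the
    firewall must permit the upcoming data connection, or None for lines that
    carry no address.  nat maps inside -> outside addresses."""
    if line.startswith("227 "):
        # Passive: server -> client.  Replace the embedded inside address with the
        # static NAT's outside address so the client connects to something routable,
        # and note the port so the inbound SYN to public:port is allowed and
        # untranslated to private:port without any permanent ACL line.
        ip, port = decode_hostport(line)
        public_ip = nat.get(ip, ip)
        return _TUPLE.sub(encode_hostport(public_ip, port), line, count=1), (public_ip, port)
    if line.startswith("PORT "):
        # Active: client -> server.  The client's address is already routable, so
        # nothing is rewritten; the server will connect *outbound* from port 20 to
        # this ip:port, which is why an inbound ftp-data ACL line never matches.
        return line, decode_hostport(line)
    return line, None


def walk_passive_exchange():
    """Both behaviours side by side for the constructed server offering port 5001."""
    reply = "227 Entering Passive Mode (%s)\r\n" % encode_hostport(PRIVATE_SERVER, 5001)
    forwarded, pinhole = inspect_ftp(reply, STATIC_NAT)
    return {
        "raw_reply": reply,
        "without_inspection": client_view_without_inspection(reply),
        "forwarded_reply": forwarded,
        "pinhole": pinhole,
    }


if __name__ == "__main__":
    for k, v in walk_passive_exchange().items():
        print("%-20s %r" % (k, v))
    port_cmd = "PORT %s\r\n" % encode_hostport(INTERNET_CLIENT, 1025)
    print("active PORT from client:", inspect_ftp(port_cmd, STATIC_NAT))
```

Run as-is, the script prints the raw 227 reply with 192,168,15,4 inside it, the unreachable target the client would try, the rewritten reply carrying 203,0,113,72, and the pinhole. One thing the model leaves out: when the rewritten address is a different length from the original, the real inspection engine also has to adjust TCP sequence and acknowledgement numbers on the control connection for the rest of the session, which is why this cannot be done with a static NAT rule alone.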

whiteford Tue, 02/24/2009 - 15:03

Do I just need to add "fixup protocol ftp 21" to the cli?

I will try to bypass the ASA too. The thing is, it's all been working fine for years.

If it is active ftp, do I need an outbound rule?

whiteford Tue, 02/24/2009 - 15:17

"fixup protocol ftp 21" did it!!!

A big thanks, what does this do?

Also, could this be a bug? I'm on 8.0(3).

whiteford Wed, 02/25/2009 - 12:16

Hi,

The "fixup protocol ftp 21" doesn't appear in the CLI or ASDM, where does it go once I've added it?

What does the Fixup actually do?

Thanks

Tshi M Wed, 02/25/2009 - 12:57

With the ASA 5520, fixup has been replaced with inspect.

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!

This functionality allows active FTP to pass through.

regards,

cisco24x7 Wed, 02/25/2009 - 14:09

That's not correct. "fixup protocol ftp 21" allows both Active and Passive FTP to pass through. Without this command, you will have to allow >1024 ports to enter the firewall for passive FTP, and if you have an ACL on the inside interface, you have to allow the ftp-data port from the server back out.

One more thing, without "fixup protocol ftp 21", FTP will not work at all, if you have NAT.
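
Gathered into one place, here is the configuration the thread arrives at, as an added example rather than config quoted from any post. 203.0.113.72 stands in for the masked public address; the ACL, interface and NAT names are the ones from the original post. On 7.x and 8.x code the fixup command is accepted at the CLI and stored in the Modular Policy Framework form below, which is why it is not visible as typed; the class-map inspection_default (match default-inspection-traffic) is present by default and is not repeated here.

```cisco
! Inbound ACL on the outside interface: only the control channel needs a line.
! The data connection is either opened outbound by the server (active, source
! port 20) or pin-holed by the FTP inspection engine (passive), so an ftp-data
! line on this inbound ACL never matches and is left out.
access-list outside_access_in extended permit tcp any host 203.0.113.72 eq ftp
access-group outside_access_in in interface outside
!
! Static NAT for the DMZ server, unchanged from the original post.
static (DMZ10_Web_Svrs,outside) 203.0.113.72 192.168.15.4 netmask 255.255.255.255
!
! What "fixup protocol ftp 21" becomes: FTP inspection in the default global policy.
! The engine rewrites the address inside 227/PORT messages for the static NAT
! and opens the data-channel pinhole per session.
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
!
! Verification from privileged EXEC after the change:
! "inspect ftp" must appear under class inspection_default
show running-config policy-map
! per-interface counters for the FTP inspector; they increment as sessions pass
show service-policy inspect ftp
! control-channel connections currently through the box
show conn protocol tcp port 21
```

If the counters in show service-policy inspect ftp stay at zero while a transfer is attempted, the session is not hitting the global policy at all (for example a more specific interface policy without inspect ftp), which is the next thing to check before suspecting the code version.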
