02-24-2009 12:16 PM - edited 03-11-2019 07:56 AM
Hi,
This was all working so I'm not sure what has changed.
We have a Windows 2003 FTP server that we can access internally fine. Usually we can access it over the Internet using its public IP, but it has stopped working.
I have the following rules:
access-list outside_access_in extended permit tcp any host *.*.*.72 eq ftp
access-list outside_access_in extended permit tcp any host *.*.*.72 eq ftp-data
static (DMZ10_Web_Svrs,outside) *.*.*.72 192.168.15.4 netmask 255.255.255.255
From the Internet I get the logon page (when I go to ftp://*.*.*.72) and put my username and password in and I get accepted.
I get the message "getting contents of folder" in the left hand corner, but then get a "time out" error. If I go to the FTP server and look at current connections I see that I am connected.
I have rebuilt the FTP server and get the same results, I have even installed FTP on another Windows server and get the same results, so it must be on the ASA5520.
I opened up port 80 and installed a simple web page and that worked.
I can see my ASA has policy maps > inspect ftp; could this be anything? It's like it's an outbound issue back to the client, as it works fine on the LAN.
02-24-2009 01:42 PM
Based on what you describe here it seems it is the standard active FTP setup, but can you confirm? Is this active or passive FTP? Can you enable logging on the ASA and check it when the connection times out?
02-24-2009 02:10 PM
Hi,
It's a standard Windows 2003 FTP server in isolation mode (local user logins).
How can I tell if it is passive or active?
Also I can telnet to port 21 but not 20 even though I have this port open over the internet, should I be able to telnet to this?
I tried installing FTP on another server and get the same results over the internet too.
Plus FTP works on these servers internally.
02-24-2009 02:13 PM
OK, well, you would have to check your FTP server, but I think it is active. Now can you go ahead and enable logs on your ASA at level 5 and then try the FTP connection? For example:
logging on
logging monitor 5
ter mon
Then try your ftp connection and see if you got logs from the relevant connection.
02-24-2009 02:29 PM
It doesn't show up anything.
I got rid of the rule and a deny came up, just to prove I did it right.
FTP works just fine internally.
02-24-2009 02:32 PM
Have you done packet captures? If so, get captures on both inside and outside from the server to the client and vice versa.
02-24-2009 02:49 PM
Your ACL is not correct. You need to understand how Active and Passive FTP work:
Active FTP: client connects to server on port 21. Server uses port 20 to transfer data back to client. In the 2nd phase, the FTP server is the client and the FTP client is the server.
Passive FTP: client connects to server on port 21. Server tells the client a port > 1024 to use for the data transfer. Client then makes a 2nd connection from its >1024 ports to the server's >1024 ports. In this scenario, the client does all the work, the server does nothing.
Therefore, the second-line ACL ftp-data is not needed at all. You will never see a match in this ACL.
In your scenario, since you're doing NAT, you must enable "fixup protocol ftp 21" or your FTP will fail.
If you bypass the ASA, does FTP still work? If that works, it is probably a bug in the ASA code, just guessing.
02-24-2009 03:03 PM
Do I just need to add "fixup protocol ftp 21" to the cli?
I will try to bypass the ASA too. Thing is it's all been working fine for years.
If it is active ftp, do I need an outbound rule?
02-24-2009 03:17 PM
"fixup protocol ftp 21" did it!!!
A big thanks, what does this do?
Also, could this be a bug? I'm on 8.0(3).
02-25-2009 12:16 PM
Hi,
The "fixup protocol ftp 21" doesn't appear in the CLI or ASDM, where does it go once I've added it?
What does the Fixup actually do?
Thanks
02-25-2009 12:57 PM
With the ASA 5520, fixup was replaced with inspect.
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
This functionality allows active FTP to pass through.
Regards,
02-25-2009 02:09 PM
That's not correct. "fixup protocol ftp 21" allows both Active and Passive FTP to pass through. Without this command, you will have to allow >1024 ports to enter the firewall for passive FTP and, if you have an ACL on the inside interface, you have to allow the ftp-data port from the server back out.
One more thing, without "fixup protocol ftp 21", FTP will not work at all, if you have NAT.
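As an added illustration (not from this thread or from Cisco's code) of why the fixup/inspect is needed behind a static NAT: a small Python model of the FTP control channel that decodes PASV replies and PORT commands, rewrites the private address the server embeds in its passive reply to the public NAT address, and reports which data connection the firewall has to open dynamically. The addresses are constructed placeholders; 203.0.113.72 stands in for the masked *.*.*.72 in the thread.

```python
import re

# Constructed sample values: the thread masks the public address as *.*.*.72,
# so the documentation address 203.0.113.72 stands in for it here.
INSIDE_IP = "192.168.15.4"
OUTSIDE_IP = "203.0.113.72"

_HP = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*?\(" + _HP + r"\)")
PORT_RE = re.compile(r"^PORT " + _HP + r"\s*$")


def _decode(m):
    """FTP encodes host,port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def _encode(ip, port):
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def data_channel(line, inside_ip=INSIDE_IP, outside_ip=OUTSIDE_IP):
    """Inspect one control-channel line and model what 'inspect ftp' does.

    Returns (direction, rewritten_line, (ip, port)) where direction is the
    data connection the firewall must allow without any static ACL entry:
      'inbound'  - passive: client connects to the server's advertised port
      'outbound' - active: server (from port 20) connects to the client
    """
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(m)
        if ip == inside_ip:
            # Without inspection the private 192.168.15.4 leaks to the
            # Internet client, which then times out connecting to it:
            # the "getting contents of folder" hang described in the thread.
            line = line.replace(_encode(ip, port), _encode(outside_ip, port))
            ip = outside_ip
        return "inbound", line, (ip, port)
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(m)
        # Active FTP: the server opens TCP/20 -> client ip:port; a static
        # "eq ftp-data" entry on the outside interface never matches this.
        return "outbound", line, (ip, port)
    return None, line, None
```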