06-25-2009 08:35 AM - edited 03-11-2019 08:48 AM
Hi everybody,
I have trouble with FTP connections using an ASA5510.
I have 3 LANs connected to the FW:
LAN1 (inside): 172.16.1.0/24
LAN2 (outside): 10.52.64.0/24
LAN (DMZ): 172.16.0.8/29
My FTP server (IIS FTP Server) is on the DMZ with IP address 172.16.0.10.
The FTP traffic between outside and DMZ is configured and works fine (connection, PUT, GET...)
But, the FTP traffic between inside and DMZ doesn't work properly.
The authentication on the FTP server is OK but, after a few seconds, I always get a disconnection message "connection closed by remote host"...
I have tried using "no ftp mode passive" or "ftp mode passive" but it's the same.
The ports allowed are TCP 20 and TCP 21.
Does anyone have an idea how to fix this issue?
Sincerely,
Herév
06-25-2009 08:42 AM
Can you post "sh run policy-map"?
HTH,
John
06-25-2009 08:44 AM
I would try with this first.
(config)#policy-map global_policy
class inspection_default
inspect FTP
06-25-2009 09:23 AM
ftp-map GET
request-command deny get
!
ftp-map PUT
request-command deny put
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map outside-policy
class inspection_default
inspect ftp strict PUT
policy-map inside-policy
class inspection_default
inspect ftp strict GET
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy inside-policy interface inside
06-25-2009 09:29 AM
What are the logs saying?
06-25-2009 09:53 AM
Currently, I cannot access the FW (WAN link DOWN), but when I tried to troubleshoot, nothing really clear appeared in the logs...
06-25-2009 10:25 AM
Currently, I cannot access the FW (WAN link down).
But there was nothing really interesting in the logs when I did my troubleshooting.
06-25-2009 11:31 AM
Please post the #show service-policy
06-25-2009 09:29 PM
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 103, drop 0, reset-drop 0
Inspect: h323 h225, packet 0, drop 0, reset-drop 0
Inspect: h323 ras, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: esmtp, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Interface outside:
Service-policy: outside-policy
Class-map: inspection_default
Inspect: ftp strict PUT, packet 360, drop 0, reset-drop 3
Interface inside:
Service-policy: inside-policy
Class-map: inspection_default
Inspect: ftp strict GET, packet 812, drop 282, reset-drop 17
08-08-2009 01:50 AM
Hi Herev,
I have the same problem. I defined one FTP server for access from outside and it's working fine, but when I try to add one more FTP server and define the same rule for this server, it's not working. I don't know what the problem is. I get the same message when I try to run the put command: the translation table is established for port 21 but not for port 20, which is the data port.
Please help me with how I can resolve this problem.
Regards
Azhar
08-11-2009 07:03 AM
Hi Azhar:
If you're using an ACTIVE FTP client, ports 20 and 21 will work fine.
If your FTP clients use passive ftp, which is generally the case, you'd have to allow ports >1023 for the data session for FTP. Passive FTP works that way. And for ASA to allow established data connections, you should create an ACL allowing only port 20 for ftp-data.
08-11-2009 07:12 AM
Hi,
Let's do something. Clear the ASP drops with the command #clear asp drop,
then try to connect several times, then get the ASP drops with the command #show asp drop and send us that information.
08-11-2009 08:17 AM
What does your FTP server say?
I'm not an ASA guru but why allow only port 20 for ftp? Are you just concerned with Active FTP sessions?
08-11-2009 03:08 PM
Put in:
no service-policy outside-policy interface outside
no service-policy inside-policy interface inside
HTH
Sushil
TAC