FTP through an ASA5540

Unanswered Question
Nov 21st, 2009

Folks,

I have an ASA running v8 IOS and I'm trying to allow FTP through it, but it's not that straightforward.

The internal client makes an outbound FTP session to an external FTP server.

When the FTP credentials are authorised, the external server responds by making an inbound connection from source port 20 to a range of TCP ports between 8000 - 8500.

I allow an FTP session from an inside client to an external server:

- rule allows source to destination for FTP

- source is NAT'd to a public IP

- packet captures on the ASA show the traffic going in/out the relevant interfaces

- I have an inbound rule allowing TCP 8000 - 8500 from the external server to the public NAT

- FTP inspection is enabled on the default policy (strict inspection isn't enabled)

The outbound rule shows hits, but the return traffic from the external server on source port 20/destination port 8000 - 8500 is getting denied.

Do I need to add the ports TCP 8000 - 8500 to the global inspection for a service group, i.e. destination ports TCP-8000/8500?

Thanks to anyone taking the time to look at this or reply.

Kureli Sankar Sat, 11/21/2009 - 05:24

You don't even need this:

- I have an inbound rule allowing TCP 8000 - 8500 from the external server to the public NAT

FTP inspection should automatically allow the data to come back in.

Now, are you sure the control channel goes on port 21, and that it does hit the inspection?

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 21

where x.x.x.x is the inside client and y.y.y.y is the FTP server on the outside,

should show you whether this flow is being inspected or not.

Besides that, we would have to look at the captures and syslogs at the time of the problem.

Pls. check what the logs show.

mulhollandm Sat, 11/21/2009 - 13:31

kusankar

Many thanks for your reply.

I've been drafted in to fix this issue and wasn't involved in its setup, but based on a packet capture I can see the client sending an AUTH TLS request, so I suspect what I'm dealing with is FTPS.

Have you had any dealings with passing FTPS through an ASA?

Thanks

Kureli Sankar Sat, 11/21/2009 - 20:37

If this is secure FTP then inspection will not be able to look in the encrypted packet and allow the data connection automatically. The only workaround is to allow the ports via ACL (for data), which you mentioned you have already allowed.

Besides that, like I previously mentioned, syslogs and captures are our friends.

See if you see ACL hit counts on the ACL applied inbound on the outside interface from the FTP server back to the translated address of the client.
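As an added example of the workaround described in this thread (not configuration posted by either participant), the static data-channel ACL plus the checks to confirm whether inspection is handling the control channel. Assumed placeholders: 203.0.113.10 is the external FTPS server, 198.51.100.5 is the client's translated address, 10.0.0.25 is the inside client, interfaces are named inside/outside, the static NAT already exists, and the ASA is pre-8.3 (from 8.3 onward the inbound ACL must match the client's real inside address rather than the mapped one).

```cisco
! Added example, not from the thread. All addresses are placeholders.

! Control channel: inside client to the server on tcp/21 (the rule already showing hits).
access-list INSIDE_OUT extended permit tcp host 10.0.0.25 host 203.0.113.10 eq 21
access-group INSIDE_OUT in interface inside

! Data channel: once the client sends AUTH TLS the control channel is encrypted, so
! "inspect ftp" never sees the PORT command and never opens the dynamic pinhole.
! Open it statically: server port 20 -> client's mapped address, tcp 8000-8500.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 eq 20 host 198.51.100.5 range 8000 8500
access-group OUTSIDE_IN in interface outside

! Verification
! Is the control flow being inspected at all? (With FTPS it will at best be permitted, not inspected.)
show service-policy flow tcp host 10.0.0.25 host 203.0.113.10 eq 21
! Hit counts on the static data-channel entry:
show access-list OUTSIDE_IN
! Capture the inbound data connections on the outside interface:
capture FTPDATA interface outside match tcp host 203.0.113.10 eq 20 host 198.51.100.5 range 8000 8500
show capture FTPDATA
! Packets denied by an interface ACL are logged as syslog 106023:
show logging | include 106023
```

If the 106023 entries name the data ports while OUTSIDE_IN shows no hits, the denial is happening before that ACL (for example a mismatch between the mapped and real address), not in the FTP inspection itself.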
