I can't download ftp from inside my ASA 5510

Unanswered Question
Jan 28th, 2010

I just installed an ASA 5510 and got just about everything I needed on it working such as DHCP server, remote client VPN and some public servers accessible that sit on the inside network.  I configured everything with ASDM since I am new to Cisco ASA.

Today I discovered that I can't download ftp files from workstations on the inside interface.  I have searched a lot and this seems to be a somewhat common issue, but none of the things I have tried will make it work.  In general, I have seen that if these commands are in the ASA it should work:

ftp mode passive

policy-map global_policy
class inspection_default
  inspect ftp

They are, but it still won't work.  Here is an example of a failed ftp session:

brandon-svecs-computer:~ bsvec$ ftp XX.X.249.145
Connected to XX.X.249.145.
220-FileZilla Server version 0.9.23 beta
220 Welcome to NexAira Engineering FTP Site/
Name (XX.X.249.145:bsvec): username
331 Password required for username
Password:
230 Logged on
Remote system type is UNIX.
ftp> bin
200 Type set to I
ftp> get Cbeyond\ ML3.zip
local: Cbeyond ML3.zip remote: Cbeyond ML3.zip
227 Entering Passive Mode (XX,XX,249,145,7,50)
150 Connection accepted
  0% |                                                     |     0        0.00 KiB/s    --:-- ETA

Then it just sits there. One strange thing is that one of these sessions seems to have worked after 15-20 minutes when I forgot about it..

Similarly in windows the ftp download will fail through browser or command line, but on one ocassion a file downloaded 20 minutes later..

I attached my config.  Any help is much appreciated.

Thanks,

Brandon

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Tanveer Deewan Sat, 02/13/2010 - 13:13

There is a server in your network 10.10.10.41 with the following static nat.

static (inside,outside) xx.xx.133.242 10.10.10.41 netmask 255.255.255.255

Try to use this server as your ftp client and see if it works. This may be an issue with NAT but we need captures for the traffic flow on the two interfaces of the ASA.

Kureli Sankar Sat, 02/13/2010 - 16:48

So, this workstation on the inside is able to go out to the internet just fine? Just not able to ftp at times?

What is the gateway of this workstation?

Can you try the same ftp from a workstation that is directly connected to the inside interface sub-net? Make sure the GW is for this workstation is the firewall. If it fails collect wireshark capture on the workstation and review that or post it for us to look at.

-KS

Brandon Svec Sat, 02/13/2010 - 20:52

Thank you both for the input.  I had actually resolved this previously by not using the CSC module.  I would like to revisit this some time and make everything work with the CSC active though.  Via ASDM these are the lines that I added (then removed) that created my ftp trouble:

     object-group service DM_INLINE_TCP_1 tcp
        port-object eq ftp
        port-object eq http
        port-object eq pop3
        port-object eq smtp
      access-list global_mpc_1 line 1 extended permit tcp any any object-group DM_INLINE_TCP_1
      class-map global-class
        match access-list global_mpc_1
      policy-map global_policy
        class global-class
          csc fail-open

My understanding is that these lines tell the ASA that ftp, http, pop3 and smtp traffic will be scanned by the CSC.  Is this correct?  Any idea why this would mess up normal ftp client activity?

Thanks in advance,

Brandon

Kureli Sankar Sun, 02/14/2010 - 06:20

I do not see ftp inspection. That is required for the CSC to scan ftp traffic.

Pls. enable ftp inspection and give it a shot.

policy-map global_policy
        class global-class

          inspect ftp ---------------------> add this
          csc fail-open

-KS

Brandon Svec Sun, 02/14/2010 - 10:46

I do have "inspect ftp" in my config (see attachment to original post).  I tried doing it on CLI as you described to be sure and still nothing changed.

When I go to ASDM under configuration > traffic selection for scanning and select the default setting it creates these commands:

     object-group service DM_INLINE_TCP_1 tcp
        port-object eq  ftp
        port-object eq http
        port-object eq pop3
         port-object eq smtp
      access-list global_mpc_1 line 1 extended  permit tcp any any object-group DM_INLINE_TCP_1
      class-map  global-class
        match access-list global_mpc_1
       policy-map global_policy
        class global-class

Then ftp stops working for me or works intermittently with odd errors.  As soon as I remove the above and this config goes back to the ASA, then ftp works again:

      policy-map global_policy
        no class global-class
      no class-map global-class

In my current running config I see this:

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ftp

KS, you suggest I put inspect ftp under "class global-class" (which I tried), but my ASDM created config has thisunder "class inspection_default"

Could this mean anything?

Thanks again,

Brandon

Actions

This Discussion