Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5284
Views
0
Helpful
4
Replies

ASA 5505 cannot configure FTP and tried just about everything

Go to solution
importking
Level 1
Level 1

‎02-08-2010 12:41 PM - edited ‎02-21-2020 03:52 AM

Not sure if my unit is defective or not but I am running on a base license and cannot establish an FTP connection for the life of me. Here is my config;

Thanks in advance....

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password TGFUt.AsMHJOyury encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list 100 extended permit tcp any host 192.168.1.110 eq ftp
access-list 100 extended permit tcp any host 192.168.1.110 eq ftp-data
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:641863a581e04222e46e2ab17a880147
: end

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎02-09-2010 08:08 PM

Where is the  static nat translation, or port forwarding configuration ?

you have for acl  bellow lines ,  these access list is not even applied to outside interface of firewall.

access-list 100 extended permit tcp any host 192.168.1.110 eq ftp
access-list 100 extended permit tcp any host 192.168.1.110 eq ftp-data

how do hosts from the outside internet be able to connect to a non-public IP address such as the 192.168.1.110 ?

you need few things to correct in your configuration , first your outside interface  is set  for dynamic ip for ISP to provide public ip address seen in your config as :

interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute

Number 1-  becuase we don't know what IP address the ISP has dynamically given the firewall you need to know what  address is provided  by issuing on the asa command line  show interface ip brief   and take notes on Vlan2 ip address ...  that Ip address will be the one use for hosts on the internet to be able to connect to your FTP server 192.168.1.110 .

Number 2-  becuase you do not have spared public IP address to use a one-to-one NAT translation  for your ftp server inside to a public IP on the  outside , you need to use  keyword  interface  on both your static port translation and the actual access-list 100  for the firewall to allow  that connection and forward the request to the ftp server on the inside.

static (inside,outside) tcp interface ftp 192.168.1.110  ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.110  ftp-data netmask 255.255.255.255

Then re-configure acl 100 as bellow and apply it to outside interface

access-list 100  extended permit tcp any interface outside  eq ftp
access-list 100  extended permit tcp any interface outside  eq ftp_data

access-group 100 in interface outside

Lastly   make your your FTP server is indeed running ,  remember that from outside you will use the public IP address  you got from show interface ip brief  output ,  that will be the IP that will be use to FTP from outside to inside.

Jorge Rodriguez

View solution in original post

0 Helpful
4 Replies 4

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎02-09-2010 08:08 PM

Where is the  static nat translation, or port forwarding configuration ?

you have for acl  bellow lines ,  these access list is not even applied to outside interface of firewall.

access-list 100 extended permit tcp any host 192.168.1.110 eq ftp
access-list 100 extended permit tcp any host 192.168.1.110 eq ftp-data

how do hosts from the outside internet be able to connect to a non-public IP address such as the 192.168.1.110 ?

you need few things to correct in your configuration , first your outside interface  is set  for dynamic ip for ISP to provide public ip address seen in your config as :

interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute

Number 1-  becuase we don't know what IP address the ISP has dynamically given the firewall you need to know what  address is provided  by issuing on the asa command line  show interface ip brief   and take notes on Vlan2 ip address ...  that Ip address will be the one use for hosts on the internet to be able to connect to your FTP server 192.168.1.110 .

Number 2-  becuase you do not have spared public IP address to use a one-to-one NAT translation  for your ftp server inside to a public IP on the  outside , you need to use  keyword  interface  on both your static port translation and the actual access-list 100  for the firewall to allow  that connection and forward the request to the ftp server on the inside.

static (inside,outside) tcp interface ftp 192.168.1.110  ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.110  ftp-data netmask 255.255.255.255

Then re-configure acl 100 as bellow and apply it to outside interface

access-list 100  extended permit tcp any interface outside  eq ftp
access-list 100  extended permit tcp any interface outside  eq ftp_data

access-group 100 in interface outside

Lastly   make your your FTP server is indeed running ,  remember that from outside you will use the public IP address  you got from show interface ip brief  output ,  that will be the IP that will be use to FTP from outside to inside.

Jorge Rodriguez
0 Helpful

Go to solution
importking
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎02-09-2010 09:02 PM

Thanks a million Jorge!!!!

I had the access-group 100 in interface outside and removed before I did the copy and paste but the NAT translation threw me for a loop. I had a feeling NAT had something to do with it. I configured a Pix 501 for FTP and did not recall needing to do anything with NAT. Again, thanks for resolving my countless hours of frustration and steering me in the right direction.

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to importking

‎02-10-2010 06:01 AM

You're very  welcome,  glad to hlelp and  thanks for the rating.

Regards

Jorge Rodriguez
0 Helpful

Go to solution
silixious2010
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎11-23-2010 05:52 AM

Pity.

I tried the config you reported and I'm getting a bit crazy.

I've an ASA 5505 conected to an access-router C837 that gives to me Internet access through Dynamic IP from my ISP.

This is the config of the ASA

This is the same case the original request

Except there's first an access router, then ASA then internally a Catalyst switch

I've got internal FTP access but not from outside (from internet)

ASA Version 7.2(2)

!

hostname ASA5505

domain-name UScore.local

enable password

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.240

!

interface Vlan2

nameif outside

security-level 0

ip address 10.10.10.2 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

!

passwd

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name UScore.local

access-list 133 extended permit tcp any interface outside eq ftp-data <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

access-list 133 extended permit tcp any interface outside eq ftp <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

access-list 133 extended permit udp host 10.10.10.1 eq syslog host 192.168.1.3 eq syslog log notifications

access-list 133 extended permit ip 192.168.1.0 255.255.255.240 any log

pager lines 24

logging timestamp

logging console notifications

logging monitor notifications

logging trap notifications

logging asdm informational

logging mail debugging

logging device-id hostname

logging host inside 192.168.1.3

logging debug-trace

logging class auth mail emergencies

mtu inside 1576

mtu outside 1576

ip verify reverse-path interface inside

ip verify reverse-path interface outside

ip audit name BASIC info action reset

ip audit name ATTACK attack action drop

ip audit attack action alarm reset

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

asdm history enable

arp inside 192.168.1.3 0013.8fc6.1ef8

arp inside 192.168.1.1 0016.ec48.4a16

arp inside 192.168.1.10 0002.b386.94b5

arp inside 192.168.1.9 0011.93e4.15c0

arp timeout 3600

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.240

static (inside,outside) tcp interface ftp 192.168.1.1 ftp netmask 255.255.255.255  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

static (inside,outside) tcp interface ftp-data 192.168.1.1 ftp-data netmask 255.255.255.255 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<

access-group 133 in interface outside <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username

username

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.240 inside

no service password-recovery

service resetinbound

service resetoutside

telnet 192.168.1.3 255.255.255.255 inside

telnet timeout 3

ssh 192.168.1.3 255.255.255.255 inside

ssh timeout 10

ssh version 2

console timeout 0

management-access inside

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

tftp-server inside 192.168.1.1 \TFTP

csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg

csd enable

prompt hostname context

Cryptochecksum:c76893628ecc39821d3d379f4c7b978b

: end

So it seems to be all right

But it doesn't work

Ok I give you either my C837 config

C837#sh run

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug uptime

service timestamps log uptime

service password-encryption

service sequence-numbers

!

hostname C837

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 10 log

security passwords min-length 6

logging buffered notifications

logging console notifications

logging monitor notifications

enable secret

enable password

!

aaa new-model

!

!

aaa authentication login local_auth local

!

aaa session-id common

no ip source-route

no ip gratuitous-arps

!

!

ip dhcp excluded-address 10.10.10.1

!

!

ip cef

ip domain name soyuz.local

no ip bootp server

ip inspect udp idle-time 1800

ip inspect dns-timeout 7

ip inspect tcp idle-time 14400

ip inspect name autosec_inspect cuseeme timeout 3600

ip inspect name autosec_inspect ftp timeout 3600

ip inspect name autosec_inspect http timeout 3600

ip inspect name autosec_inspect rcmd timeout 3600

ip inspect name autosec_inspect realaudio timeout 3600

ip inspect name autosec_inspect smtp timeout 3600

ip inspect name autosec_inspect tftp timeout 30

ip inspect name autosec_inspect udp timeout 15

ip inspect name autosec_inspect tcp timeout 3600

ip inspect name ANTI-ATTACK icmp audit-trail on

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip ips sdf location flash:attack-drop.sdf

ip ips fail closed

ip ips deny-action ips-interface

ip ips name ANTI-ATTACK

login block-for 3600 attempts 3 within 120

!

!

crypto pki trustpoint TP-self-signed-

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate

revocation-check none

rsakeypair TP-self-signed

!

!

crypto pki certificate chain TP-self-signed

  quit

username privilege 15 user-maxlinks 2

archive

log config

  logging enable

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh version 2

!

!

!

!

interface Ethernet0

ip address 10.10.10.1 255.255.255.252

ip access-group IDS_Eth0_Out out

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

no cdp enable

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

atm vc-per-vp 64

no atm ilmi-keepalive

dsl operating-mode auto

pvc 8/32

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Dialer1

ip address negotiated

ip access-group 139 in <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

ip verify unicast source reachable-via rx allow-default 100

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

ip nat outside

ip inspect autosec_inspect out

ip ips ANTI-ATTACK in

ip virtual-reassembly

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer remote-name redback

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname

ppp chap password

ppp pap sent-username password

ppp ipcp dns request

ppp ipcp wins request

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

!

no ip http server

ip http secure-server

!

ip nat inside source list 102 interface Dialer1 overload

!

!

ip access-list extended IDS_Eth0_Out

permit ip host 192.168.1.10 any

permit ip any any

logging trap notifications

logging facility syslog

logging 192.168.1.3

access-list 11 permit 10.10.10.2

access-list 102 permit ip 10.10.10.0 0.0.0.3 any

access-list 111 permit icmp any any redirect

access-list 111 permit icmp any any echo

access-list 111 permit icmp any any echo-reply

access-list 111 permit udp any any eq tftp

access-list 111 deny   ip 127.0.0.0 0.255.255.255 any

access-list 111 deny   ip 192.0.0.0 0.255.255.255 any

access-list 111 deny   ip 172.0.0.0 0.255.255.255 any

access-list 111 deny   ip 10.0.0.0 0.255.255.255 any

access-list 111 deny   ip host 0.0.0.0 any

access-list 111 deny   ip 224.0.0.0 31.255.255.255 any

access-list 111 deny   icmp any any redirect

access-list 111 deny   icmp any any echo

access-list 111 deny   icmp any any echo-reply

access-list 111 permit ip any any

access-list 139 deny   ip 127.0.0.0 0.255.255.255 any

access-list 139 deny   ip 192.0.0.0 0.255.255.255 any

access-list 139 deny   ip 172.0.0.0 0.255.255.255 any

access-list 139 permit tcp any any eq ftp <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

access-list 139 permit tcp any any eq ftp-data<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

dialer-list 1 protocol ip permit

!

!

!

control-plane

!

!

line con 0

no modem enable

transport output all

line aux 0

transport output none

line vty 0 4

access-class 11 in

transport input ssh

transport output ssh

!

scheduler max-task-time 5000

end

C837# 

ASA5505#

I dunno what's happening why from an Internet connection with an internal FTP server on LAN 192.168.1.1  this is not accessible

I'll have a look later

While, if someone is able to see where's my fault please tell me

Thanks in advance !!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card