Solved: ASA 5505 blocking inbound FTP

jeremy.lebeau · ‎02-11-2010

I am trying to work on a ASA5505 that is preventing connection to a FTP server on the inside interface. I have gone through the config and config examples on the site, but I'm missing something.

The server is at 192.168.3.205 internally. There are static maps and access list entries for ftp, ftp-data, and a range of ports (41100-41110) that were configured for passive FTP connections. Still, whenever you attempt to connect from outside, it just times out.

Here is the config (IPs and such obscured obviously). Any suggestions would be well appreciated to get this thing working.

Thanks.

---

ASA5505 Config:

ASA Version 7.2(2)

!

hostname My-ASA

domain-name group.local

enable password xxxxxxxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.3.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 1.2.3.73 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxxxxxxx encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name group.local

same-security-traffic permit intra-interface

access-list 101 extended permit tcp any host 1.2.3.73 eq ftp-data

access-list 101 extended permit tcp any host 1.2.3.73 eq ftp

access-list 101 extended permit tcp any host 1.2.3.73 eq www

access-list 101 extended permit tcp any host 1.2.3.73 eq https

access-list 101 extended permit tcp any host 1.2.3.73 eq 5481

access-list 101 extended permit tcp any host 1.2.3.73 eq 23232

access-list 101 extended permit tcp any host 1.2.3.73 eq 24242

access-list 101 extended permit tcp any host 1.2.3.73 eq 41100

access-list 101 extended permit tcp any host 1.2.3.73 eq 41101

access-list 101 extended permit tcp any host 1.2.3.73 eq 41102

access-list 101 extended permit tcp any host 1.2.3.73 eq 41103

access-list 101 extended permit tcp any host 1.2.3.73 eq 41104

access-list 101 extended permit tcp any host 1.2.3.73 eq 41105

access-list 101 extended permit tcp any host 1.2.3.73 eq 41106

access-list 101 extended permit tcp any host 1.2.3.73 eq 41107

access-list 101 extended permit tcp any host 1.2.3.73 eq 41108

access-list 101 extended permit tcp any host 1.2.3.73 eq 41109

access-list 101 extended permit tcp any host 1.2.3.73 eq 41110

access-list 101 extended permit tcp any host 1.2.3.74 eq smtp

access-list 101 extended permit tcp any host 1.2.3.74 eq www

access-list 101 extended permit tcp any host 1.2.3.74 eq imap4

access-list 101 extended permit tcp any host 1.2.3.74 eq https

access-list 101 extended permit tcp any host 1.2.3.74 eq 993

access-list 101 extended permit tcp any host 1.2.3.74 eq 3389

access-list 101 extended permit tcp any host 1.2.3.75 eq ftp-data

access-list 101 extended permit tcp any host 1.2.3.75 eq ftp

access-list 101 extended permit tcp any host 1.2.3.75 eq ssh

access-list 101 extended permit tcp any host 1.2.3.75 eq www

access-list 101 extended permit tcp any host 1.2.3.75 eq https

access-list 101 extended permit tcp any host 1.2.3.76 eq www

access-list 101 extended permit tcp any host 1.2.3.76 eq https

access-list 101 extended permit tcp any host 1.2.3.77 eq www

access-list 101 extended permit tcp any host 1.2.3.77 eq https

access-list outside_cryptomap_20.20 extended permit ip any 192.168.133.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.133.0 255.255.255.0

access-list vpn_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn 192.168.133.10-192.168.133.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 1.2.3.74

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 1.2.3.73 ftp-data 192.168.3.205 ftp-data netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 ftp 192.168.3.205 ftp netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 www 192.168.3.210 www netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 https 192.168.3.199 https netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 5481 192.168.3.3 5481 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 23232 192.168.3.210 ssh netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 24242 192.168.3.199 ssh netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41100 192.168.3.205 41100 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41101 192.168.3.205 41101 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41102 192.168.3.205 41102 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41103 192.168.3.205 41103 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41104 192.168.3.205 41104 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41105 192.168.3.205 41105 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41106 192.168.3.205 41106 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41107 192.168.3.205 41107 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41108 192.168.3.205 41108 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41109 192.168.3.205 41109 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.73 41110 192.168.3.205 41110 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.74 smtp 192.168.3.1 smtp netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.74 www 192.168.3.1 www netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.74 imap4 192.168.3.1 imap4 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.74 https 192.168.3.1 https netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.74 993 192.168.3.1 993 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.74 3389 192.168.3.2 3389 netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.75 ftp-data 192.168.3.201 ftp-data netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.75 ftp 192.168.3.201 ftp netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.75 ssh 192.168.3.201 ssh netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.75 www 192.168.3.201 www netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.75 https 192.168.3.201 https netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.76 www 192.168.3.202 www netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.76 https 192.168.3.202 https netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.77 www 192.168.3.203 www netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.77 https 192.168.3.203 https netmask 255.255.255.255

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 1.2.3.78 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host 192.168.3.1

timeout 5

ldap-scope onelevel

group-policy vpn internal

group-policy vpn attributes

wins-server value 192.168.3.1

dns-server value 192.168.3.1

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn_splitTunnelAcl

default-domain value group.local

group-policy VPN-RA internal

username admin password xxxxxxxx encrypted privilege 15

username ra password xxxxxxxx encrypted

http server enable

http 192.168.3.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set raVPN esp-aes-256 esp-md5-hmac

crypto dynamic-map dyn1 1 match address outside_cryptomap_20.20

crypto dynamic-map dyn1 1 set transform-set raVPN

crypto dynamic-map dyn1 1 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 43200

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp nat-traversal 20

tunnel-group vpn type ipsec-ra

tunnel-group vpn general-attributes

address-pool vpn

default-group-policy vpn

tunnel-group vpn ipsec-attributes

pre-shared-key *

telnet 192.168.3.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.3.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:4458ffc7d53415403e1ce4b0b328325b

: end

Diego Armando Cambronero Arias · ‎02-11-2010

If for any reason that doesn't work try this

static (inside,outside) tcp 1.2.3.74 ftp-data 192.168.3.205 ftp-data netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.74 ftp 192.168.3.205 ftp netmask 255.255.255.255

access-list 101 extended permit tcp any host 1.2.3.74 eq ftp-data

access-list 101 extended permit tcp any host 1.2.3.74 eq ftp

Let me know

View solution in original post

Diego Armando Cambronero Arias · ‎02-11-2010

I would try this

policy-map global_policy

class inspection_default

Inspection ftp

Diego Armando Cambronero Arias · ‎02-11-2010

If for any reason that doesn't work try this

static (inside,outside) tcp 1.2.3.74 ftp-data 192.168.3.205 ftp-data netmask 255.255.255.255

static (inside,outside) tcp 1.2.3.74 ftp 192.168.3.205 ftp netmask 255.255.255.255

access-list 101 extended permit tcp any host 1.2.3.74 eq ftp-data

access-list 101 extended permit tcp any host 1.2.3.74 eq ftp

Let me know

jeremy.lebeau · ‎02-11-2010

Well, I think that worked. I took out the access-list rules and static maps to the .73 address and put them back in for the .74 and it worked.

Any suggestions why? Because outbound traffic is coming from the .74 address so it mismatches when the ftp server replies?

Thanks for the help.

Diego Armando Cambronero Arias · ‎02-11-2010

Yes. You are using .73 as inbound but your reply will go out

with the 74 that you are using in the global (Outside) Port forwarding is not bi.directionl but the

normal static is.

So If you have static (IN,OUT) X Y your inside server will be accessed with the X ip and it will go to the internet with th X as well.

If you have static (IN,OUT) tcp X 21 Y 21 this will work only for inbound connections, this way will use the global that you have configured in you case.

Thanks,