Unanswered Question
May 7th, 2010

Hello world,

I'm trying to let users inside use FTP protocols on outside servers,

but no matter.

Can anyone help me find the way? Thanks!!!

Jennifer Halim Fri, 05/07/2010 - 02:49

1) Does it use normal FTP ie: TCP/21 for control connection?

2) When does the connection fail? Does authentication (the control connection) work and the data connection fail, or do both fail?

3) Do you have "inspect ftp" configured on the global policy on the ASA?

4) Assuming you have ACL on the inside interface, have you allowed TCP/21 through?

vpancisco Fri, 05/07/2010 - 04:59

Thanks for your help.

From a wget ftp://xxxxxxx/xxxxx.tar.gz, PASV doesn't pass:

Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /xxxxxxx ... done.
==> SIZE xxxxx.tar.gz ... 6687842
==> PASV ... couldn't connect to xxxxxx port 55107: Connection timed out

I began to configure an inspection map, but no change...

Panos Kampanakis Fri, 05/07/2010 - 08:08

Can you check the logs "sh logg | i ip address" to see what is dropped?

It seems you are using passive mode.

I would suggest checking the interface ACL where the client is connected to. And keep the "inspect ftp" in the policy map.

I hope it helps to move this forward.


vpancisco Mon, 05/10/2010 - 01:17

Nothing appears with the log command: sho log | ip

with either the source or destination address.

I created 2 policy rules matching FTP and FTP-DATA from my NIC.

I put accept in my NIC IN ACCESS LIST for FTP and FTP-DATA,

and nothing happens?? It still stops at the passive negotiation (PASV)...

If I open the range TCP 1024-65535 in my NIC IN ACCESS LIST, that's OK,

but I don't want it opened, because then I can't know the state of the connection, whether it's NEW, RELATED or ESTABLISHED.

Thanks for your interest.

Jennifer Halim Mon, 05/10/2010 - 01:48

Don't configure FTP inspection for both FTP control and FTP data. You should only configure FTP inspection for FTP control.

If you are using the standard FTP control port, i.e. TCP/21, then you do not need to configure any ACL to match the traffic. Just configure it under the default inspection.

After the above changes, please test again, and if it still doesn't work, please post the following:

sh run policy-map

sh run service-policy

sh service-policy

Also, what version of ASA are you running?
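The configuration the replies above describe, written out as an added example (not posted by anyone in this thread): the inside ACL permits only the FTP control channel, and "inspect ftp" stays in the default global policy so the ASA opens the passive-mode data port dynamically instead of a static TCP 1024-65535 permit. The 10.1.1.0/24 inside network and the INSIDE_IN ACL name are assumed placeholders.

```cisco
! Inside interface ACL: allow only the FTP control connection (TCP/21) out.
! No permit for TCP 1024-65535 is needed: FTP inspection reads the PASV
! reply on the control channel and opens the negotiated data port itself.
! 10.1.1.0/24 is an assumed inside subnet for this example.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Keep "inspect ftp" under the default inspection class only.
! Do not add a second class matching ftp-data (TCP/20); inspection applies
! to the control connection, and the data connection is handled from it.
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
!
! Verification: the inspect ftp counters under "show service-policy" should
! increase while a client runs a passive-mode transfer.
show run policy-map
show run service-policy
show service-policy
```

If the PASV data connection still times out with this in place, the explicit deny with "log" on the ACL makes the dropped data-port attempt show up in "show logging", which answers the earlier question of what is being dropped.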
