ASA 5520 FTP/FTP PASSIVE

vpancisco
Level 1

hello world

I'm trying to let inside users use the FTP protocols to reach outside servers,

but no matter what.

Could anyone help me find the way? Thanks!!!

5 Replies

Jennifer Halim
Cisco Employee

1) Does it use normal FTP, i.e. TCP/21 for the control connection?

2) When does the connection fail? Does authentication work (control connection) and the data connection fail, or do both fail?

3) Do you have "inspect ftp" configured on the global policy on the ASA?

4) Assuming you have an ACL on the inside interface, have you allowed TCP/21 through?

Thanks for your help.

From a wget ftp://xxxxxxx/xxxxx.tar.gz, PASV doesn't pass:

Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /xxxxxxx ... done.
==> SIZE xxxxx.tar.gz ... 6687842
==> PASV ... couldn't connect to xxxxxx port 55107: Connection timed out
Retrying.

I began to configure an inspection map, but no change...

Can you check the logs with "sh logg | i ip address" to see what is dropped?

It seems you are using passive mode.

I would suggest checking the interface ACL where the client is connected. And keep the "inspect ftp" in the policy map.

I hope it helps to move this forward.

PK

Nothing appears with the log command: sho log | ip xxx.xxx.xxx.xxx

with either the source or the destination address.

I created 2 policy rules matching FTP and FTP-DATA from my NIC.

I put accept in my NIC IN access list for FTP and FTP-DATA,

and nothing happens?? It still stops at the passive negotiation (PASV)...

If I open the range TCP 1024-65535 in my NIC IN access list, that's OK,

but I don't want it to be opened, because then I can't know the state of the connection, whether it's NEW, RELATED or ESTABLISHED.

Thanks for your interest.

Don't configure FTP inspection for both FTP control and FTP data. You should only configure FTP inspection for FTP control.

If you are using the standard FTP control port, i.e. TCP/21, then you do not need to configure any ACL to match the traffic. Just configure it under the default inspection.

After the above changes, please test again, and if it still doesn't work, please post the following:

sh run policy-map

sh run service-policy

sh service-policy

Also, what version of ASA are you running?
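The mechanism behind the advice in this thread, as an added example that is not code from the thread, from Cisco or from the ASA itself: "inspect ftp" watches the control channel on TCP/21, reads the server's 227 PASV reply, and opens a pinhole for exactly the one data port it advertises, so the interface ACL only needs to permit TCP/21 and the 1024-65535 range can stay closed. The inside client, the outside server and the 227 reply below are constructed for illustration, and the toy inspector's rule of only opening a hole toward the control-channel peer is this example's own sanity check, not a statement of the ASA's exact validation logic.

```python
"""Toy model of FTP passive-mode handling: static ACL vs control-channel inspection."""
import re
from dataclasses import dataclass, field

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\(\s*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*\)")


def parse_pasv(reply: str):
    """Return (ip, port) advertised by a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def acl_permit(acl, flow):
    """Static ACL as a list of (dst_or_None, low_port, high_port) permit entries."""
    return any((dst is None or dst == flow.dst) and lo <= flow.dport <= hi
               for dst, lo, hi in acl)


@dataclass
class FtpInspector:
    """Stands in for 'inspect ftp': pinholes opened from what it sees on TCP/21."""
    pinholes: set = field(default_factory=set)

    def on_control_message(self, client, server, line):
        target = parse_pasv(line)
        if target is None:
            return None
        ip, port = target
        # Sanity check of this toy only: open a hole toward the control peer,
        # never toward a third host named in the reply.
        if ip != server:
            return None
        hole = Flow(client, ip, port)
        self.pinholes.add(hole)
        return hole

    def permit(self, acl, flow):
        """A flow passes if the static ACL allows it or inspection opened a hole."""
        return acl_permit(acl, flow) or flow in self.pinholes


def demo():
    client, server = "10.1.1.10", "203.0.113.5"        # constructed addresses
    # Constructed 227 reply advertising port 215*256 + 67 = 55107
    reply = "227 Entering Passive Mode (203,0,113,5,215,67)"
    acl_21_only = [(None, 21, 21)]
    acl_wide_open = [(None, 21, 21), (None, 1024, 65535)]

    insp = FtpInspector()
    control = Flow(client, server, 21)
    hole = insp.on_control_message(client, server, reply)
    data = Flow(client, server, 55107)
    return {
        "control_acl_only": acl_permit(acl_21_only, control),   # True
        "data_acl_only": acl_permit(acl_21_only, data),         # False: the wget timeout
        "data_wide_open": acl_permit(acl_wide_open, data),      # True, but opens everything
        "data_with_inspect": insp.permit(acl_21_only, data),    # True via the pinhole
        "pinhole": hole,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "data_acl_only" result is the situation in the wget output above: the control connection on port 21 is permitted, the data connection to port 55107 is not, and nothing is logged for it as long as no inspection is watching the control channel. Opening 1024-65535 makes "data_wide_open" true but permits every ephemeral port; the pinhole keeps the ACL at TCP/21 and admits only the one port the server announced.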
