07-13-2010 05:37 AM - edited 03-11-2019 11:10 AM
Ok....I'm feeling a little less intelligent every day. So I am struggling trying to figure out why I'm unable to assign rules on my ASA
that will allow me to FTP from the DMZ side of my ASA to the Inside. Let me explain my situation.
ASA 5520
Inside interface - security level 100
Outside Interface - security level 0
DMZ - security level 40
I am trying to initiate an FTP request from the DMZ side of the firewall to the Inside. I am using a Passive FTP type. Here is what
i've done to this point.
I have declared a static nat translation for the destination workstation (the one on the inside). I've actually opened up the DMZ ACL to allow my DMZ
subnet to permit IP any to any. This, I would think, should take care of any inbound FTP attempt. I have also allowed on the inside ACL for the inside workstation to talk to the DMZ subnet via IP. So basically this is what it looks like:
INSIDE DMZ
X -------------------------------------<>-------------------------------------X
10.10.10.100 ASA 192.168.1.200
static (INSIDE,DMZ) 192.168.253.10 10.10.10.100 netmask 255.255.255.255
I initiate my FTP and point it to the 192.168.253.10 address so that it goes to 10.10.10.100. From the log, it seems like the workstation is receiving
the first SYN packet with a destination of port 21, but unfortunately.....I can't get it to do anything past that. It's building connections coming inbound, but for some reason it will not allow me to see the folders or whatnot on 10.10.10.100.
I'm assuming this is all I pretty much need for FTP as long as my access lists are allowing both ways, which they should be. If someone can explain
what I'm missing, I'd greatly appreciate it. I'm not quite sure what I'm missing, but it's about to give me an aneurysm!
Thanks in advance,
07-13-2010 05:39 AM
those 192.168.253.x's are supposed to be 192.168.1.x's......sorry...mistyped.
07-13-2010 06:24 AM
Can you enable ftp inspection under the global policy map and see if it works?
To summarize, you need to open port 21 on DMZ, the static translation along with the inspection for passive FTP.
Or open all ports from dmz and the static translation for passive FTP.
I hope it helps.
PK
07-13-2010 06:49 AM
Hello,
Your symptoms indicate that the firewall is not participating in the FTP communication between the DMZ source and the inside destination. So, the firewall does not know the dynamic ports negotiated between those two devices. So, when you issue "dir" command on the DMZ side, the DMZ client tries to open a data channel but the firewall will block it. In order to fix it, as Pkampana said, you need to enable inspect FTP.
Issue the policy-map global_policy command.
ASAwAIP-CLI(config)#policy-map global_policy
Issue the class inspection_default command.
ASAwAIP-CLI(config-pmap)#class inspection_default
Issue the inspect FTP command.
ASAwAIP-CLI(config-pmap-c)#inspect FTP
ASAwAIP-CLI(config)#service-policy global_policy global
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml
Hope this helps.
Regards,
NT
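The point NT makes above is that without inspection the firewall never sees the data port negotiated on the control channel. The following Python model of that inspection step is an added example, not code from the thread or from Cisco: it parses the PASV/EPSV/PORT lines, derives the one data connection the firewall would have to permit, and rewrites the embedded server address using the poster's static translation (assumed here to be the corrected 192.168.1.10 for 10.10.10.100); the control-channel lines are constructed samples.

```python
import re

# Static NAT from the thread (corrected to 192.168.1.x per the follow-up):
# inside server 10.10.10.100 is reachable from the DMZ as 192.168.1.10.
# Assumption: a one-to-one mapping of real address -> translated address.
STATIC_NAT = {"10.10.10.100": "192.168.1.10"}

# Constructed control-channel lines, not captured from the thread.
PASV_REPLY = "227 Entering Passive Mode (10,10,10,100,195,80)\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)\r\n"
PORT_CMD = "PORT 192,168,1,200,6,53\r\n"

_PASV = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)


def _host_port(groups):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def pinhole(line, client_ip, server_ip, nat=STATIC_NAT):
    """Model of what 'inspect ftp' learns from one control-channel line.
    Returns (initiator_ip, listener_ip, listener_port) for the data
    connection the firewall must permit, or None for any other line."""
    m = _PASV.match(line)
    if m:  # passive mode: server listens, client connects to it
        ip, port = _host_port(m.groups())
        # the embedded address is the server's real one; the DMZ client
        # can only reach the translated address, so present that instead
        return client_ip, nat.get(ip, ip), port
    m = _EPSV.match(line)
    if m:  # EPSV carries only a port; the address is the control peer
        return client_ip, nat.get(server_ip, server_ip), int(m.group(1))
    m = _PORT.match(line)
    if m:  # active mode: client listens, server connects from port 20
        ip, port = _host_port(m.groups())
        return server_ip, ip, port
    return None
```

Feed the lines of a real control session through `pinhole` and you get exactly the per-session data-channel entries that `inspect ftp` adds on the ASA; without them the "dir" data connection has no matching permit.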
07-13-2010 07:08 AM
I'm afraid it's already on
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class IPS-class
ips promiscuous fail-open
!
service-policy global_policy global
07-13-2010 07:24 AM
Hello,
Let us try to figure out where it is getting blocked. Can you put the
following captures on the firewall and get us the outputs?
Access-list cap permit ip host
Capture capin access-list cap interface inside
Capture capdmz access-list cap interface dmz
Once you configure above lines, run the test. Then collect the output of
"show capture capin" and "show capture capdmz". That should give us a good
idea of what is happening.
Regards,
NT
07-13-2010 08:14 AM
Ok...got your captures ran and this was my return information:
Results from Show capture capin
1: 02:33:25.407037 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153469170(0) win 64512
2: 02:33:28.313704 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153469170(0) win 64512
3: 02:33:34.329435 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153469170(0) win 64512
3 packets shown
Results from Show capture capdmz
1: 02:33:25.406793 192.168.1.200.1588 > 192.168.1.10.21: S 3428421332:3428421332(0) win 64512
2: 02:33:28.313643 192.168.1.200.1588 > 192.168.1.10.21: S 3428421332:3428421332(0) win 64512
3: 02:33:34.329374 192.168.1.200.1588 > 192.168.1.10.21: S 3428421332:3428421332(0) win 64512
3 packets shown
07-13-2010 08:35 AM
Hello,
OK, from the captures I see that we are seeing unidirectional traffic. Nothing is coming back from the server. It could be due to two issues. One, the server is listening on a different port. Second, the default gateway of the server is different than the firewall. Can you please verify the default gateway of the server and also make sure that the server is listening on port 21 (Check the firewall on the server as well).
Hope this helps.
Regards,
NT
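NT's reading of the captures (repeated SYNs, nothing back, so look at the server rather than the firewall) can be automated. This Python triage is an added example, not from the thread or from Cisco: it parses "show capture" lines in the format shown above, groups them per client flow, and reports whether the server ever answered; CAPIN is the poster's capin output, and HEALTHY is a constructed handshake for contrast.

```python
import re
from collections import defaultdict

# Poster's "show capture capin" output (control channel, SYNs only).
CAPIN = """
1: 02:33:25.407037 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153469170(0) win 64512
2: 02:33:28.313704 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153469170(0) win 64512
3: 02:33:34.329435 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153469170(0) win 64512
"""
# Constructed capture (not from the thread) of a completed handshake.
HEALTHY = """
1: 02:40:01.000001 192.168.1.200.1601 > 10.10.10.100.21: S 100:100(0) win 64512
2: 02:40:01.000400 10.10.10.100.21 > 192.168.1.200.1601: S 900:900(0) ack 101 win 8192
3: 02:40:01.000800 192.168.1.200.1601 > 10.10.10.100.21: . ack 901 win 64512
"""

CAPTURE_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SFPR.]+)(?P<rest>.*)$")


def parse(text):
    """Yield one dict per TCP packet line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if m:
            p = m.groupdict()
            p["ack"] = " ack " in p["rest"]
            yield p


def triage(text, server_port=21):
    """Map each client->server flow to a verdict about the server's replies."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "reply": 0})
    for p in parse(text):
        if p["dport"] == str(server_port):        # client -> server
            key = (p["src"], p["sport"], p["dst"])
            if "S" in p["flags"] and not p["ack"]:
                flows[key]["syn"] += 1
        elif p["sport"] == str(server_port):      # server -> client
            key = (p["dst"], p["dport"], p["src"])
            flows[key]["reply"] += 1
            if "S" in p["flags"] and p["ack"]:
                flows[key]["synack"] += 1
    verdicts = {}
    for (client, cport, server), c in flows.items():
        if c["reply"] == 0:
            v = f"unidirectional: {c['syn']} SYN(s), nothing back from {server}"
        elif c["synack"] == 0:
            v = "server answered without SYN-ACK (reset or refused)"
        else:
            v = "handshake seen"
        verdicts[f"{client}:{cport}->{server}:{server_port}"] = v
    return verdicts
```

A "unidirectional" verdict on the inside-interface capture means the SYN left the firewall toward the server, which points at the host (listening port, host firewall, default gateway) rather than at the ASA rules.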
07-13-2010 09:37 AM
Ok....got it figured out. You're awesome NT. Thanks for holding my hand through the troubleshooting. I think I'm going to go ahead and hang myself from the nearest tree though as my stupidity is obviously taking over my brain.
Turns out, my Windows firewall on my workstation got turned on and was blocking the FTP request. Ya, I know....I should probably be banned from the forum out of sheer embarrassment.
Sorry for taking up your time, but I don't think I would have been able to figure it out without your troubleshooting methods. Thanks again to each of you that posted.
07-13-2010 09:55 AM
Hello,
Glad that the issue is fixed. It does happen to all of us sometimes. We do
miss out things that are trivial :).
Regards,
NT