07-18-2010 08:37 PM - edited 03-11-2019 11:13 AM
Hi,
I am trying to get Passive Mode FTP working through our Firewall and for some reason we can only get Active Mode FTP to work!!!
We can only access the internal Host web1 on active mode FTP sessions!!
I have the following rules/policies set up and it is still not working.
ASA Version 8.2(1)
ftp mode passive
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp-data
policy-map global_policy
service-policy global_policy global
inspection default
inspect FTP
Any assistance would be greatly appreciated!!
Thanks, Simon
07-18-2010 09:14 PM
Hello,
Can you please check from your internal network to see if Passive FTP is
enabled on the server? If that checks out, then please make sure that you
have one-to-one NAT configured for the server IP.
Static (inside,dmz) any
Capture capin access-list cap interface inside
Capture capdmz access-list cap interface dmz
Once you run the test, then collect the output to see if the traffic is
passing through the firewall.
"show capture capin"
"show capture capdmz"
That should give us a fair idea of what is blocking the FTP traffic.
Hope this helps.
Regards,
NT
07-18-2010 09:29 PM
Hi NT,
We are running IIS 6.0 on this internal Windows Server. The firewall on the Windows IIS box is not enabled, which should in theory allow both Active & Passive FTP connections.
There is a static one-to-one NAT between the internal host and the outside with a public IP address!!
static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500
Will run captures shortly
SG
07-18-2010 09:34 PM
Also NT,
Some more info: when we try to connect from an external FTP client using Passive FTP, the connection is established and we can view the directories, but when we start the upload it transfers very slowly as the client cannot initiate the FTP data connection!!!
07-18-2010 09:45 PM
Hello,
If you are able to view the directories using passive FTP, the connection in
general is working fine. If the data transfer rate is very slow, then I
would suggest you start looking at the server (test the speed from behind
the firewall first) and then check for any MSS inconsistencies. Also, you
might want to check to see if there are any out-of-order drops.
"show service-policy" and "show asp drop" are the commands that could be
useful.
Hope this helps.
Regards,
NT
07-18-2010 09:52 PM
Hi Nt,
I am seeing no dropped packets when viewing the FTP policy (sh service-policy).
I am also getting hits on the ACL that is permitting FTP from outside!!
07-18-2010 10:08 PM
Hello,
Can you do a directory listing when you are connected to the FTP server via
passive FTP?
Regards,
NT
07-18-2010 11:06 PM
Hi NT,
Yes, this is possible!!
It is just that the transfer speed is really slow and the FTP client keeps responding with "data connection already open, transfer starting".
07-18-2010 11:14 PM
Hello,
Can you please post the output of "show asp drop" from the firewall?
Regards,
NT
07-18-2010 11:36 PM
07-19-2010 01:30 AM
07-19-2010 07:25 AM
Hello Simon,
The capture indicates that after the initial connection establishment, when
you try to store something, there is a delay in opening data connection. I
did not find any return traffic from the server side in the capture. I am
guessing that the delay is due to a delay in getting an
acknowledgement from the server side. The delay seems to be in terms of
seconds rather than milliseconds. So, the problem seems to be on the server
end (firewall cannot delay packets to the magnitude of seconds). I am
guessing that when you go to passive mode, the server is trying to allocate
the port and is getting delayed there. If possible, collect the capture on
the server side as well (bi-directional traffic). That could help us narrow
down on the root cause.
Regards,
NT
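To put a number on the "seconds rather than milliseconds" observation, it helps to time each control-channel command against the server's next reply, so a server-side stall on STOR stands out from normal PASV/LIST latency. The Python below is an added example (not from this thread, not a Cisco tool) that does that over a constructed control-channel transcript; the line format "HH:MM:SS.ffffff C:/S: text" and the timings are made up for illustration, and a real capture would first need to be decoded into this client/server form.

```python
import re
from datetime import datetime

# Constructed transcript of one passive upload: the PASV reply is quick,
# the reply to STOR takes several seconds. Format is an assumption.
SAMPLE_TRANSCRIPT = """
12:00:00.000000 C: PASV
12:00:00.050000 S: 227 Entering Passive Mode (203,0,113,10,4,1)
12:00:00.100000 C: STOR upload.bin
12:00:05.300000 S: 125 Data connection already open; Transfer starting.
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6})\s+([CS]):\s+(.*)$")


def parse_transcript(text):
    """Turn transcript lines into (timestamp, side, text) tuples.

    Lines that do not match the expected format are skipped rather than
    failing the whole run, since captures often contain noise.
    """
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        events.append((ts, m.group(2), m.group(3)))
    return events


def response_delays(events):
    """Pair each client command with the next server reply.

    Returns a list of (command, reply_code, seconds). Only the first reply
    after a command is timed; intermediate 1xx/2xx lines for the same
    command are ignored, which keeps the measurement to "how long until
    the server said anything".
    """
    delays = []
    pending = None
    for ts, side, text in events:
        if side == "C":
            pending = (ts, text)
        elif side == "S" and pending is not None:
            cmd_ts, cmd = pending
            delays.append((cmd, text[:3], (ts - cmd_ts).total_seconds()))
            pending = None
    return delays


def slow_responses(delays, threshold_seconds=1.0):
    """Return the commands whose reply took at least threshold_seconds.

    Anything in whole seconds on a LAN-adjacent server is a server-side
    symptom to chase (port allocation, name lookups, disk), not something
    a stateful firewall introduces by itself.
    """
    return [d for d in delays if d[2] >= threshold_seconds]


if __name__ == "__main__":
    delays = response_delays(parse_transcript(SAMPLE_TRANSCRIPT))
    for cmd, code, secs in delays:
        print("%-20s -> %s after %.3fs" % (cmd, code, secs))
    print("slow:", slow_responses(delays))
```

Comparing the same measurement taken on the inside and outside captures shows whether the delay is already present when the reply leaves the server, which is the point NT is making about where to look next.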