FTP issue

Unanswered Question
Sep 1st, 2010

I have a server on a DMZ that can FTP a file using the web browser, and you can connect to the FTP server via the command line. However, when one of the developers tries to use a script to transfer the file it does not work. Additionally, when you connect to the FTP server via the command line and try to run the ls command you receive an error message saying "500 illegal port".

I know that FTP is allowed on the firewall and FTP is part of the default global inspection policy. It looks like this is a PASV vs active issue. However, in Windows it does not allow you to switch to passive mode.

Other than opening up all high-level ports for this connection, does anyone have a suggestion on what, if anything, I can do on the firewall?

thank you

praprama Wed, 09/01/2010 - 07:37

Hey,

Could you provide details as to where is the client located with respect to the ASA and also IP address details of the ASA and the server along with the current ASA config (with altered IP addresses if needed)? We can go through that and see if we notice anything wrong on the ASA.

Thanks and Regards,

Prapanch

lkadlik Wed, 09/01/2010 - 08:33

The client is on the dmz and can connect to the ftp server via the command line and transfer the file using a browser.

a.b.c.f is the ftp server

a.b.c.g is the client

The relevant parts of the config are as follows:

:
ASA Version 8.0(3)
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.0 standby a.b.c.e
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.30.2 255.255.255.0 standby 10.20.30.3
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.1
 description LAN Failover Interface
 vlan 28
!
interface GigabitEthernet0/2.2
 description STATE Failover Interface
 vlan 29
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.50.2 255.255.255.0 standby 192.168.50.3
!
interface Management0/0
 shutdown
 nameif managment
 security-level 100
 no ip address
!
same-security-traffic permit inter-interface
object-group network FTP
 network-object host a.b.c.f
object-group service FTP_service
 service-object tcp eq ftp-data
 service-object tcp eq ftp
 service-object tcp range 5500 5700
access-list acl_Inside extended deny object-group Anonymous any object-group BlackList
access-list acl_Inside extended deny ip a.b.c.0 255.255.255.0 any
access-list acl_Inside extended deny ip 192.168.50.0 255.255.255.0 any
access-list acl_Inside extended deny ip host 255.255.255.255 any
access-list acl_Inside extended deny ip 127.0.0.0 255.0.0.0 any
access-list acl_Inside extended permit ip any any
access-list acl_DMZ extended permit tcp host 192.168.50.51 host 192.168.50.180 eq smtp
access-list acl_DMZ extended permit tcp host 192.168.50.54 host 192.168.50.180 eq smtp
access-list acl_DMZ extended permit tcp host 192.168.50.54 host 192.168.50.246 eq smtp
access-list acl_DMZ extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_DMZ extended permit ip 192.168.50.0 255.255.255.0 any
access-list acl_Outside extended permit object-group FTP_service any object-group FTP
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu managment 1500
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
static (inside,outside) a.b.c.f 10.20.30.55 netmask 255.255.255.255
static (inside,outside) a.b.c.g 10.20.25.102 netmask 255.255.255.255
access-group acl_Outside in interface outside
access-group acl_Inside in interface inside
access-group acl_DMZ in interface dmz
!
!
policy-map Global_Policy
 description Global Policy for Traffic Inspection
 class Inspection_Default
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect ipsec-pass-thru
  inspect mgcp
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect http
!
service-policy Global_Policy global
prompt hostname context
Cryptochecksum:fd174eacd4f91d6b5b3ef484f5365abe
: end
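As an added illustration, not code from the thread, here is a small Python model of what the firewall sees in active (PORT) versus passive (PASV) FTP, and why a client behind static NAT gets "500 Illegal PORT" when the address embedded in its PORT command is not rewritten on the way through. 203.0.113.6 and 203.0.113.7 are constructed stand-ins for a.b.c.f and a.b.c.g; the 10.x addresses are the ones in the posted static lines, and the server-side check is the common FTP server rule rather than anything confirmed about this particular server.

```python
import re

# Constructed stand-ins for the two static NAT lines in the posted config:
#   static (inside,outside) a.b.c.f 10.20.30.55   (FTP server)
#   static (inside,outside) a.b.c.g 10.20.25.102  (client)
# 203.0.113.x is a documentation range used here in place of a.b.c.x.
STATIC_NAT = {"10.20.30.55": "203.0.113.6", "10.20.25.102": "203.0.113.7"}

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 PASV reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def encode_port_cmd(ip, port):
    """Build a PORT command for the given client address and data port."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def server_port_reply(port_cmd, control_peer_ip):
    """The sanity check most FTP servers apply to PORT: the embedded address
    must equal the control connection's peer and the port must be >= 1024,
    otherwise the server answers 500 and ls/get in active mode fails."""
    ip, port = decode_hostport(port_cmd)
    if ip != control_peer_ip or port < 1024:
        return "500 Illegal PORT command."
    return "200 PORT command successful."

def inspect_ftp_rewrite(port_cmd):
    """What a NAT firewall's FTP inspection (ASA 'inspect ftp') does to a
    PORT command crossing a static translation: the embedded private address
    is replaced by its public mapping so the server's check passes."""
    ip, port = decode_hostport(port_cmd)
    return encode_port_cmd(STATIC_NAT.get(ip, ip), port)

def data_pinhole(mode, control_msg, client_ip, server_ip):
    """Return (src, dst, dst_port) of the data connection the firewall has to
    permit: in active mode the server connects back to the client's PORT
    address, in passive mode the client connects to the server's 227 port."""
    ip, port = decode_hostport(control_msg)
    if mode == "active":
        return (server_ip, ip, port)
    return (client_ip, ip, port)
```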

praprama Wed, 09/01/2010 - 08:40

Hi,

You have mentioned that both the client and the server are on the DMZ. But in the config I see the below 2 static commands redirecting a.b.c.f (server) and a.b.c.g (client) to the inside interface.

static (inside,outside) a.b.c.f 10.20.30.55 netmask 255.255.255.255

static (inside,outside) a.b.c.g 10.20.25.102 netmask 255.255.255.255

I am not quite sure about the topology yet. Could you clarify things a little bit more here?

Regards,

Prapanch

lkadlik Wed, 09/01/2010 - 14:47

It looks like this might be a Barracuda issue. Thank you for taking the time to respond to me.
