FTP

Answered Question
Posted February 11, 2011 at 7:26 AM

I am trying to NAT my FTP to the outside. I can't get to that IP. Am I missing something? I have FTP allowed in access rules.

For NAT:

static NAT
  inside - the internal IP
  outside - the external IP

I can ping the server from the firewall internally. What else can I do to test?

Paul Gilbert Arias Fri, 02/11/2011 - 08:17

Are you trying a static NAT for your FTP server?

For example:

FTP server 192.168.1.10
NATed IP 66.12.66.10

static (inside,outside) 66.12.66.10 192.168.1.10

Is that what you are trying?

Paul Gilbert Arias Fri, 02/11/2011 - 08:52

If you have a similar static NAT it seems correct. Are there any ACLs on the inside interface that could prevent the traffic from going out? Is the NATed IP in your range of outside IPs?

If you can send the config it would be great.

Paul Gilbert Arias Fri, 02/11/2011 - 11:32

Thanks for the config. If you are trying to allow FTP traffic from the outside to the inside it won't work, since you are denying the traffic in the first two lines of your access-list outside_access_in.

Is this the test you are trying: FTP to the SGA_Website_NAT address, coming from the outside?

Lewis_Cipher Fri, 02/11/2011 - 12:39

Hey Paul,

The deny is on purpose; until I can get it to work I have it on deny. Yes, the NAT is SGA_Website_NAT. It is called website because we got rid of that and I changed the NAT for our FTP server now. I can get to the website internally, but not externally, when I try the NAT IP address on the outside...

Paul Gilbert Arias Fri, 02/11/2011 - 12:44

Do you see hit counts on the ACL after the testing? If there are no hit counts, that means the traffic is not getting to your ASA.

Paul Gilbert Arias Fri, 02/11/2011 - 13:29

Does your FTP server have a default gateway? It should be your ASA, 10.1.101.1. Make sure the FTP service is up.

Lewis_Cipher Mon, 02/14/2011 - 08:48

I can get to the FTP internally, and I can ping the FTP from the ASA. I can't get the external IP to hit the internal via the internet. This one is bugging me. I run a packet trace from the external IP to the ASA and the packet succeeds. The gateway of the FTP is the ASA IP. The services are running because I can get to the FTP site in the DMZ zone. Any other ideas?

Paul Gilbert Arias Mon, 02/14/2011 - 08:54

Do you have any other filtering device, such as an IPS?

We could set some captures on the ASA inside interface to see if the packet returns to the ASA and how it returns.

Lewis_Cipher Mon, 02/14/2011 - 09:07

I am getting a failure when packet tracing from the ASA to the FTP server on the inside interface. Do I need to allow this internally? Any less secure networks are allowed IP...

Paul Gilbert Arias Mon, 02/14/2011 - 12:59

If the traffic is coming from outside to inside you just need the ACLs on the outside. Also make sure you have inspect ftp in your policy map.

Paul Gilbert Arias Tue, 02/15/2011 - 07:25

Yes, for example:

policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
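
Putting the pieces discussed so far together (static NAT, an outside ACL that permits the traffic, and FTP inspection), here is a complete pre-8.3 ASA configuration for publishing an inside FTP server, followed by the commands that verify each piece. This is an added example, not the poster's configuration. It reuses the addresses from Paul's earlier example (server 192.168.1.10 behind mapped 66.12.66.10), assumes the interface names inside and outside and the ACL name outside_access_in mentioned in the thread, and uses 203.0.113.5 as an assumed outside test client.

```cisco
! Added example, not from the thread. Pre-8.3 syntax (static ...), where the
! outside ACL must match the MAPPED (public) address.
! Assumed: interfaces "inside"/"outside", ACL outside_access_in,
! server 192.168.1.10, mapped IP 66.12.66.10, test client 203.0.113.5.

! 1. One-to-one static NAT: public 66.12.66.10 <-> server 192.168.1.10
static (inside,outside) 66.12.66.10 192.168.1.10 netmask 255.255.255.255

! 2. Inbound ACL on the outside interface. Permit only the control channel
!    (tcp/21). Data-channel pinholes are opened dynamically by the FTP
!    inspection engine, so no 20/tcp or high-port range is opened here.
access-list outside_access_in extended permit tcp any host 66.12.66.10 eq ftp
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside

! 3. FTP inspection in the global policy. Plain NAT only rewrites IP headers;
!    the server's PASV (227) reply carries its private address inside the
!    payload, and inspection is what rewrites that to the mapped address and
!    opens the negotiated data port.
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! 4. Verification. Simulate the outside client opening the control channel;
!    the trace ends in "Action: allow" only if NAT, ACL and inspection all match.
packet-tracer input outside tcp 203.0.113.5 40000 66.12.66.10 21

! ACL hit counts confirm the traffic reaches the ASA at all; xlate and conn
! confirm the translation and the control session exist after a real test.
show access-list outside_access_in
show xlate | include 192.168.1.10
show conn | include 192.168.1.10
show service-policy inspect ftp
```

On ASA 8.3 and later the NAT is written as object NAT instead (an `object network` for the server with `nat (inside,outside) static 66.12.66.10`), and the outside ACL must then reference the real address 192.168.1.10 rather than the mapped one; copying the pre-8.3 ACL onto an 8.3+ box is a common reason the permit line never gets a hit.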

Lewis_Cipher Wed, 02/16/2011 - 06:59

The inspect ftp command is not working; can I just add it through the GUI interface?

Paul Gilbert Arias Wed, 02/16/2011 - 07:04

What do you mean, it is not working? Is it not configured?

If it is not configured then you can add it by CLI or GUI under the global policy.

Lewis_Cipher Wed, 02/16/2011 - 09:39

Reply: 220 Microsoft FTP Service
Command: CLNT http://ftptest.net on behalf of 63.61.x.x
Reply: 500 'CLNT http://ftptest.net on behalf of 63.61.x.x': command not understood
Command: USER anonymous
Reply: 331 access allowed, send identity (e-mail name) as password.
Command: PASS **********************
Reply: 230 user logged in.
Command: SYST
Reply: 215 Windows_NT
Command: FEAT
Reply: 211-FEAT
Reply: SIZE
Error: FEAT response lines must begin with a single space character

Error when typing in the command for FTP....

The first two lines work but the last one, "inspect ftp", does not work...

Correct Answer
Paul Gilbert Arias Wed, 02/16/2011 - 19:34

I don't think the problem is with the inspect. The FTP FEAT command is entered successfully but the responses are not. You can check show service-policy and see if the inspect ftp has drops:

ASA-1# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 672, drop 0, reset-drop 0

Lewis_Cipher Fri, 02/18/2011 - 05:51

I can get to where I go to the external address and I get a login box. However, when I type in the password it times out now. Looking at the log on the FTP server, the account is logging in.

Lewis_Cipher Mon, 02/14/2011 - 12:54

I am checking to see if the router is open to FTP... I will post back in a few.

Lewis_Cipher Wed, 02/16/2011 - 06:40

On the FTP test I get this error:

Error: FEAT response lines must begin with a single space character

Lewis_Cipher Thu, 02/17/2011 - 11:30

I can get HTTP to work from the same server. There must be something blocking the FTP. Do I need to open more ports for FTP? The packet trace is not helping. I am going to try to use the packet capture to see if that helps.

mayrojas Fri, 02/18/2011 - 21:13

Excellent idea.

How far do you get when you try to FTP to your server? If you get the login prompt and the password just times out, we may need 2 things in order to sort this out:

- logs from the connection
- packet capture
- show service-policy

If you can get the login prompt but the password times out, I don't think it is a problem with the inspection, since the inspection takes place only when there is a file transfer about to begin.

Please feel free to gather that information; if you like you can send it as a private message to Paul and me. I think he would like to check those packet captures as much as I do.

Cheers.....

Mike
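
For the two diagnostics requested in the thread (the inspection drop counters in the correct answer above, and the packet captures Mike asks for), here is an added capture procedure, not from the thread, that records the FTP control channel on both sides of the ASA so the 211-FEAT and 227 PASV replies can be compared before and after NAT and inspection. Addresses are again Paul's example ones (server 192.168.1.10, mapped 66.12.66.10); interface names inside/outside and the TFTP server 198.51.100.20 are assumptions.

```cisco
! Added example, not from the thread. Assumed: interfaces inside/outside,
! server 192.168.1.10 mapped to 66.12.66.10, TFTP server 198.51.100.20.

! Control channel as the server sees it (real IP, before NAT/inspection on
! the return path).
capture ftp_in interface inside match tcp host 192.168.1.10 eq 21 any
! The same session as the outside client sees it (mapped IP, after inspection).
capture ftp_out interface outside match tcp host 66.12.66.10 eq 21 any

! ... now reproduce the client test (connect, USER/PASS, SYST, FEAT) ...

! Inspection counters first: a non-zero "drop" or "reset-drop" here means the
! inspection engine, not the ACL, is discarding control-channel packets.
show service-policy inspect ftp

! Packet summaries show whether the server's replies even leave the ASA.
show capture ftp_in
show capture ftp_out

! The hex/ASCII dump shows the payload. Look for the multi-line 211-FEAT reply:
! feature lines should start with a single space (" SIZE") on the inside; if
! the outside copy is altered or absent, the ASA is changing or dropping it.
! Likewise a 227 reply must carry 192.168.1.10 on the inside but 66.12.66.10
! on the outside, which is the rewrite "inspect ftp" is responsible for.
show capture ftp_in dump
show capture ftp_out dump

! Export both captures for Wireshark, then remove them from the box.
copy /pcap capture:ftp_in tftp://198.51.100.20/ftp_in.pcap
copy /pcap capture:ftp_out tftp://198.51.100.20/ftp_out.pcap
no capture ftp_in
no capture ftp_out
```

If TFTP is not available, the same pcap can be fetched from ASDM or from the URL https://<asa-management-ip>/admin/capture/ftp_in/pcap. Keep the captures short-lived: a capture on a busy interface fills its default buffer quickly and stops recording without warning.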
