
ASA 5505 Blocking FTP

Answered Question
Nov 29th, 2011

Hello, I am new to the site so hello to everyone. Unfortunately I am also relatively new to firewalls and could do with some help. I am working on an ASA5505 and am trying to open the ftp port. I have a server (192.168.10.202) on the local LAN which is attempting to download antivirus updates from the net via ftp.


I have attached the config and would greatly appreciate any help I can get. Thanks.




: Saved
:
ASA Version 8.3(2)
!
hostname SITE
enable password XXXXXX
passwd XXXXXX
names
name 255.255.255.255 Gateway
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.5.170.134 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone PGT 10
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 202.5.191.130
 name-server 202.5.191.160
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.10.201
 host 192.168.10.201
object service RDP
 service tcp source eq 3389 destination eq 3389
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network canberra
 subnet 10.10.0.0 255.255.0.0
object network Gateway
 host 202.5.170.133
object network goroka-rdp
 host 192.168.10.201
object network Canberra_DMZ
 subnet 192.168.2.0 255.255.255.0
object network melbourne
 subnet 10.0.0.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object Canberra_DMZ
 network-object object canberra
 network-object object melbourne
object-group service DM_INLINE_SERVICE_1
 service-object object RDP
 service-object tcp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq smtp
 service-object udp destination eq domain
 service-object udp destination eq nameserver
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object object RDP
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq domain
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_3
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq ntp
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
object-group service DM_INLINE_SERVICE_4
 service-object tcp destination eq domain
 service-object udp destination eq domain
 service-object udp destination eq nameserver
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object NETWORK_OBJ_192.168.10.0_24 any log inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 192.168.10.207 any log
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 host 192.168.10.4 any log
access-list inside_access_in extended permit tcp object NETWORK_OBJ_192.168.10.0_24 host 119.225.105.52 eq https log
access-list inside_access_in extended permit udp object NETWORK_OBJ_192.168.10.0_24 any eq ntp log
access-list outside_access_in extended permit tcp any host 192.168.10.201 eq 3389
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object NETWORK_OBJ_192.168.10.0_24 log inactive
!
tcp-map WSOptions
  tcp-options range 24 31 allow
!
pager lines 24
logging enable
logging asdm notifications
flow-export destination inside 192.168.10.207 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static canberra canberra
!
object network goroka-rdp
 nat (inside,outside) static interface service tcp 3389 3389
!
nat (inside,outside) after-auto source dynamic NETWORK_OBJ_192.168.10.0_24 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 240
http 192.168.10.0 255.255.255.0 inside
http 119.225.35.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 119.225.35.38
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 240
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 150.203.1.10 source outside
webvpn
username
tunnel-group 119.225.35.38 type ipsec-l2l
tunnel-group 119.225.35.38 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 15 retry 5
!
class-map WSOptions-class
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map WSOptions
 class WSOptions-class
  set connection advanced-options WSOptions
policy-map global_policy
 class WSOptions-class
  set connection advanced-options WSOptions
 class class-default
  flow-export event-type all destination 192.168.10.207
!
service-policy global_policy global
prompt hostname context
hpm topN enable
Cryptochecksum:
: end
asdm image disk0:/asdm-633.bin
no asdm history enable



Julio Carvajal Tue, 11/29/2011 - 18:20

Hello John,


Can you add the following line on the ACL:

access-list inside_access_in line 1 permit tcp any any eq ftp


Then can you provide the following output for me:


Show run policy-map.


Regards,



Julio
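Added example, not part of the thread or of any Cisco tool: a small first-match evaluator over the inside_access_in ACL from the posted config. It flattens the object and object-group definitions the ACL references, parses each access-list line (including `object-group`, `eq`, `inactive` and the `line N` positioning keyword), and then tests the server's outbound FTP control connection before and after the line Julio suggests. The vendor address 203.0.113.10 is a constructed stand-in.

```python
"""First-match evaluation of the posted inside_access_in ACL (added example)."""
import ipaddress

# Port names that appear in the posted config.
PORT = {"ftp": 21, "ftp-data": 20, "domain": 53, "www": 80, "https": 443,
        "smtp": 25, "nameserver": 42, "citrix-ica": 1494, "ntp": 123}

# object network entries the ACL references, flattened to prefixes.
NETWORKS = {"NETWORK_OBJ_192.168.10.0_24": ["192.168.10.0/24"]}

# object-group protocol entries.
PROTOCOL_GROUPS = {"DM_INLINE_PROTOCOL_1": ["ip", "icmp", "tcp"]}

# object-group service entries as (protocol, source port, destination port);
# None means any port. "service-object object RDP" is tcp 3389 -> 3389.
SERVICE_GROUPS = {
    "DM_INLINE_SERVICE_1": [("tcp", 3389, 3389), ("tcp", None, 53), ("tcp", None, 80),
                            ("tcp", None, 25), ("udp", None, 53), ("udp", None, 42),
                            ("tcp", None, 1494), ("tcp", None, 443)],
    "DM_INLINE_SERVICE_3": [("tcp", None, 80), ("tcp", None, 443), ("udp", None, 123),
                            ("tcp", None, 21), ("tcp", None, 20)],
    "DM_INLINE_SERVICE_4": [("tcp", None, 53), ("udp", None, 53), ("udp", None, 42)],
}

# The inside_access_in lines from the posted config, verbatim.
POSTED_LINES = """\
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object NETWORK_OBJ_192.168.10.0_24 any log inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 192.168.10.207 any log
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 host 192.168.10.4 any log
access-list inside_access_in extended permit tcp object NETWORK_OBJ_192.168.10.0_24 host 119.225.105.52 eq https log
access-list inside_access_in extended permit udp object NETWORK_OBJ_192.168.10.0_24 any eq ntp log
"""

# The line Julio suggests adding, as written in his reply.
SUGGESTED_LINE = "access-list inside_access_in line 1 permit tcp any any eq ftp\n"


def parse_address(tokens, i):
    """Parse one source/destination spec; return (networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object":
        return [ipaddress.ip_network(n) for n in NETWORKS[tokens[i + 1]]], i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2  # "A.B.C.D MASK" form


def parse_ace(line):
    """Parse one access-list line into a dict (action, services, src, dst, inactive, position)."""
    tokens = line.split()
    act = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    position = int(tokens[tokens.index("line") + 1]) - 1 if "line" in tokens[:act] else None
    i = act + 1
    if tokens[i] == "object-group":
        name, i = tokens[i + 1], i + 2
        if name in PROTOCOL_GROUPS:
            services = [(p, None, None) for p in PROTOCOL_GROUPS[name]]
        else:
            services = list(SERVICE_GROUPS[name])
    else:
        services, i = [(tokens[i], None, None)], i + 1
    src, i = parse_address(tokens, i)
    dst, i = parse_address(tokens, i)
    if i < len(tokens) and tokens[i] == "eq":  # destination port on a plain-protocol ACE
        port = PORT.get(tokens[i + 1]) or int(tokens[i + 1])
        services = [(p, s, port) for p, s, _ in services]
        i += 2
    return {"action": tokens[act], "services": services, "src": src, "dst": dst,
            "inactive": "inactive" in tokens[i:], "position": position}


def load_acl(text):
    """Build the ordered ACL; a 'line N' entry is inserted at that position."""
    acl = []
    for line in text.splitlines():
        if line.strip():
            ace = parse_ace(line)
            acl.insert(len(acl) if ace["position"] is None else ace["position"], ace)
    return acl


def evaluate(acl, proto, src_ip, dst_ip, dst_port, src_port=49152):
    """First match wins; no match falls through to the implicit deny.
    src_port defaults to an ephemeral port, as a client-initiated connection uses."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["inactive"]:  # present in the config but skipped during evaluation
            continue
        if not any(src_ip in n for n in ace["src"]) or not any(dst_ip in n for n in ace["dst"]):
            continue
        for p, sport, dport in ace["services"]:
            if p in ("ip", proto) and dport in (None, dst_port) and sport in (None, src_port):
                return ace["action"]
    return "deny"


POSTED_ACL = load_acl(POSTED_LINES)
FIXED_ACL = load_acl(POSTED_LINES + SUGGESTED_LINE)

if __name__ == "__main__":
    server, ftp_site = "192.168.10.202", "203.0.113.10"  # constructed vendor address
    print("posted config, .202 ftp control  :", evaluate(POSTED_ACL, "tcp", server, ftp_site, 21))
    print("posted config, .207 ftp control  :", evaluate(POSTED_ACL, "tcp", "192.168.10.207", ftp_site, 21))
    print("with suggested line, ftp control :", evaluate(FIXED_ACL, "tcp", server, ftp_site, 21))
    print("with suggested line, passive data:", evaluate(FIXED_ACL, "tcp", server, ftp_site, 50000))
```

Run as a script it shows why the server is blocked: the two subnet-wide permits are `inactive`, and the only line that allows ftp applies to host 192.168.10.207, so 192.168.10.202 falls to the implicit deny. The suggested line fixes the control connection. The last check shows the remaining gap: the passive-mode data connection to a high port is still denied by the ACL, and the posted global_policy has no `inspect ftp` class, so the ASA is not inspecting the control channel to open that data connection itself.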

fb_webuser Wed, 11/30/2011 - 08:58

Hello John,


Try this:


Add access list to allow inbound ftp traffic and ftp data traffic:

access-list ftp_access line 1 permit tcp any host 192.168.10.202 eq ftp
access-list ftp_access line 2 permit tcp any host 192.168.10.202 eq ftp-data

access-group ftp_access in interface outside

Create object groups to define hosts:

object network Translated_IP
 host (Ip address to which you need to translate)
object network local_lan_server
 host 192.168.10.202

Configure manual NAT:

nat (inside,outside) source static Translated_IP local_lan_server

Configure ftp inspect:

policy-map global_policy
 class inspection_default
  inspect ftp

service-policy global_policy global


Hope this helps


---

Posted by WebUser Sooraj Prasad

john-little Wed, 11/30/2011 - 17:08

Thanks both of you guys for the responses. I actually used ASDM to add a network object and then added a rule and it appears to be working...my antivirus updates are as we speak downloading to my server.


Again really appreciate you guys helping out.


John

Correct Answer
Julio Carvajal Wed, 11/30/2011 - 17:22

Hello John,


It is a pleasure to help.


Please mark the question as answered for future users with similar issues.


Have a great night.


Julio
