2222 Views, 0 Helpful, 4 Replies

ASA 5505 Blocking FTP

john-little, Level 1

Hello, I am new to the site so hello to everyone. Unfortunately I am also relatively new to firewalls and could do with some help. I am working on an ASA5505 and am trying to open the FTP port. I have a server (192.168.10.202) on the local LAN which is attempting to download antivirus updates from the net via FTP.

I have attached the config and would greatly appreciate any help I can get. Thanks.

: Saved
:
ASA Version 8.3(2)
!
hostname SITE
enable password XXXXXX
passwd XXXXXX
names
name 255.255.255.255 Gateway
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.5.170.134 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone PGT 10
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 202.5.191.130
 name-server 202.5.191.160
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.10.201
 host 192.168.10.201
object service RDP
 service tcp source eq 3389 destination eq 3389
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network canberra
 subnet 10.10.0.0 255.255.0.0
object network Gateway
 host 202.5.170.133
object network goroka-rdp
 host 192.168.10.201
object network Canberra_DMZ
 subnet 192.168.2.0 255.255.255.0
object network melbourne
 subnet 10.0.0.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object Canberra_DMZ
 network-object object canberra
 network-object object melbourne
object-group service DM_INLINE_SERVICE_1
 service-object object RDP
 service-object tcp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq smtp
 service-object udp destination eq domain
 service-object udp destination eq nameserver
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object object RDP
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq domain
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_3
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq ntp
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
object-group service DM_INLINE_SERVICE_4
 service-object tcp destination eq domain
 service-object udp destination eq domain
 service-object udp destination eq nameserver
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object NETWORK_OBJ_192.168.10.0_24 any log inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 192.168.10.207 any log
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 host 192.168.10.4 any log
access-list inside_access_in extended permit tcp object NETWORK_OBJ_192.168.10.0_24 host 119.225.105.52 eq https log
access-list inside_access_in extended permit udp object NETWORK_OBJ_192.168.10.0_24 any eq ntp log
access-list outside_access_in extended permit tcp any host 192.168.10.201 eq 3389
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object NETWORK_OBJ_192.168.10.0_24 log inactive
!
tcp-map WSOptions
  tcp-options range 24 31 allow
!
pager lines 24
logging enable
logging asdm notifications
flow-export destination inside 192.168.10.207 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static canberra canberra
!
object network goroka-rdp
 nat (inside,outside) static interface service tcp 3389 3389
!
nat (inside,outside) after-auto source dynamic NETWORK_OBJ_192.168.10.0_24 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 240
http 192.168.10.0 255.255.255.0 inside
http 119.225.35.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 119.225.35.38
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 240
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 150.203.1.10 source outside
webvpn
username
tunnel-group 119.225.35.38 type ipsec-l2l
tunnel-group 119.225.35.38 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 15 retry 5
!
class-map WSOptions-class
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map WSOptions
 class WSOptions-class
  set connection advanced-options WSOptions
policy-map global_policy
 class WSOptions-class
  set connection advanced-options WSOptions
 class class-default
  flow-export event-type all destination 192.168.10.207
!
service-policy global_policy global
prompt hostname context
hpm topN enable
Cryptochecksum:
: end

Accepted Solution

Hello John,

It is a pleasure to help.

Please mark the question as answered for future users with similar issues.

Have a great night.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


4 Replies

Julio Carvajal, VIP Alumni

Hello John,

Can you add the following line on the ACL:

access-list inside_access_in line 1 permit tcp any any eq ftp

Then can you provide the following output for me:

show run policy-map

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
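Why the posted inside_access_in never matches the server: the first two entries, the only broad ones, are marked inactive, and the remaining four are scoped to 192.168.10.207, 192.168.10.4, a single HTTPS destination and NTP, so a TCP/21 connection from 192.168.10.202 falls through to the implicit deny at the end of the list. The following Python is an added example, not code from this thread or from Cisco: it parses the ACL lines exactly as posted, applies the ASA's first-match semantics with inactive entries skipped, and then re-evaluates after inserting a narrower variant of the suggested line, scoped to the one host that needs FTP. The update server address 203.0.113.10 and the Python representation of the objects and groups are assumptions; the RDP object's source-port qualifier is not modelled.

```python
"""Evaluate the posted inside_access_in ACL the way the ASA does: first match wins,
'inactive' entries are skipped, and an unmatched flow hits the implicit deny."""
import ipaddress

# Service names the ASA accepts in 'eq' clauses (only those used on this page)
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53, "www": 80, "https": 443,
              "smtp": 25, "nameserver": 42, "ntp": 123, "citrix-ica": 1494}

# Objects and groups transcribed from the posted config (assumed representation).
# The RDP object also carries 'source eq 3389'; source ports are not modelled here.
NET_OBJECTS = {
    "obj_any": ipaddress.ip_network("0.0.0.0/0"),
    "NETWORK_OBJ_192.168.10.0_24": ipaddress.ip_network("192.168.10.0/24"),
}
PROTO_GROUPS = {"DM_INLINE_PROTOCOL_1": ["ip", "icmp", "tcp"]}
SVC_GROUPS = {
    "DM_INLINE_SERVICE_1": [("tcp", 3389), ("tcp", "domain"), ("tcp", "www"),
                            ("tcp", "smtp"), ("udp", "domain"), ("udp", "nameserver"),
                            ("tcp", "citrix-ica"), ("tcp", "https")],
    "DM_INLINE_SERVICE_3": [("tcp", "www"), ("tcp", "https"), ("udp", "ntp"),
                            ("tcp", "ftp"), ("tcp", "ftp-data")],
    "DM_INLINE_SERVICE_4": [("tcp", "domain"), ("udp", "domain"), ("udp", "nameserver")],
}

# The inside ACL exactly as posted in the question
ACL = """
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object NETWORK_OBJ_192.168.10.0_24 any log inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 192.168.10.207 any log
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 host 192.168.10.4 any log
access-list inside_access_in extended permit tcp object NETWORK_OBJ_192.168.10.0_24 host 119.225.105.52 eq https log
access-list inside_access_in extended permit udp object NETWORK_OBJ_192.168.10.0_24 any eq ntp log
"""

# Narrower variant of the suggested line: only the update server, not 'any any'
FIX = "access-list inside_access_in line 1 extended permit tcp host 192.168.10.202 any eq ftp"


def _addr(tok, i):
    """Consume one address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "object":
        return NET_OBJECTS[tok[i + 1]], i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2   # address + netmask


def parse_ace(tok):
    """tok: tokens of one 'access-list NAME [extended] ACTION ...' line ('line N' removed)."""
    i = 3 if tok[2] == "extended" else 2
    action, i = tok[i], i + 1
    if tok[i] == "object-group":
        name, i = tok[i + 1], i + 2
        services = ([(p, None) for p in PROTO_GROUPS[name]] if name in PROTO_GROUPS
                    else list(SVC_GROUPS[name]))
    else:
        services, i = [(tok[i], None)], i + 1
    src, i = _addr(tok, i)
    dst, i = _addr(tok, i)
    rest = tok[i:]
    if "eq" in rest:                                   # single-protocol line with a port
        services = [(p, rest[rest.index("eq") + 1]) for p, _ in services]
    return {"action": action, "services": services, "src": src, "dst": dst,
            "inactive": "inactive" in rest, "text": " ".join(tok)}


def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        pos = None
        if tok[2] == "line":                           # 'line N' inserts at position N
            pos, tok = int(tok[3]) - 1, tok[:2] + tok[4:]
        aces.insert(len(aces) if pos is None else pos, parse_ace(tok))
    return aces


def _port(p):
    return PORT_NAMES[p] if isinstance(p, str) and p in PORT_NAMES else int(p)


def ace_matches(ace, proto, src_ip, dst_ip, dport):
    if ace["inactive"]:                                # kept in the config, never consulted
        return False
    if ipaddress.ip_address(src_ip) not in ace["src"]:
        return False
    if ipaddress.ip_address(dst_ip) not in ace["dst"]:
        return False
    return any((sp == "ip" or sp == proto) and (port is None or _port(port) == dport)
               for sp, port in ace["services"])


def decide(aces, proto, src_ip, dst_ip, dport):
    """Return (action, matching line) using first-match semantics."""
    for ace in aces:
        if ace_matches(ace, proto, src_ip, dst_ip, dport):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of ACL"


if __name__ == "__main__":
    # Constructed flow: the server in the question reaching an illustrative update host
    flow = ("tcp", "192.168.10.202", "203.0.113.10", 21)
    print(decide(parse_acl(ACL), *flow))
    print(decide(parse_acl(ACL + FIX), *flow))
```

Run stand-alone it prints the implicit deny for the posted ACL and the inserted permit once FIX is in place. Scoping the permit to host 192.168.10.202 rather than `any any` keeps the per-host style the rest of the ACL already uses; on the box, `show access-list inside_access_in` shows hit counts for the same decision.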

fb_webuser, Level 6

Hello John,

Try this:

Add access list to allow inbound ftp traffic and ftp data traffic:

access-list ftp_access line 1 permit tcp any host 192.168.10.202 eq ftp
access-list ftp_access line 2 permit tcp any host 192.168.10.202 eq ftp-data
access-group ftp_access in interface outside

Create object groups to define hosts:

object network Translated_IP
 host (IP address to which you need to translate)
object network local_lan_server
 host 192.168.10.202

Configure manual NAT (real object first, then the mapped object):

nat (inside,outside) source static local_lan_server Translated_IP

Configure ftp inspect:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

Hope this helps

---

Posted by WebUser Sooraj Prasad
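The reply above adds `inspect ftp`, and the posted global_policy indeed has no inspection_default class and no FTP inspection at all (only the WSOptions and flow-export classes). `ftp mode passive` affects only the ASA's own FTP client, so the server's download depends on the inspector reading the control channel and opening the data connection on whatever port the far end announces. The following Python is an added illustration, not ASA code: it decodes PASV replies and PORT commands from a constructed control-channel transcript and computes the data-channel pinhole the inspector has to open. The transcript, the update server address 203.0.113.10, and the check that the advertised address matches the control-channel peer are assumptions made for the example, not a description of ASA internals.

```python
"""Derive the data-channel pinhole an FTP inspector must open from the control channel.
The port is picked at run time by the server (PASV) or the client (PORT), which is why
no static ACL entry can cover the data connection and an inspector is needed."""
import re

_PASV = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_PORT = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> (host, port); None if any field exceeds one byte."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(groups[:4]), nums[4] * 256 + nums[5]


def data_pinhole(client_ip, server_ip, line):
    """Return (src_ip, dst_ip, dst_port, mode) for the data connection implied by one
    control-channel line, or None if the line opens no data channel or advertises a
    third-party address (assumed sanity check for this example)."""
    m = _PASV.match(line)
    if m:
        decoded = _decode(m.groups())
        if decoded and decoded[0] == server_ip:
            return (client_ip, server_ip, decoded[1], "passive")   # client connects out to server
        return None
    m = _PORT.match(line)
    if m:
        decoded = _decode(m.groups())
        if decoded and decoded[0] == client_ip:
            return (server_ip, client_ip, decoded[1], "active")    # server connects back to client
        return None
    return None


def session_pinholes(client_ip, server_ip, transcript):
    """Walk a control-channel transcript and collect every pinhole that must be opened."""
    holes = []
    for line in transcript.strip().splitlines():
        hole = data_pinhole(client_ip, server_ip, line)
        if hole:
            holes.append(hole)
    return holes


# Constructed transcript of the update download in the question: 192.168.10.202 talking
# to an illustrative update server at 203.0.113.10, as the inspector would see it.
TRANSCRIPT = """
220 update server ready
USER anonymous
331 Please specify the password.
PASS guest@
230 Login successful.
PASV
227 Entering Passive Mode (203,0,113,10,195,80).
RETR daily.def
150 Opening BINARY mode data connection.
226 Transfer complete.
PASV
227 Entering Passive Mode (10,0,0,5,0,22).
QUIT
"""

if __name__ == "__main__":
    for hole in session_pinholes("192.168.10.202", "203.0.113.10", TRANSCRIPT):
        print(hole)
```

The first passive reply yields a pinhole from 192.168.10.202 to 203.0.113.10 on TCP/50000 (195 * 256 + 80), a port no ACL entry could have listed in advance. The second reply points the client at 10.0.0.5:22, a third party, and is rejected; that is the kind of server-dictated redirection an inspector should refuse to open a hole for.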

Thanks both of you guys for the responses. I actually used ASDM to add a network object and then added a rule and it appears to be working...my antivirus updates are as we speak downloading to my server.

Again really appreciate you guys helping out.

John
