Can not connect to Cerberus FTP Server with PASV

Unanswered Question
May 2nd, 2012

I set up an FTP server and I can connect from the inside fine, but from the outside I cannot connect in passive mode. I can in regular FTP or SSH.

Here is the log from FileZilla:

Status:          Resolving address of domain.com
Status:          Connecting to ExternalIP:990...
Status:          Connection established, initializing TLS...
Status:          Verifying certificate...
Status:          TLS/SSL connection established, waiting for welcome message...
Response:          220-220-Welcome to Cerberus FTP Server
Response:          220 220 Created by Cerberus, LLC
Command:          USER test
Response:          331 User test, password please
Command:          PASS ***********
Response:          230 Password Ok, User logged in
Command:          CLNT FileZilla
Response:          200 Command okay
Command:          OPTS UTF8 ON
Response:          220 UTF8 support on
Command:          PBSZ 0
Response:          200 PBSZ=0
Command:          PROT P
Response:          200 PROT P OK, data channel will be secured
Status:          Connected
Status:          Retrieving directory listing...
Command:          PWD
Response:          257 "/" is the current directory
Command:          TYPE I
Response:          200 Type Binary
Command:          PASV
Response:          227 Entering Passive Mode (external IP,195,83)
Command:          MLSD
Error:          Connection timed out
Error:          Failed to retrieve directory listing

Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(4)
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group att
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service FTP_PASV_Ports tcp
description Passive Ports
port-object range 35000 35999
object-group service FTPS tcp
description FTPS
port-object eq 990
access-list outside_access_in extended permit tcp any any object-group RDP
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in remark passive FTP port range
access-list outside_access_in extended permit tcp any host server object-group FTP_PASV_Ports
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any object-group FTPS
access-list outside_access_in extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface https server https netmask 255.255.255.255
static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface ftp server ftp netmask 255.255.255.255
static (inside,outside) tcp interface ssh server ssh netmask 255.255.255.255
static (inside,outside) tcp interface 990 server 990 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data server ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group att request dialout pppoe
vpdn group att localname @static.sbcglobal.net
vpdn group att ppp authentication pap
vpdn username @static.sbcglobal.net password *********
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password rcuFiQnIXLd encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ecb5356a2f5e680b
: end

I am programming the router with ASDM, so if you could tell me what I need to do from the GUI to fix this.

mayrojas Wed, 05/02/2012 - 19:52

Dan,

Looking at the output,

Status:          Resolving address of domain.com
Status:          Connecting to ExternalIP:990...
Status:          Connection established, initializing TLS...
Status:          Verifying certificate...
Status:          TLS/SSL connection established, waiting for welcome message...

This looks like FTPS, which is not supported on the ASA. You can work around it by trying to connect using Active mode from the outside instead of PASV.

You can find more info here:

https://supportforums.cisco.com/docs/DOC-23206

Mike

valcon5455 Mon, 05/07/2012 - 09:49

I opened ftp-data port 20 and have the same issue even if I set up the FileZilla client to connect via active mode. Any other suggestions? I can only connect to regular FTP or SSH, but I would like to connect via FTPS.

mayrojas Mon, 05/07/2012 - 16:33

Can you place a capture on the server itself when trying to connect on active mode?

Mike

valcon5455 Tue, 05/08/2012 - 08:50

What should I put in the capture filter, or should I capture everything?

mayrojas Tue, 05/08/2012 - 08:55

Dan,

Port 20 between the server and client will do it.

Mike

Posted May 2, 2012 at 1:37 PM