ASA 5510 not working passive FTP, Active works, help!

dustin.kinn · ‎03-11-2014

I inherited an issue on a production firewall, pertaining to a new FTP rule they put in. The config is a bit out of order from what I’d normally do, I’m guessing due to being put in by GUI and not CLI. Here is what is pertaining to the FTP, I believe:

object network XXXXX

host In.ter.nal.IP

Creating the FTP service group:

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

Granting Server access to the service:

access-list INTERNET extended permit tcp any object XXXXX object-group DM_INLINE_TCP_1

Creating a 1:1 NAT for Server:

object network XXXXX

nat (inside,outside) static Ex.ter.nal.IP

And granting the INTERNET access list access to the outside connection:

access-group INTERNET in interface outside

Then the parts pertaining to passive FTP are here:

policy-map global_policy

class inspection_default

inspect ftp

ftp mode passive

So I can hit it active, but not passive. Passive fails to connect the data stream on whatever port it requests it from. Suggestions?

Karsten Iwen · ‎03-11-2014

The command "ftp mode passive" doesn't relate to your problem. It's for the ASA being the FTP-client.

In the service-object-group, you don't need ftp-data. With a correct config, the data-port will be allowed dynamically.

So, why doesn't it work. My first assumption would be that you have not applied the policy-map to the ASA:

service-policy global_policy global

dustin.kinn · ‎03-11-2014

service-policy global_policy global is in there, sadly. Sorry, I should have posted that as well...

I'm unfamiliar with what ftp-data even does; I've never used it before.

My other thought is that I have this:

access-group INTERNET in interface outside

but no inbound listed of any kind. Typically, this firewall was mainly used for web servers, so I'm thinking there is the potential that no inbound was ever configured. Then again, I can get in on Active FTP.

The interfaces show this:

interface Ethernet0/0
description Internet Interface
nameif outside
security-level 0
ip address Ex.ter.nal.IP 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address In.ter.nal.IP 255.255.255.0

Thoughts?

Am I on the right track?

Karsten Iwen · ‎03-11-2014

what is the output of "sh service-policy inspect ftp"?
Is passive FTP working when the client is also on the inside?

dustin.kinn · ‎03-11-2014

Right now, I only have the config to work with, but both passive and active work inside the firewall, so it's not a server issue.

I feel like maybe it is the service group DM_INLINE_TCP_1. As you said, ftp-data is not needed, so we could feesably ditch the object group all together and instead do a line like:

access-list INTERNET permit tcp any object SERVERNAME eq ftp

Karsten Iwen · ‎03-12-2014

> access-list INTERNET permit tcp any object SERVERNAME eq ftp

yes, that's all that is needed for access-control to the server.

dustin.kinn · ‎03-12-2014

OK, so I deleted the DM_INLINE_TCP_1 from the ACL, removed the service group, then added:

access-list INTERNET permit tcp any object SERVERNAME eq ftp

Same result as before, I can get in active, but not passive. I'm really stumped...

They are running version 8.4 (2), are there known issues with FTP?

Additionally, they want to run SSL for the username and password, but not for the data connection...any thoughts on that?