03-11-2014 06:47 AM - edited 03-11-2019 08:55 PM
I inherited an issue on a production firewall, pertaining to a new FTP rule they put in. The config is a bit out of order from what I’d normally do, I’m guessing due to being put in by GUI and not CLI. Here is what is pertaining to the FTP, I believe:
object network XXXXX
host In.ter.nal.IP
Creating the FTP service group:
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
Granting Server access to the service:
access-list INTERNET extended permit tcp any object XXXXX object-group DM_INLINE_TCP_1
Creating a 1:1 NAT for Server:
object network XXXXX
nat (inside,outside) static Ex.ter.nal.IP
And granting the INTERNET access list access to the outside connection:
access-group INTERNET in interface outside
Then the parts pertaining to passive FTP are here:
policy-map global_policy
class inspection_default
inspect ftp
ftp mode passive
So I can hit it active, but not passive. Passive fails to connect the data stream on whatever port it requests it from. Suggestions?
03-11-2014 07:50 AM
The command "ftp mode passive" doesn't relate to your problem. It's for the ASA being the FTP-client.
In the service-object-group, you don't need ftp-data. With a correct config, the data-port will be allowed dynamically.
So, why doesn't it work? My first assumption would be that you have not applied the policy-map to the ASA:
service-policy global_policy global
03-11-2014 08:27 AM
service-policy global_policy global is in there, sadly. Sorry, I should have posted that as well...
I'm unfamiliar with what ftp-data even does; I've never used it before.
My other thought is that I have this:
access-group INTERNET in interface outside
but no inbound listed of any kind. Typically, this firewall was mainly used for web servers, so I'm thinking there is the potential that no inbound was ever configured. Then again, I can get in on Active FTP.
The interfaces show this:
interface Ethernet0/0
description Internet Interface
nameif outside
security-level 0
ip address Ex.ter.nal.IP 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address In.ter.nal.IP 255.255.255.0
Thoughts?
Am I on the right track?
03-11-2014 09:55 AM
03-11-2014 10:17 AM
Right now, I only have the config to work with, but both passive and active work inside the firewall, so it's not a server issue.
I feel like maybe it is the service group DM_INLINE_TCP_1. As you said, ftp-data is not needed, so we could feasibly ditch the object group altogether and instead do a line like:
access-list INTERNET permit tcp any object SERVERNAME eq ftp
03-12-2014 12:46 AM
> access-list INTERNET permit tcp any object SERVERNAME eq ftp
yes, that's all that is needed for access-control to the server.
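To make concrete what the two answers above mean by "the data-port will be allowed dynamically" (and why only the control port 21 needs to be in the ACL), here is an added Python model, written for this reply and not Cisco's code or anything from the original posts, of what the ASA's FTP inspection does with the server's 227 PASV reply as it crosses the 1:1 static NAT: it computes the data port, rewrites the embedded inside address to the mapped address, and opens a pinhole for exactly that destination. The two IP addresses are constructed placeholders standing in for In.ter.nal.IP and Ex.ter.nal.IP.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses; the thread only shows In.ter.nal.IP / Ex.ter.nal.IP.
INTERNAL_IP = "10.0.0.25"      # assumed inside address of the FTP server (object XXXXX)
EXTERNAL_IP = "203.0.113.25"   # assumed mapped address from 'nat (inside,outside) static'
STATIC_NAT = {INTERNAL_IP: EXTERNAL_IP}

# RFC 959 reply the server sends to PASV: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Pinhole:
    """A dynamically permitted flow: any client -> dst_ip:dst_port/tcp."""
    dst_ip: str
    dst_port: int


def parse_pasv(reply: str) -> Optional[tuple[str, int]]:
    """Extract (ip, port) from a 227 reply; None if it is not well formed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    if any(v > 255 for v in f):
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def inspect_pasv(reply: str, inspect_ftp: bool) -> tuple[str, Optional[Pinhole]]:
    """Model 'inspect ftp' acting on a server 227 reply that crosses the static NAT.
    With inspection, the embedded inside IP is rewritten to the mapped IP and a pinhole
    for the data port is opened; without effective inspection the client receives the
    raw reply (private IP, no pinhole), which matches 'active works, passive does not'."""
    parsed = parse_pasv(reply)
    if not inspect_ftp or parsed is None:
        return reply, None
    ip, port = parsed
    mapped = STATIC_NAT.get(ip, ip)
    rewritten = reply.replace(ip.replace(".", ","), mapped.replace(".", ","), 1)
    return rewritten, Pinhole(mapped, port)


if __name__ == "__main__":
    sample = "227 Entering Passive Mode (10,0,0,25,195,149)\r\n"  # constructed server reply
    for flag in (True, False):
        out, hole = inspect_pasv(sample, inspect_ftp=flag)
        print(f"inspect ftp={flag}: client sees {out.strip()!r}; pinhole={hole}")
```

Run it and compare the two lines: with inspection the client is told to connect to the mapped address on port 50069 and that flow is permitted; without it the client is handed the inside address and nothing beyond port 21 is open.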
03-12-2014 06:57 AM
OK, so I deleted the DM_INLINE_TCP_1 from the ACL, removed the service group, then added:
access-list INTERNET permit tcp any object SERVERNAME eq ftp
Same result as before, I can get in active, but not passive. I'm really stumped...
They are running version 8.4 (2); are there known issues with FTP?
Additionally, they want to run SSL for the username and password, but not for the data connection...any thoughts on that?