Community Member

ASA 5520 FTP/FTP PASSIF

Hello world,

I'm trying to let users inside use FTP protocols on outside servers,

but no matter what I try, it does not work.

Could anyone help me find the way? Thanks!!!

5 REPLIES
Cisco Employee

Re: ASA 5520 FTP/FTP PASSIF

1) Does it use normal FTP ie: TCP/21 for control connection?

2) When does the connection fail? Does authentication work (control connection) and the data connection fail, or do both fail?

3) Do you have "inspect ftp" configured on the global policy on the ASA?

4) Assuming you have ACL on the inside interface, have you allowed TCP/21 through?

Community Member

Re: ASA 5520 FTP/FTP PASSIF

Thanks for your help.

From a wget ftp://xxxxxxx/xxxxx.tar.gz, PASV doesn't pass:

Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /xxxxxxx ... done.
==> SIZE xxxxx.tar.gz ... 6687842
==> PASV ... couldn't connect to xxxxxx port 55107: Connection timed out
Retrying.

I began to configure an inspection map but no change ...

Cisco Employee

Re: ASA 5520 FTP/FTP PASSIF

Can you check the logs "sh logg | i ip address" to see what is dropped?

It seems you are using passive mode.

I would suggest checking the interface ACL where the client is connected, and keep the "inspect ftp" in the policy map.

I hope it helps to move this forward.

PK

Community Member

Re: ASA 5520 FTP/FTP PASSIF

Nothing appears with the log command: sho log | ip xxx.xxx.xxx.xxx

with either the source or destination address.

I created 2 policy rules matching FTP and FTP-DATA from my NIC.

I put accept in my NIC IN access list for FTP and FTP-DATA,

and nothing happens?? It still stops at passive negotiation (PASV) ...

If I open the range TCP 1024-65535 in my NIC IN access list, that's OK,

but I don't want it to be opened, since then I can't know the state of the connection, whether it's NEW, RELATED or ESTABLISHED.

Thanks for your interest.

Cisco Employee

Re: ASA 5520 FTP/FTP PASSIF

Don't configure FTP inspection for both FTP control and FTP data. You should only configure FTP inspection for FTP control.

If you are using the standard FTP control port, ie: TCP/21, then you do not need to configure any ACL to match the traffic. Just configure it under the default inspection.

After the above changes, please test again, and if it still doesn't work, please post the following:

sh run policy-map

sh run service-policy

sh service-policy

Also, what version of ASA are you running?
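As an added illustration of the last reply (example code, not from the thread or from Cisco): a small Python model of what "inspect ftp" does for passive mode. It parses the server's 227 reply on the control channel (TCP/21) and derives the exact data-connection tuple, so only that one connection is permitted instead of a static 1024-65535 hole in the inside ACL. The server address and replies are constructed; the port 55107 is the one from the wget output above.

```python
import re

# Constructed FTP control-channel replies (not from the thread's capture).
# 215*256 + 67 = 55107, the data port wget tried to reach in the post above.
CONTROL_REPLIES = [
    "220 ftp.example.test FTP server ready",
    "230 Anonymous access granted",
    "227 Entering Passive Mode (203,0,113,10,215,67)",
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply, or None for any other reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection_allowed(control_replies, data_dst, acl_allows_port, inspect_ftp):
    """Decide whether the client -> server PASV data connection passes the inside ACL.

    control_replies: server replies seen on the TCP/21 control connection.
    data_dst:        (host, port) the client connects to for the data channel.
    acl_allows_port: the static ACL, as a predicate over destination TCP port.
    inspect_ftp:     True when the control channel is inspected, so a pinhole
                     for exactly the negotiated (host, port) is opened.
    """
    if acl_allows_port(data_dst[1]):
        return True   # static ACL already permits it (e.g. the 1024-65535 range)
    if not inspect_ftp:
        return False  # nobody parsed the 227 reply, so no pinhole: connection times out
    pinholes = {p for p in map(parse_pasv, control_replies) if p}
    return data_dst in pinholes


if __name__ == "__main__":
    only_tcp21 = lambda port: port == 21
    target = ("203.0.113.10", 55107)
    print("without inspection:", data_connection_allowed(CONTROL_REPLIES, target, only_tcp21, False))
    print("with inspection:   ", data_connection_allowed(CONTROL_REPLIES, target, only_tcp21, True))
```

With only TCP/21 in the ACL the data connection is dropped unless inspection opened the pinhole, and the pinhole admits only the negotiated host and port, which is the state tracking the poster was missing with a wide-open port range.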
