ASA 9.1 - Passive FTP

Network.Support
Level 1

ASA 5525

Version 9.1(2)

We have an FTP server on which I've set the passive ports to a specific range (10000-11000). When the FTP server hands the packet off to the ASA, the PASV reply gives the local address and a port within the range specified. The ASA hands the packet out with the public address (a good thing) and changes the port to a random one > 1024 (a bad thing).

E.g. (IPs changed, all else as seen in the capture):

(ingress packet) from FTP server into ASA, giving out port 10022 - good

35          1.051115   192.168.1.225      75.252.75.231          FTP          101          Response: 227 Entering Passive Mode (192,168,1,225,39,38)

(egress packet) PASV reply rewritten to show the public IP, and the port changed to 16185 - bad

36          1.051176       4.4.4.165      75.252.75.231          FTP          104          Response: 227 Entering Passive Mode (4,4,4,165,63,57).

Is it possible to change the FTP inspection so that it will leave the port as is instead of choosing a random one? For various reasons, I need to NAT the other high ports differently.

Thanks,
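The two capture lines above encode the advertised port in the last two octets of the 227 reply (p1*256 + p2), which is the only way to see that 39,38 is 10022 and 63,57 is 16185. The following is an added example, not code from the original thread or from Cisco: a small parser that decodes RFC 959 PASV replies from a text export of the inside and outside captures and reports whether the firewall rewrote the address, the port, or both, and whether the rewritten port fell outside the configured passive range. The function names, the capture-line layout, and the sample lines (built from the two replies quoted in the post) are all assumptions for illustration.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Port is p1 * 256 + p2; the reply is ASCII text in the control channel,
# which is exactly what "inspect ftp" parses and rewrites under NAT.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Hypothetical tshark-style text line: "<no> <time> <src> <dst> FTP <len> Response: ..."
CAPTURE_LINE_RE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+FTP\s+\d+\s+(Response: .*)$"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o < 0 or o > 255 for o in octets):  # reject malformed tuples
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def extract_pasv_replies(capture_lines):
    """Pull (frame_no, src_ip, advertised_ip, advertised_port) from a text capture."""
    found = []
    for line in capture_lines:
        m = CAPTURE_LINE_RE.match(line)
        if not m:
            continue
        parsed = parse_pasv(m.group(5))
        if parsed is None:
            continue
        found.append((int(m.group(1)), m.group(3), parsed[0], parsed[1]))
    return found


def check_rewrite(inside_reply, outside_reply, pasv_range):
    """Compare the server-side and client-side copies of one PASV reply.

    inside_reply  - 227 text as captured on the inside interface
    outside_reply - 227 text as captured on the outside interface
    pasv_range    - (low, high) passive port range configured on the server
    """
    lo, hi = pasv_range
    inside = parse_pasv(inside_reply)
    outside = parse_pasv(outside_reply)
    if inside is None or outside is None:
        raise ValueError("both inputs must be 227 PASV replies")
    return {
        "inside": inside,
        "outside": outside,
        "addr_rewritten": inside[0] != outside[0],
        "port_rewritten": inside[1] != outside[1],
        "inside_in_range": lo <= inside[1] <= hi,
        "outside_in_range": lo <= outside[1] <= hi,
    }


# Constructed sample built from the two capture lines quoted in the post.
SAMPLE_CAPTURE = [
    "35 1.051115 192.168.1.225 75.252.75.231 FTP 101 Response: 227 Entering Passive Mode (192,168,1,225,39,38)",
    "36 1.051176 4.4.4.165 75.252.75.231 FTP 104 Response: 227 Entering Passive Mode (4,4,4,165,63,57).",
]
INSIDE_REPLY = "227 Entering Passive Mode (192,168,1,225,39,38)"
OUTSIDE_REPLY = "227 Entering Passive Mode (4,4,4,165,63,57)."


def report(capture_lines, pasv_range):
    """Pair consecutive PASV replies (inside, then outside) and flag rewrites."""
    replies = extract_pasv_replies(capture_lines)
    results = []
    for i in range(0, len(replies) - 1, 2):
        a, b = replies[i], replies[i + 1]
        inside = "227 (%s)" % ",".join(a[2].split(".") + [str(a[3] // 256), str(a[3] % 256)])
        outside = "227 (%s)" % ",".join(b[2].split(".") + [str(b[3] // 256), str(b[3] % 256)])
        results.append(check_rewrite(inside, outside, pasv_range))
    return results


if __name__ == "__main__":
    for r in report(SAMPLE_CAPTURE, (10000, 11000)):
        print("inside %s:%d -> outside %s:%d; port rewritten: %s; outside port in range: %s"
              % (r["inside"] + r["outside"] + (r["port_rewritten"], r["outside_in_range"])))
```

Run against a text export of a merged capture it prints one line per PASV reply pair; for the two frames in the post it shows 10022 rewritten to 16185 and the outside port outside 10000-11000, which is the symptom the question describes.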

9 Replies

fb_webuser
Level 6

Will this help, perhaps?

https://supportforums.cisco.com/thread/2166619

---

Posted by WebUser Erik Boss from Cisco Support Community App

Thanks for the response. I checked that, and I believe that's for if you use a non-standard control port. We are using 21 for the control port, so I need to leave it inspecting 21.

Hi,

Are you saying that when the client connects to the FTP server and the server replies to the client to inform it of the actual data port, the ASA changes that port so that it's no longer from the range 10000-11000?

Sadly, I have not had to troubleshoot FTP that many times. Usually it's been a problem either on the client or server end rather than the ASA. Once I had problems with active FTP through an ASA running 8.4(1) because of a bug related to the multicore models of ASAs, but nothing like what you are describing.

If the ASA is truly sending wrong port information to the client, then I am not sure if that can be changed with configuration? Seems to me more like a bug? Though again, I have to say that I have not had to troubleshoot FTP that often. Most of the time the ASA has handled all FTP traffic just fine without any special modifications to the configuration.

I was originally thinking that this could be corrected simply by creating translations for the source ports that the FTP server uses for the actual data connections, but if the problem is that the client will connect to the wrong port, then that won't help with the problem at all.

Have you considered trying with some other software level?

Do you have any additional ASA equipment that could be used to lab/test this problem with different software levels?

- Jouni

Are you saying that when the client connects to the FTP server and the server replies to the client to inform it of the actual data port, the ASA changes that port so that it's no longer from the range 10000-11000?

Yes, this is what's happening. The ASA is looking at the PASV reply from the server, then changes the port before passing it along to the client.

It's almost like the ASA is adding a temporary PAT for the inside port to a random outside port, and changing the packet with the PASV ftp command to match the new outside port.

Active is working fine, but some of our customers refuse to make changes on their end and have it set up to transfer files through passive FTP. If it was my choice they'd all be on SFTP.

Hello Travis,

Does not make any sense.

Can you provide us the NAT configuration you have for the FTP server?

Also, do you have captures available from when the issue happens, from both the inside and outside interfaces, that you can attach to this discussion?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I agree, it's not making sense to me either. I've attached a merged capture file showing the FTP packets. I also attached a screenshot showing the two packets where it passes the PASV reply. Line 27 is server to inside interface, line 28 is outside interface to client. You can see where the ASA is changing the PASV reply.

Thanks,

Hello,

I am still missing the ASA configuration.

Can you share that?


I am not using version 8.0(4) on a PIX firewall and I am not seeing this issue. It might be a bug in version 9.1.

Have you tried something like this:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255 norandomseq nailed

Basically it tells the ASA not to randomize the TCP sequence numbers.

Jake Sullivan
Level 1

Non-standard passive FTP.

access-list FTP-LIST extended permit tcp any any range 10021 10022
access-list FTP-LIST extended permit tcp any any range 50000 50019

class-map FTP-CLASS
 match access-list FTP-LIST

policy-map global_policy
class FTP-CLASS
  inspect ftp

This did not affect the original "inspect ftp" under the default policy, e.g.:
"policy-map global_policy
 class inspection_default
  inspect ftp"

sho service-policy inspect ftp
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 1764569221, lock fail 0, drop 0, reset-drop 5585, v6-fail-close 0
    Class-map: FTP-CLASS
      Inspect: ftp, packet 184, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0

HTH anyone doing the search I was.
