Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
631
Views
0
Helpful
9
Replies

ASA and FTP help

Go to solution
jonesl1
Level 1
Level 1

‎07-13-2010 05:37 AM - edited ‎03-11-2019 11:10 AM

Ok....I'm feeling a little less intelligent everyday.   So I am struggling trying to figure out why I'm unable to assign rules on my ASA

that will allow me to FTP from the DMZ side of my ASA to the Inside.   Let me explain my situation

ASA 5520

    Inside interface -  security level 100

    Outside Interface - security level 0

    DMZ - security level 40

I am trying to initiate an FTP request from the DMZ side of the firewall to the Inside.   I am using a Passive FTP type.    Here is what

i've done to this point.

I have declared a static nat translation for the destination workstation (the one on the inside).  I've actually opened up the DMZ ACL to allow my DMZ

subnet to permit IP any to any.   This, I would think, should take care of any inbound FTP attempt.  I have also allowed on the inside ACL for the inside workstation to talk to the DMZ subnet via IP.   So basically this is what it looks like:

                            

                             INSIDE                                 DMZ

               X -------------------------------------<>-------------------------------------X

       10.10.10.100                            ASA                              192.168.1.200

static (INSIDE,DMZ)   192.168.253.10   10.10.10.100 netmask 255.255.255.255

I initiate my FTP and point it to the 192.168.253.10 address so that it goes to 10.10.10.100.   From the log, it seems like the workstation is receiving

the first SYN packet with a destination of port 21, but unfortunately.....I can't get it to do anything past that.   It's building connections coming inbound, but for some reason it will not allow me to see the folders or whatnot on 10.10.10.100. 

I'm assuming this is all I pretty much need for FTP as long as my access lists are allowing both ways, which they should be.  If someone can explain

what I'm missing, I'd greatly appreciate it.   I'm not quite sure what i'm missing, but it's about to give me a anneurism!  

Thanks in advance,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to jonesl1

‎07-13-2010 07:24 AM

Hello,

Let us try to figure out where it is getting blocked. Can you put the

following captures on the firewall and get us the outputs?

Access-list cap permit ip host

Capture capin access-list cap interface inside

Capture capdmz access-list cap interface dmz

Once you configure above lines, run the test. Then collect the output of

"show capture capin" and "show capture capdmz". That should give us a good

idea of what is happening.

Regards,

NT

View solution in original post

0 Helpful
9 Replies 9

Go to solution
jonesl1
Level 1
Level 1

‎07-13-2010 05:39 AM

those 192.168.253.x's are supposed to be 192.168.1.x's......sorry...mistyped.

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee

‎07-13-2010 06:24 AM

Can you enable ftp inspection under the global policy map and see if it works?

To summarize, you need to open port 21 on DMZ, the static translation along with the inspection for passive FTP.

Or open all ports from dmz and the static translation for passive FTP.

I hope it helps.

PK

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎07-13-2010 06:49 AM

Hello,

Your symptoms indicate that the firewall is not participating in the FTP communication between the DMZ source and the inside destination. So, the firewall does not know the dynamic ports negotiated between those two devices. So, when you issue "dir" command on the DMZ side, the DMZ client tries to open a data channel but the firewall will block it. In order to fix it, as Pkampana said, you need to enable inspect FTP.

  1. Issue the policy-map global_policy command.

    ASAwAIP-CLI(config)#policy-map global_policy

  2. Issue the class inspection_default command.

    ASAwAIP-CLI(config-pmap)#class inspection_default

  3. Issue the inspect FTP command.

    ASAwAIP-CLI(config-pmap-c)#inspect FTP
  4. Apply the policy-map to the interface.

                    ASAwAIP-CLI(config)#service-policy global_policy global

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

Hope this helps.

Regards,

NT


0 Helpful

Go to solution
jonesl1
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-13-2010 07:08 AM

I'm afraid its already on

policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
class IPS-class
  ips promiscuous fail-open
!
service-policy global_policy global

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to jonesl1

‎07-13-2010 07:24 AM

Hello,

Let us try to figure out where it is getting blocked. Can you put the

following captures on the firewall and get us the outputs?

Access-list cap permit ip host

Capture capin access-list cap interface inside

Capture capdmz access-list cap interface dmz

Once you configure above lines, run the test. Then collect the output of

"show capture capin" and "show capture capdmz". That should give us a good

idea of what is happening.

Regards,

NT

0 Helpful

Go to solution
jonesl1
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-13-2010 08:14 AM

Ok...got your captures ran and this was my return information:

Results from Show capture capin

   1: 02:33:25.407037 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153 469170(0) win 64512
   2: 02:33:28.313704 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153 469170(0) win 64512
   3: 02:33:34.329435 192.168.1.200.1588 > 10.10.10.100.21: S 1153469170:1153 469170(0) win 64512
3 packets shown

Results from Show capture capdmz
  
  1: 02:33:25.406793 192.168.1.200.1588 > 192.168.1.10.21: S 3428421332:34 28421332(0) win 64512
  2: 02:33:28.313643 192.168.1.200.1588 > 192.168.1.10.21: S 3428421332:34 28421332(0) win 64512
  3: 02:33:34.329374 192.168.1.200.1588 > 192.168.1.10.21: S 3428421332:34 28421332(0) win 64512
3 packets shown

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to jonesl1

‎07-13-2010 08:35 AM

Hello,

OK, from the captures I see that we are seeing unidirectional traffic. Nothing is coming back from the server. It could be due to two issues. One, the server is listening on a different port. Second, the default gateway of the server is different than the firewall. Can you please verify the default gateway of the server and also make sure that the server is listening on port 21 (Check the firewall on the server as well).

Hope this helps.

Regards,

NT

0 Helpful

Go to solution
jonesl1
Level 1
Level 1
In response to Nagaraja Thanthry

‎07-13-2010 09:37 AM

Ok....got it figured out.   Your awesome NT.   Thanks for holding my hand through the troubleshooting.   I think I'm going to go ahead and hang myself from the nearest tree though as my stupidity is obviously taking over my brain.  

Turns out, my windows firewall on my workstation got turned on and was blocking the ftp request.    Ya, I know....I should probably be banned from the forum out of sheer embarassment.

Sorry for taking up your time, but I dont think I would have been able to figure it out without your troubleshooting methods.   Thanks again to each of you that posted.

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to jonesl1

‎07-13-2010 09:55 AM

Hello,

Glad that the issue is fixed. It does happen to all of us sometimes. We do

miss out things that are trivial :).

Regards,

NT

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card