Please be gentle with me as I'm still learning Cisco
I'm trying to configure our Cisco ASA 5505 to allow Active mode FTP connections through. We have a user that uses some bespoke software that connects to a client via FTP in active mode.
When using the packet tracer, the packets fail by the DENY implicit incoming rule (please see below). This rule looks as though it cannot be edited, although as seen in my screenshot there are 2 rules that are very similar?
Inspect FTP is enabled and always has been enabled.
It seems, according to the above picture, that you might be entering the wrong information into "packet-tracer". The output/input interfaces should both NOT be "inside".
If we were to believe the output then it would mean that both the user and the destination server were behind the same interface on the ASA?
Is there a chance to see your firewall configuration in CLI format without any public IP addresses or other sensitive information? This would be the best way, for me personally at least, to check any problems with the configuration.
Thanks for the reply. Could you confirm the best command to run to confirm this? "show running-config" would display all my information, so is there something that would be better suited?
If you are testing an outbound FTP connection from your LAN then you should use the following information.
This is because the connection initiation for the FTP control connection (TCP/21) will naturally come from the LAN, which is behind the "inside" interface. The source IP address is naturally the local IP address and the destination IP address is the public IP address.
Ports you can leave as they are.
OK, the results below say that it successfully connected. However, the issue still persists.
What's the best command to show my firewall config?
Thanks for your help
Just testing through FileZilla I am getting this error message:
Status: Connection established, waiting for welcome message...
Response: 550 No connections allowed from your IP
Error: Critical error
Error: Could not connect to server
Whereas through Windows Explorer it acts as though my credentials are incorrect (although I know they aren't, as I have tested in a different environment).
Config attached, with any public IPs removed.
ASA Version 8.2(5)
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
name 192.168.0.73 Metalfab-IT
name 192.168.0.5 W01DC01
name 192.168.0.9 vWorkspace-Broker
name 192.168.0.12 W07DC02
name 192.168.1.18 CMVDI
switchport access vlan 2
ip address 192.168.0.1 255.255.0.0
ip address 85.13.xxx.xxx 255.255.255.240
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 8080
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3389
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3390
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3391
access-list outside_access_in extended permit tcp any host 85.13.xxx.xxx eq 3399
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0
access-list Split_Tunnel standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPsecVPN 192.168.0.40-192.168.0.45 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https vWorkspace-Broker https netmask 255.255.255.255
static (inside,outside) tcp interface www vWorkspace-Broker www netmask 255.255.255.255
static (inside,outside) tcp interface 444 vWorkspace-Broker 444 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 vWorkspace-Broker 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Metalfab-IT 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 W01DC01 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 W07DC02 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3399 CMVDI 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 85.13.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 20
crypto isakmp policy 30
crypto isakmp policy 40
crypto isakmp policy 50
crypto isakmp policy 60
crypto isakmp policy 70
crypto isakmp policy 80
crypto isakmp policy 90
crypto isakmp policy 100
crypto isakmp policy 110
crypto isakmp policy 120
crypto isakmp policy 130
crypto isakmp policy 140
crypto isakmp policy 150
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy DfltGrpPolicy attributes
dns-server value 18.104.22.168
default-domain value cloud.local
group-policy admin internal
group-policy admin attributes
dns-server value 192.168.0.5 192.168.0.12
split-tunnel-network-list value Split_Tunnel
default-domain value cloud.local
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (inside) LOCAL
authorization-server-group (inside) LOCAL
tunnel-group admin type remote-access
tunnel-group admin general-attributes
tunnel-group admin ipsec-attributes
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
To be honest, if the "packet-tracer" shows that the initial control connection for the FTP goes through and gets translated, and you have FTP inspection enabled, then that should be it for the ASA.
I would consider that the actual problem is on the remote end.
To me the above connection messages seem to indicate that the FTP connection (TCP/21) is formed but the server ends up rejecting it because of some local setting/rule.
So it would seem to me to be more of a problem on the server side.
Maybe the connections formed to this FTP server are limited according to the source IP address? Perhaps the remote end that manages the server has not done something they should.
Naturally as a "final" step you can always capture all traffic from a single connection attempt and those should show you exactly what is exchanged between the client and the server.
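The two points made above (the control connection is initiated from the client while the active-mode data connection is initiated by the server towards whatever address the client's PORT command advertises, and a reply such as "550 No connections allowed from your IP" is the server rejecting the control connection before login) can be checked mechanically from a control-channel transcript. The following is an added example, not code from the thread or from Cisco; the sessions at the bottom are constructed, and the reply-code meanings follow RFC 959. The `client_public_ip` parameter is an assumption standing in for the ASA's outside/PAT address that the server actually sees.

```python
"""Analyse an FTP control-channel transcript and explain why a transfer
failed.  Added example, not from the thread; the sessions at the bottom
are constructed and the reply-code meanings follow RFC 959."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2 from the client; 227 (...) from the server on PASV
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields) -> Tuple[str, int]:
    """FTP encodes IPv4 + port as six decimal bytes; port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Verdict:
    mode: Optional[str] = None                       # "active" or "passive"
    data_endpoint: Optional[Tuple[str, int]] = None  # who listens for the data connection
    nat_mismatch: bool = False   # client advertised a private address to a public server
    failure: Optional[str] = None


def analyse(transcript: List[Tuple[str, str]], client_public_ip: str) -> Verdict:
    """transcript is a list of ("C"|"S", line) pairs in wire order.
    client_public_ip (assumed) is the address the server actually sees, i.e.
    the ASA's outside/PAT address; it is compared against what PORT advertises."""
    v = Verdict()
    logged_in = False
    last_cmd = ""
    for who, raw in transcript:
        line = raw.strip()
        if who == "C":
            last_cmd = line.split(" ", 1)[0].upper()
            m = PORT_RE.match(line)
            if m:  # active mode: the SERVER will connect back to this address
                v.mode = "active"
                v.data_endpoint = decode_hostport(m.groups())
                ip = ipaddress.ip_address(v.data_endpoint[0])
                v.nat_mismatch = ip.is_private and str(ip) != client_public_ip
            continue
        m = PASV_RE.match(line)
        if m:  # passive mode: the CLIENT will connect out to this address
            v.mode = "passive"
            v.data_endpoint = decode_hostport(m.groups())
            continue
        code = int(line[:3]) if line[:3].isdigit() else 0
        if code == 230:
            logged_in = True
        elif code in (421, 530, 550) and not logged_in and last_cmd not in ("USER", "PASS"):
            v.failure = f"server rejected the control connection before login ({line})"
        elif code == 530 and last_cmd == "PASS":
            v.failure = f"authentication rejected ({line})"
        elif code in (425, 500, 501) and last_cmd == "PORT":
            v.failure = f"server refused the PORT command ({line})"
        elif code == 425 and last_cmd in ("LIST", "NLST", "RETR", "STOR"):
            v.failure = f"data connection could not be opened ({line})"
        if v.failure:
            break
    return v


# Constructed sessions (not real captures).  The first mirrors the FileZilla
# output quoted earlier in the thread; the second is an active-mode transfer
# where the client advertised its LAN address and the server could not reach it.
REJECTED_SESSION = [("S", "550 No connections allowed from your IP")]
ACTIVE_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER bob"), ("S", "331 Password required"),
    ("C", "PASS secret"), ("S", "230 Login successful"),
    ("C", "PORT 192,168,0,73,19,137"), ("S", "200 PORT command successful"),
    ("C", "LIST"), ("S", "425 Can't open data connection"),
]
PASSIVE_SESSION = [
    ("C", "PASV"), ("S", "227 Entering Passive Mode (85,13,1,2,195,80)"),
]

if __name__ == "__main__":
    for name, sess in (("rejected", REJECTED_SESSION), ("active", ACTIVE_SESSION),
                       ("passive", PASSIVE_SESSION)):
        print(name, analyse(sess, client_public_ip="85.13.0.1"))
```

A `nat_mismatch` verdict on a transcript taken on the outside of the firewall means the PORT command still carries the LAN address, which is exactly what `inspect ftp` on the ASA is meant to rewrite; on a transcript taken on the inside interface the private address is expected and the flag is not meaningful.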
Thanks very much.
I did suspect this to start with; however, I wanted to explore every other avenue before contacting the remote end. I will check with Wireshark to get a definitive answer.
You can also take a capture on the ASA. I guess that is easy to do on the ASDM side.
Naturally, when you're on the actual host it's probably easier just to take the capture there.
I guess the capture on the ASA might be useful in situations where you don't have access to an actual host on the site, are not at the site, and want to remotely take the capture from the ASA.
Let me know if you want an example configuration/commands to capture on the ASA.
I tend to use it a lot and I can easily copy the files to my local computer and open them with Wireshark.
Well, in this case, since we have a single destination host and can also define a specific internal host for the connection, we could just configure the ASA to capture all TCP traffic between the hosts.
First we configure an ACL that tells the ASA what traffic should be captured:
access-list FTP-CAP permit tcp host
access-list FTP-CAP permit tcp host
We define the ACL so that it covers both directions of the traffic. An option would be to take 2 captures, one for each direction. This might be useful if there is going to be a large amount of traffic, as the ASA's per-capture buffer is capped near 35MB.
Then we use the actual "capture" command:
capture FTP-CAP access-list FTP-CAP interface inside buffer 3350000 circular-buffer
In the above command we define the following:
The capture configuration above won't show up in the configuration.
One important thing to consider when configuring the ACL is that depending on which interface you take the capture on, you might have to change the IP address. In this case, since we use the local interface, the ASA will see the original host IP address. If you were to take the capture from the external interface of the ASA, you would have to change the local IP address to the host's public NAT IP address. And if that NAT IP address is a shared PAT IP, it would potentially capture a lot of traffic from other hosts (this is why I used the internal interface/IP in this example).
You can view all the captures, and whether they have captured any data, with the command
You can view the contents of a particular capture by adding the capture name to the command:
show capture FTP-CAP
I don't use this much except for simple captures.
To copy the capture to a host with TFTP use the following command:
copy /pcap capture:FTP-CAP tftp://x.x.x.x/FTP-CAP.pcap
To remove the capture and its data use:
no capture FTP-CAP
You will have to remove the ACL separately.
Hope this helps
Please let us know when you hear back from the remote end.
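Once the capture has been copied off the ASA with `copy /pcap`, the control channel can be pulled out of the file without Wireshark. The following is an added example, not code from the thread or from Cisco: a minimal stdlib-only libpcap reader that extracts the FTP control-channel lines. It assumes the file is classic pcap with Ethernet (link type 1) frames carrying untagged IPv4/TCP, which is what I would expect from an ASA capture but have not verified against the thread; the capture bytes at the bottom are constructed in memory using documentation addresses.

```python
"""Extract FTP control-channel lines from a libpcap file, e.g. the one
``copy /pcap capture:FTP-CAP tftp://...`` writes.  Added example, not from
the thread.  Assumes Ethernet (link type 1) frames carrying untagged IPv4
and TCP; the capture bytes at the bottom are constructed in memory."""
import struct
from typing import Iterator, List, Optional, Tuple

LINKTYPE_ETHERNET = 1


def iter_packets(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24  # size of the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[doff:]


def ftp_control_lines(pcap: bytes, port: int = 21) -> List[Tuple[str, str, str, str]]:
    """Return ("C"|"S", src, dst, line) for every line on the control channel."""
    out = []
    for _, frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if port not in (sport, dport) or not payload:
            continue
        who = "C" if dport == port else "S"
        for line in payload.decode("ascii", "replace").splitlines():
            if line:
                out.append((who, src, dst, line))
    return out


# --- constructed sample capture (documentation addresses, no real traffic) ---
def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4


def build_pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


CLIENT, SERVER = "192.168.0.73", "203.0.113.10"
SAMPLE_PCAP = build_pcap([
    _frame(SERVER, 21, CLIENT, 50123, b"220 FTP server ready\r\n"),
    _frame(CLIENT, 50123, SERVER, 21, b"USER bob\r\n"),
    _frame(SERVER, 21, CLIENT, 50123, b"331 Password required\r\n"),
    _frame(CLIENT, 50123, SERVER, 21, b"PORT 192,168,0,73,19,137\r\n"),
    _frame(SERVER, 21, CLIENT, 50123, b"200 PORT command successful\r\n"),
    _frame(CLIENT, 50124, SERVER, 443, b"not ftp"),  # filtered out by port
])

if __name__ == "__main__":
    for who, src, dst, line in ftp_control_lines(SAMPLE_PCAP):
        print(f"{who} {src} -> {dst}: {line}")
```

Run against a real file with `ftp_control_lines(open("FTP-CAP.pcap", "rb").read())`. Comparing the PORT line from a capture on the inside interface with the same line captured on the outside interface shows directly whether the ASA's FTP inspection rewrote the advertised address, which is the point made above about which interface you capture on.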
Awesome command/trick you've got!
Do you happen to create a CSC doc for this? :)
Sent from Cisco Technical Support iPhone App
There is one older document made here on CSC regarding captures
Though naturally that doesn't stop me from making my own.
I would still have a lot to add to my NAT document on the CSC but just can't seem to find the correct time/moment to go into that. Maybe it's because I work all day and then go home and start replying to posts on the CSC. I must be mad.
Yeah, saw that one earlier and I understand what you mean. Look at me, still checking CSC on my iPhone :)
It would be cool though if you can create one coz your line of thought is much better.
Sent from Cisco Technical Support iPhone App
It seems that there was a connection issue between our client and the remote FTP server. This has been resolved now; however, active mode still will not connect through.
If I was to strip out some logs and PM them to you, would you be able to cast your eye over them? I'm not entirely sure what I am looking for. I'm still convinced that there is an issue at the remote server side; however I need to be 100% sure before I can hand it back to them.
Thanks for your help with this.
Sure, you can send the logs. Though generally I troubleshoot FTP-related issues with traffic captures. And even in those situations there are usually different people that work with the actual clients and servers while I provide the information on what I see in the logs and captures.
I've just found a configuration fault within the software being used. I'm just waiting on someone to test the changes I have made. It should hopefully resolve the issue.
I will keep you updated. I'll be furious if this resolves things after everything we've gone through!