02-24-2007 01:49 AM - edited 03-11-2019 02:38 AM
Hi,
I configured the ASA to allow ftp requests to my ftp server residing behind the ASA. The problem is that when an internet client does ftp to the ftp server, he is able to connect, but he is not able to transfer files; after a few seconds I get a message displaying "connection closed by remote host". How do I solve this? The problem also happens when I issue the DIR or LS command after logging in to the ftp server.
02-24-2007 04:13 AM
It seems that you don't have FTP inspection enabled on your ASA. Assuming that you are using default settings, please implement the following commands on the ASA:
(all commands are to be executed in config mode)
class-map inspection_default
match default-inspection-traffic
exit
policy-map global_policy
class inspection_default
inspect ftp
exit
exit
service-policy global_policy global
Now check if FTP works. If it does, save the configuration. If the issue remains, please provide the output for:
show service-policy
show run policy-map
If possible, syslogs.
Regards,
Vibhor
02-24-2007 06:23 AM
No use, it didn't work, still the same problem.
02-24-2007 07:14 AM
Take a look here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml
Hope it helps...
Jay
02-24-2007 08:56 AM
Hi Thanks for your response,
Actually I was trying from a Windows XP/2000 laptop; that is the reason I was facing this problem. When I tried on a BSD box it works fine, as "passive ftp" is enabled by default. But I still couldn't understand why in Windows XP/2000 I couldn't find the "passive" command. Any idea? I was also informed by one of my friends that on a Windows box, if I issue "literal passive", it would allow it, but that command was no use, as it said it is an invalid command.
02-24-2007 12:37 PM
In Unix/Linux, after logging in to ftp, you can issue the command "passive" to either turn on or turn off passive ftp, as below:
# cd /tmp
# ftp 192.168.15.10
Connected to 192.168.15.10.
220 (vsFTPd 1.2.0)
Name (192.168.15.10:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Switching to Binary mode.
ftp> prompt
Interactive mode off.
ftp> hash
Hash mark printing on (8192 bytes/hash mark).
ftp> passive
Passive mode on.
ftp> passive
Passive mode off.
ftp>
-------------------
On Microsoft Windows, it works a little differently. After logging in, you can issue the command "literal pasv". That will take you to passive mode.
C:\temp>ftp 192.168.15.10
Connected to 192.168.15.10.
220 (vsFTPd 1.2.0)
User (192.168.15.10:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> bin
200 Switching to Binary mode.
ftp> prompt
Interactive mode Off .
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> literal pasv
227 Entering Passive Mode (192,168,15,10,4,253)
ftp>
good luck
David
CCIE Security
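The post above shows the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply; the data port is `p1*256 + p2`, and the client-side `PORT` command uses the same six-number encoding in the other direction. These are exactly the control-channel messages an ASA `inspect ftp` engine has to read to open the data-connection pinhole. The following Python is an added example, not code from this thread or from Cisco: it decodes and builds both messages, and walks a control-channel transcript to report which mechanism actually set up the transfer. The transcript embedded in it is copied from the Windows ftp.exe session posted later in this thread; the assumption that a server's `200` reply to PORT names the command (as vsftpd's does) is mine.

```python
import re

# Added example (not from the thread). Decode/encode the six-number
# host,port tuple that PASV replies and PORT commands carry on the FTP
# control channel (RFC 959), and classify a control-channel transcript.

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)


def _tuple_to_endpoint(fields):
    """Turn (h1,h2,h3,h4,p1,p2) into ('h1.h2.h3.h4', p1*256+p2), validating ranges."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range: %r" % (fields,))
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def parse_pasv_reply(line):
    """Server '227 Entering Passive Mode (...)' -> (host, port) the client must connect to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return _tuple_to_endpoint(m.groups())


def parse_port_command(line):
    """Client 'PORT h1,h2,h3,h4,p1,p2' -> (host, port) the server will connect back to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _tuple_to_endpoint(m.groups())


def build_port_command(host, port):
    """Encode a client listening socket as the PORT command an active-mode client sends."""
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % host)
    if not 0 < port < 65536:
        raise ValueError("bad port: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def data_mode_from_transcript(lines):
    """Report how the data connection for a transfer was really set up.

    The last successful PASV (227) or PORT (200 naming PORT, vsftpd style)
    seen before the server's 150 'Opening ... data connection' reply wins.
    Returns ('passive', (host, port)), ('active', None), or None.
    """
    mode = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("227"):
            mode = ("passive", parse_pasv_reply(line))
        elif line.startswith("200") and "PORT" in line.upper():
            mode = ("active", None)
        elif line.startswith("150"):
            return mode
    return mode


# Copied from the Windows ftp.exe session posted in this thread: the client
# sends PASV via "literal pasv", gets a 227, then still issues PORT on "get".
WINDOWS_TRANSCRIPT = [
    "ftp> literal pasv",
    "227 Entering Passive Mode (192,168,15,10,5,50)",
    "ftp> get Winkey.exe",
    "200 PORT command successful. Consider using PASV.",
    "150 Opening BINARY mode data connection for Winkey.exe (43520 bytes).",
    "226 File send OK.",
]

if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,15,10,4,253)"))
    print(build_port_command("129.174.1.13", 2670))
    print(data_mode_from_transcript(WINDOWS_TRANSCRIPT))
```

The transcript classifier returns `active` for the Windows session even though a 227 was received, which is the behaviour the rest of the thread goes on to confirm with tcpdump: issuing PASV by hand does not change which command the client uses when the transfer starts.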
02-25-2007 03:25 AM
Hi David,
thanks for your response. I tried the same and the command was accepted, but still the same problem; but when I tried with a GUI ftp client it is working, being passive FTP. But still no idea why it is not working.
02-25-2007 06:31 AM
hi anandanarayana,
I think it is a bug in the Windows ftp client itself. When you think you have set the Windows ftp client from the CLI to passive ftp, it is still doing "active" ftp. Check out the tcpdump below from the Linux FTP server itself:
--------------
C:\temp>ftp 192.168.15.10
Connected to 192.168.15.10.
220 (vsFTPd 1.2.0)
User (192.168.15.10:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> bin
200 Switching to Binary mode.
ftp> prompt
Interactive mode Off .
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> literal pasv
227 Entering Passive Mode (192,168,15,10,5,50)
ftp> get Winkey.exe
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Winkey.exe (43520 bytes).
#####################
226 File send OK.
ftp: 43520 bytes received in 0.00Seconds 43520000.00Kbytes/sec.
ftp> quit
221 Goodbye.
C:\temp>
--------------------
[root@dca2-LinuxES ftp]# tcpdump -i eth0 -n host 129.174.1.13
tcpdump: listening on eth0
10:26:58.104416 129.174.1.13.2668 > 192.168.15.10.ftp: S 1268059330:1268059330(0) win 64512
10:26:58.104540 192.168.15.10.ftp > 129.174.1.13.2668: S 2901538155:2901538155(0) ack 1268059331 win 5840
10:26:58.105335 129.174.1.13.2668 > 192.168.15.10.ftp: . ack 1 win 64512 (DF)
10:26:58.109962 192.168.15.10.ftp > 129.174.1.13.2668: P 1:21(20) ack 1 win 5840 (DF)
10:27:09.185283 129.174.1.13.2668 > 192.168.15.10.ftp: P 65:82(17) ack 208 win 64305 (DF)
10:27:09.185748 192.168.15.10.ftp-data > 129.174.1.13.2670: S 2914151128:2914151128(0) win 5840
10:27:09.186629 129.174.1.13.2670 > 192.168.15.10.ftp-data: S 3044473740:3044473740(0) ack 2914151129 win 64512
10:27:09.186702 192.168.15.10.ftp-data > 129.174.1.13.2670: . ack 1 win 5840
10:27:09.186928 192.168.15.10.ftp > 129.174.1.13.2668: P 208:279(71) ack 82 win 5840 (DF)
10:27:09.187040 192.168.15.10.ftp-data > 129.174.1.13.2670: . 1:1449(1448) ack 1 win 5840
10:27:09.187072 192.168.15.10.ftp-data > 129.174.1.13.2670: . 1449:2897(1448) ack 1 win 5840
10:27:09.187124 192.168.15.10.ftp-data > 129.174.1.13.2670: . 2897:4345(1448) ack 1 win 5840
10:27:09.187931 129.174.1.13.2670 > 192.168.15.10.ftp-data: . ack 2897 win 64512
10:27:09.187965 192.168.15.10.ftp-data > 129.174.1.13.2670: . 4345:5793(1448) ack 1 win 5840
10:27:09.187974 192.168.15.10.ftp-data > 129.174.1.13.2670: . 5793:7241(1448) ack 1 win 5840
10:27:09.187987 192.168.15.10.ftp-data > 129.174.1.13.2670: . 7241:8689(1448) ack 1 win 5840
10:27:09.188568 129.174.1.13.2670 > 192.168.15.10.ftp-data: . ack 5793 win 6451
10:27:11.555300 129.174.1.13.2668 > 192.168.15.10.ftp: P 82:88(6) ack 298 win 64215 (DF)
10:27:11.555817 192.168.15.10.ftp > 129.174.1.13.2668: P 298:312(14) ack 88 win 5840 (DF)
10:27:11.556957 129.174.1.13.2668 > 192.168.15.10.ftp: F 88:88(0) ack 312 win 64201 (DF)
10:27:11.557242 192.168.15.10.ftp > 129.174.1.13.2668: F 312:312(0) ack 89 win 5840 (DF)
10:27:11.557718 129.174.1.13.2668 > 192.168.15.10.ftp: . ack 313 win 64201 (DF)
82 packets received by filter
0 packets dropped by kernel
[root@dca2-LinuxES ftp]#
02-25-2007 06:40 AM
Hi David,
As you said, it should be a bug in the Windows CUI ftp client, so I tried installing a 3rd-party FTP client and it works.
02-25-2007 06:51 AM
Yes, third-party clients such as WinSCP and SecureFX work with passive ftp. It is just the Windows ftp client CLI that does not. As you can see, the client is transferring the file with the server on the server's high ports. No port 20 is in play anywhere. Therefore, I think it is a bug in the Microsoft ftp client CLI itself. See below when I initiate ftp from a third-party ftp client such as SecureFX:
David
[root@dca2-LinuxES root]# tcpdump -i eth0 -n host 129.174.1.13
tcpdump: listening on eth0
10:48:53.228633 129.174.1.13.35375 > 192.168.15.10.ftp: S 538184680:538184680(0) win 49640
10:48:53.228753 192.168.15.10.ftp > 129.174.1.13.35375: S 4261832214:4261832214(0) ack 538184681 win 5840
10:48:53.229620 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 1 win 49640 (DF)
10:48:53.234096 192.168.15.10.ftp > 129.174.1.13.35375: P 1:21(20) ack 1 win 5840 (DF)
10:48:53.234565 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 21 win 49640 (DF)
10:48:53.255148 192.168.15.10.34391 > 129.174.1.13.domain: 64769+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)
10:48:53.256379 129.174.1.13.domain > 192.168.15.10.34391: 64769 1/4/2 (202) (DF)
10:48:56.791231 129.174.1.13.35375 > 192.168.15.10.ftp: P 1:17(16) ack 21 win 49640 (DF)
10:48:56.791310 192.168.15.10.ftp > 129.174.1.13.35375: . ack 17 win 5840 (DF)
10:48:56.791885 192.168.15.10.ftp > 129.174.1.13.35375: P 21:55(34) ack 17 win 5840 (DF)
10:48:57.030438 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 128 win 49640 (DF)
10:48:57.389484 129.174.1.13.35375 > 192.168.15.10.ftp: P 38:46(8) ack 128 win 49640 (DF)
10:48:57.389553 192.168.15.10.ftp > 129.174.1.13.35375: P 128:159(31) ack 46 win 5840 (DF)
10:48:57.480433 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 159 win 49640 (DF)
10:48:58.586925 192.168.15.10.34391 > 129.174.1.13.domain: 64770+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)
10:48:58.588275 129.174.1.13.domain > 192.168.15.10.34391: 64770 1/4/2 (202) (DF)
10:49:00.638756 192.168.15.10.34391 > 129.174.1.13.domain: 64771+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)
10:49:00.639900 129.174.1.13.domain > 192.168.15.10.34391: 64771 1/4/2 (202) (DF)
10:49:08.028007 129.174.1.13.35375 > 192.168.15.10.ftp: P 46:52(6) ack 159 win 49640 (DF)
10:49:08.028710 192.168.15.10.ftp > 129.174.1.13.35375: P 159:207(48) ack 52 win 5840 (DF)
10:49:08.029984 129.174.1.13.35376 > 192.168.15.10.1037: S 541876187:541876187(0) win 49640
10:49:08.030061 192.168.15.10.1037 > 129.174.1.13.35376: S 4267281440:4267281440(0) ack 541876188 win 5840
10:49:08.030793 129.174.1.13.35376 > 192.168.15.10.1037: . ack 1 win 49640 (DF)
10:49:08.030932 129.174.1.13.35375 > 192.168.15.10.ftp: P 52:69(17) ack 207 win 49640 (DF)
10:49:08.031158 192.168.15.10.ftp > 129.174.1.13.35375: P 207:278(71) ack 69 win 5840 (DF)
10:49:08.031255 192.168.15.10.1037 > 129.174.1.13.35376: . 1:1461(1460) ack 1 win 5840 (DF) [tos 0x8]
10:49:08.031314 192.168.15.10.1037 > 129.174.1.13.35376: . 1461:2921(1460) ack 1 win 5840 (DF) [tos 0x8]
10:49:08.038016 129.174.1.13.35376 > 192.168.15.10.1037: F 1:1(0) ack 43522 win 49640 (DF)
10:49:08.038070 192.168.15.10.1037 > 129.174.1.13.35376: . ack 2 win 5840 (DF)
10:49:10.012613 129.174.1.13.35375 > 192.168.15.10.ftp: P 69:75(6) ack 297 win 49569 (DF)
10:49:10.012836 192.168.15.10.ftp > 129.174.1.13.35375: P 297:311(14) ack 75 win 5840 (DF)
10:49:10.013471 129.174.1.13.35375 > 192.168.15.10.ftp: F 75:75(0) ack 311 win 49569 (DF)
10:49:10.014115 192.168.15.10.ftp > 129.174.1.13.35375: F 311:311(0) ack 76 win 5840 (DF)
10:49:10.014590 129.174.1.13.35375 > 192.168.15.10.ftp: . ack 312 win 49569 (DF)
10:49:10.578376 192.168.15.10.34391 > 129.174.1.13.domain: 64772+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)
101 packets received by filter
0 packets dropped by kernel
[root@dca2-LinuxES root]#
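The two captures above settle the question by who sends the SYN for the data connection: in the first, the server connects from `ftp-data` (port 20) to the client's port 2670 (active); in the second, the client connects to the server's port 1037 (passive). That is also what decides which firewall needs a pinhole, and why an ASA without `inspect ftp` breaks one mode or the other. The following Python is an added example, not code from this thread: it reads tcpdump lines of the format posted here, finds the control-connection SYN to port 21, and classifies the session from the next data-connection SYN. The capture excerpts embedded in it are copied from the two captures above; the service-name-to-port table is an assumption covering only the names that appear in them.

```python
import re

# Added example (not from the thread). Classify an FTP session as active or
# passive from tcpdump -n output by looking only at which side sends the
# SYN for the data connection. Assumed name->port table for the service
# names tcpdump printed in the captures above.
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "domain": 53}

# A bare SYN: "<ts> <src>.<sport> > <dst>.<dport>: S a:a(0) win N".
# A SYN-ACK has " ack " before "win", so it does not match.
SYN_RE = re.compile(
    r"^\S+\s+(\S+)\.(\S+)\s+>\s+(\S+)\.(\S+):\s+S\s+\d+:\d+\(0\)\s+win\b")


def _port(token):
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def syns_from_capture(lines):
    """Return (src_ip, src_port, dst_ip, dst_port) for every bare SYN in the capture."""
    syns = []
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:
            syns.append((m.group(1), _port(m.group(2)), m.group(3), _port(m.group(4))))
    return syns


def classify_ftp_capture(lines):
    """Decide active vs passive from the control SYN (to port 21) and the data SYN.

    active:  server connects from port 20 back to the client (client-side
             firewall must admit an inbound SYN from the server).
    passive: client connects to a server high port (server-side firewall
             must admit an inbound SYN to that port).
    """
    syns = syns_from_capture(lines)
    control = next((s for s in syns if s[3] == 21), None)
    if control is None:
        return {"mode": "unknown", "reason": "no SYN to port 21 seen"}
    client, server = control[0], control[2]
    for src, sport, dst, dport in syns:
        if (src, sport, dst, dport) == control:
            continue
        if src == server and sport == 20 and dst == client:
            return {"mode": "active", "data": "%s:%d" % (dst, dport),
                    "initiator": "server", "client": client, "server": server}
        if src == client and dst == server and dport != 21:
            return {"mode": "passive", "data": "%s:%d" % (dst, dport),
                    "initiator": "client", "client": client, "server": server}
    return {"mode": "unknown", "reason": "no data-connection SYN seen"}


# Excerpts copied from the first capture above (Windows ftp.exe client).
ACTIVE_CAPTURE = [
    "10:26:58.104416 129.174.1.13.2668 > 192.168.15.10.ftp: S 1268059330:1268059330(0) win 64512",
    "10:26:58.104540 192.168.15.10.ftp > 129.174.1.13.2668: S 2901538155:2901538155(0) ack 1268059331 win 5840",
    "10:27:09.185283 129.174.1.13.2668 > 192.168.15.10.ftp: P 65:82(17) ack 208 win 64305 (DF)",
    "10:27:09.185748 192.168.15.10.ftp-data > 129.174.1.13.2670: S 2914151128:2914151128(0) win 5840",
    "10:27:09.186629 129.174.1.13.2670 > 192.168.15.10.ftp-data: S 3044473740:3044473740(0) ack 2914151129 win 64512",
]

# Excerpts copied from the second capture above (SecureFX client); the PTR
# lookup line is kept to show non-SYN traffic is ignored.
PASSIVE_CAPTURE = [
    "10:48:53.228633 129.174.1.13.35375 > 192.168.15.10.ftp: S 538184680:538184680(0) win 49640",
    "10:48:53.228753 192.168.15.10.ftp > 129.174.1.13.35375: S 4261832214:4261832214(0) ack 538184681 win 5840",
    "10:48:53.255148 192.168.15.10.34391 > 129.174.1.13.domain: 64769+ PTR? 2.12.147.198.in-addr.arpa. (43) (DF)",
    "10:49:08.029984 129.174.1.13.35376 > 192.168.15.10.1037: S 541876187:541876187(0) win 49640",
    "10:49:08.030061 192.168.15.10.1037 > 129.174.1.13.35376: S 4267281440:4267281440(0) ack 541876188 win 5840",
]

if __name__ == "__main__":
    print(classify_ftp_capture(ACTIVE_CAPTURE))
    print(classify_ftp_capture(PASSIVE_CAPTURE))
```

Run against a capture taken on the server (`tcpdump -n -i eth0 host <client>` as above), the `initiator` field tells you which side's firewall had to accept the data SYN; with `inspect ftp` the ASA opens that pinhole from the PORT or 227 message on the control channel, and without it the mode whose SYN arrives on the blocked side is the one that hangs at `DIR` or `get`.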