We have an unclass setup where we are PAT'ing to the internet via a 2911 router. We've found that passive FTP from internal (client) to public ftp server is not working and I've confirmed there is no ACL denying. The initial connection (login) is fine but when trying to actually send data we see timeouts. I'm thinking this is because I'm not doing this on a firewall with inspect ftp enabled.
So I enabled the security feature so I could configure CBAC, but that doesn't seem to correct my problem with FTP (active and/or passive). G0/0 is my interface to the outside world and I'm applying the CBAC there. Let me know what you think....I'm sure someone has run into this before and I'm stumped here.
Below are snippets of my config...
OUTPUT and CONFIG snippets
ip inspect name firewall ftp
ip inspect name firewall tcp
access-list 199 deny ip any any
ip address x.x.x.x x.x.x.x
ip access-group 199 in
no ip redirects
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
"show inspect all" shows the following and indicates to me that it is applied correctly. I even see the router tracking (inspecting sessions) via the "show inspect sessions" command.
#sho ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
Thanks for the reply, but I have since learned that I should not need CBAC for passive FTP connections. I have also learned that through Windows ftp.exe you cannot do passive FTP, even though "quote PASV" seems to put it in that mode. Evidently, it only tells the server to go passive, but Windows doesn't support PASV....interesting!
I did end up downloading an FTP client that does support PASV mode but am still unable to get it to work through my PAT router. I think the key here is that it's a PAT router and not a firewall/ASA. I've tested PAT through a stateful firewall and it works fine....no issue at all. Very interesting stuff here and it is frustrating the heck out of me as to why I can't get this to work!!! Any help appreciated.
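The post above turns on the difference between active and passive FTP and on why plain PAT is not the same as a firewall with FTP inspection. The distinction lives in the FTP control channel: a PASV 227 reply from the server, or a PORT command from the client, carries the data-connection IP and port as six decimal bytes (h1,h2,h3,h4,p1,p2, port = p1*256 + p2). In passive mode the client opens the data connection, so outbound PAT treats it like any other client-initiated TCP flow; in active mode the server opens it toward whatever address the client advertised, which behind PAT is a private one unless an FTP ALG rewrites the payload. The following is an added diagnostic example, not code from this thread or from Cisco; the sample control-channel lines are constructed, and the `diagnose` and `parse_ftp_endpoint` names are this example's own.

```python
import ipaddress
import re

# Constructed sample control-channel lines (not taken from the thread's capture).
SAMPLE_PASV_OK = "227 Entering Passive Mode (203,0,113,10,195,80)."   # server public IP, port 50000
SAMPLE_PASV_BAD = "227 Entering Passive Mode (10,1,2,3,195,80)."      # server leaked a private IP
SAMPLE_PORT = "PORT 192,168,1,50,20,10"                                # client behind PAT, port 5130

# h1,h2,h3,h4,p1,p2 as carried in PASV replies and PORT commands (RFC 959).
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_endpoint(line):
    """Return (ip, port) embedded in a PASV 227 reply or a PORT command, or None.

    The port is p1*256 + p2. Any byte above 255 means the tuple is malformed.
    """
    m = _TUPLE_RE.search(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose(line, control_peer_ip):
    """Describe the data-connection implications of one FTP control line.

    control_peer_ip is the address the control TCP session actually reaches
    (the server's public IP when reading its 227 reply). The result says who
    opens the data connection and whether a PAT device must rewrite the
    payload (i.e. an FTP ALG is required) for the transfer to work.
    """
    ep = parse_ftp_endpoint(line)
    if ep is None:
        return {"mode": None, "opener": None, "endpoint": None,
                "needs_alg": False, "note": "no h1,h2,h3,h4,p1,p2 tuple in line"}
    ip, port = ep
    is_private = ipaddress.ip_address(ip).is_private

    if line.startswith("227"):
        # Passive: the client connects out to the advertised server endpoint.
        # Outbound PAT handles this like any client-initiated TCP flow; a
        # stateful device still has to admit the return packets past an
        # inbound deny ACL, which is what "ip inspect ... tcp" does.
        if ip != control_peer_ip:
            note = ("server advertised an address other than the control peer; "
                    "the data connection fails unless the client substitutes the control peer IP")
        else:
            note = "client connects to the advertised server endpoint"
        return {"mode": "passive", "opener": "client", "endpoint": (ip, port),
                "needs_alg": False, "note": note}

    if line.upper().startswith("PORT"):
        # Active: the server connects back to the client's advertised address.
        # A client behind PAT advertises its private IP, so without an FTP ALG
        # rewriting the PORT payload the server dials an unroutable address.
        if is_private:
            note = "PORT carries a private address; PAT must rewrite the payload (FTP ALG)"
        else:
            note = "PORT carries a routable address"
        return {"mode": "active", "opener": "server", "endpoint": (ip, port),
                "needs_alg": is_private, "note": note}

    return {"mode": None, "opener": None, "endpoint": (ip, port),
            "needs_alg": False, "note": "address tuple found but line is neither 227 nor PORT"}


if __name__ == "__main__":
    for sample in (SAMPLE_PASV_OK, SAMPLE_PASV_BAD, SAMPLE_PORT):
        print(sample)
        print("  ->", diagnose(sample, "203.0.113.10"))
```

Run against a real capture, feed each 227 and PORT line from the control stream through `diagnose` with the server's public IP: a passive transfer whose 227 reply names the control peer and still times out points at the path between client and that port (ACL, return-traffic state, upstream filtering) rather than at address translation, while an active transfer whose PORT command carries a 10.x or 192.168.x address cannot work through PAT without FTP inspection rewriting it.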
Based on the information which you provided earlier, the data connection from client to server is failing. That is the reason I requested the above outputs; these can help us understand the point of failure.
In addition, can you run wireshark on host and post the captures as well?
I attached a capture from the client perspective. Please let me know what you think, but from what I can tell, I'm not getting a response from the server for some reason....I don't think this really indicates what the problem is.