1159 Views, 5 Helpful, 4 Replies

Checkpoint to ASA migration. Problems with pasv ftps.

thomsmith
Level 1

Moving from Checkpoint to ASA. Migrated about 20% of my policies earlier this week and had to back out one. FTPS from 10.60.10.205 (inside) destined for 65.217.149.5 (prod-outside). Users got the error message "500 Illegal PORT range" when entering PASV mode...

220 pw-sftp-cl1.nmhcrx.com FTP server (Version 6.00LS+TLS) ready.
AUTH SSL
234 AUTH SSL command successful.
SSL Session Started.
Host type (1): Automatic detect
USER myuser
331 Password required for myuser.
PASS (hidden)
230 User myuser logged in, access restrictions apply.
SYST
215 UNIX Type: L8
Host type (2): UNIX (standard)
PBSZ 0
200 PBSZ command successful (PBSZ=0).
PROT C
504 PROT command not available in FTP-SSL compatibility mode.
PWD
257 "/" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (65,217,149,5,165,146)
connecting data channel to 65.217.149.5:165,146(42386)
PORT 10,60,10,205,11,71
500 Illegal PORT range rejected.
Port failed 500 Illegal PORT range rejected.
QUIT
221 Goodbye.
Connection closed.

FTP inspection is enabled. Do I need to exclude this from inspection because it is encrypted? If so, how do I handle the data channel and its associated dynamic ports?

Tried fixup protocol ftp 21 based upon feedback in another NetPro discussion.

Also modified policy and nat rules to permit both tcp/ftp and tcp/ftp-data.

I'm new to the ASA and not having much luck with TAC. Most recent feedback from TAC "Let me do some research about it since I am not sure if FTPS is supported on ASA firewalls. I will keep you posted." Any suggestions?

Relevant configuration items.

NAT...

access-list inside_nat_outbound_1 extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_12
nat (inside) 10 access-list inside_nat_outbound_1

ACL...

access-list from-inside extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_13 log warnings
access-group from-inside in interface inside

(The DM_INLINE_TCP_12 and DM_INLINE_TCP_13 object-groups include tcp/ftp and tcp/ftp-data.)

Inspection Policy...

access-list mss-exceeded-acl extended permit ip any any inactive
class-map mss-exceeded-map
 match access-list mss-exceeded-acl
tcp-map mss-exceeded-map
 exceed-mss allow
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
  inspect ils
  inspect dns preset_dns_map
  inspect ipsec-pass-thru
 class mss-exceeded-map
  set connection advanced-options mss-exceeded-map
!
service-policy global_policy global

4 Replies

a.alekseev
Level 7

try this

no access-list from-inside extended permit tcp net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com object-group DM_INLINE_TCP_13 log warnings
access-list from-inside extended permit ip net-mynet-10.60.0.0 255.255.0.0 host ftps.nmhcrx.com
access-group from-inside in interface inside

Unfortunately my user and their login credentials have left for the day. I'll try tomorrow a.m. EST. Unsure this will make any difference. I'm not seeing any drops in the logs.

thomsmith
Level 1

It appears the outbound request for the data channel is being blocked. The server side randomly assigns a high port in PASV mode. My client then attempts to connect on this high port and is being blocked. FTP inspection would normally pick this up and allow the high port. It doesn't work here because all of the payload is encrypted. The interim fix is to allow all IP outbound to this particular destination. Not really a good long-term solution. Any better suggestions out there?

"Moving from Checkpoint to ASA." That's a mistake if you ask me. You will lose a lot of functions in Checkpoint that you have taken for granted. Then again, it may be a corporate decision where you do not have a choice.

1- You do not need to allow all IP outbound to this particular destination. You just need to allow tcp high-ports to this destination, not IP.

2- Ask the folks on the other end if they can restrict the number of tcp high-ports that FTPS can assign. This can be done very easily on both Microsoft IIS Server and the vsFTPd server for Linux. In vsFTPd, check the vsftpd.conf file and you will see it there. Normally, you want to restrict the ftp-data ports in PASV mode to between 2000 and 2100.

Easy right?
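The two points made in this thread (the client reads the data port out of the 227 PASV reply and opens a fresh outbound connection to it, which a firewall that cannot see into the TLS-protected control channel must permit statically, and the server's PASV range can be pinned down so that static rule stays narrow) can be checked with a few lines of Python. The script below is an added example, not code from the thread, from Cisco or from any of the posters. It decodes the six-field h1,h2,h3,h4,p1,p2 encoding used by PASV replies and PORT commands (port = p1*256 + p2), then reports for each negotiation whether a static rule permitting TCP to the server on a given port range (the 2000-2100 range suggested in the last reply is the assumed default) would let the data channel through. The first two sample lines are taken from the session transcript in the question; the third is a constructed reply showing what a server with a restricted PASV range would send.

```python
"""Check FTP PASV/PORT negotiations against a static firewall data-port rule.

Added example: parses the six-field host/port encoding from 227 replies and
PORT commands and decides whether an assumed outbound rule "permit tcp to
server_ip within allowed_range" covers the announced data channel.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 227 reply: six decimal fields h1,h2,h3,h4,p1,p2 inside parentheses (RFC 959 format).
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# The client's PORT command uses the same six-field encoding.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


@dataclass(frozen=True)
class DataChannel:
    direction: str  # "pasv": client connects out to host:port; "port": server connects back in
    host: str
    port: int


def decode_hostport(fields: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the fields h1,h2,h3,h4,p1,p2 into a dotted host and a port (p1*256 + p2)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {fields}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_line(line: str) -> Optional[DataChannel]:
    """Return the data-channel endpoint announced by a PASV reply or PORT command, else None."""
    m = PASV_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        return DataChannel("pasv", host, port)
    m = PORT_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        return DataChannel("port", host, port)
    return None


def audit_session(lines: List[str], server_ip: str,
                  allowed_range: Tuple[int, int] = (2000, 2100)):
    """For every PASV/PORT seen, decide whether a static rule permitting TCP to
    server_ip on allowed_range (inclusive) covers the data channel.
    Returns a list of (DataChannel, permitted, reason)."""
    lo, hi = allowed_range
    results = []
    for line in lines:
        ch = parse_line(line.strip())
        if ch is None:
            continue
        if ch.direction == "port":
            # Active mode: the server would connect back to the client. The server in
            # this thread rejects PORT, and an inbound connection would need its own
            # rule in any case, so it is reported but never counted as permitted.
            results.append((ch, False, "active mode: server-initiated inbound connection"))
        elif ch.host != server_ip:
            # The data address should be the control-channel peer; a different host
            # would need a rule of its own and deserves a closer look.
            results.append((ch, False, f"data host {ch.host} differs from server {server_ip}"))
        elif lo <= ch.port <= hi:
            results.append((ch, True, f"port {ch.port} within {lo}-{hi}"))
        else:
            results.append((ch, False, f"port {ch.port} outside {lo}-{hi}"))
    return results


# First two lines are from the session transcript in the question; the third is a
# constructed reply (7,208 -> port 2000) from a server whose PASV range was restricted.
SAMPLE_SESSION = [
    "227 Entering Passive Mode (65,217,149,5,165,146)",
    "PORT 10,60,10,205,11,71",
    "227 Entering Passive Mode (65,217,149,5,7,208)",
]

if __name__ == "__main__":
    for ch, ok, why in audit_session(SAMPLE_SESSION, "65.217.149.5"):
        verdict = "permit" if ok else "DENY  "
        print(f"{ch.direction.upper():4} {ch.host}:{ch.port:<5} {verdict} {why}")
```

Run as-is, the first transcript line decodes to 65.217.149.5:42386 (165*256 + 146), which is exactly the port the client tried and which a 2000-2100 rule would not cover; the constructed line lands on port 2000 and passes. Widening `allowed_range` to (1024, 65535) reproduces the "allow all high ports to this destination" interim fix from the thread, and the host check flags any PASV reply that points at an address other than the control-channel server, which is worth a look before a rule is widened to fit it.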
