cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8175
Views
0
Helpful
14
Replies

ftp dir list "hang" on asa 8.3

Anyone

I upgraded to 8.3.2 using ASDM 6.3.(4).

Got severel challanges with NAT and Access list statements. Think those are sorted out.

However I run an FTP server on the inside network, want any to access this. I can log in to the server from outside (so i guess the nat and access list are ok)

When I try to do an LIST on the ftp server I get a 425 Can't open data connection error from the server.

I also do an ftp inspect:

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect ip-options

Help please!

br

hkl

1 Accepted Solution

Accepted Solutions

Hello,

Hehehe, I noticed, but thats ok. Thanks so much for taking those captures. I can see that the server sends out the port 20 in order to establish the Data connection with the client, but the client never respond. Here is two things that we can try.

Would youp please open command prompt on the PC and try to open the ftp connection over there? ftp and once you are there just type list

If it doesnt work, download wireshark on that computer, start sniffing and check if the SYN packet on port 20 gets to the client from the server.

Hey, if you need clarification on anything just let me know ok?

Cheers.

Mike.

Mike

View solution in original post

14 Replies 14

Panos Kampanakis
Cisco Employee
Cisco Employee

It seems the data channel fails.

You are probably not translating the high data channel port active ftp would use. What does the "debug ftp" show you? And logs on the ASA?

PK

pkampana wrote:

It seems the data channel fails.

You are probably not translating the high data channel port active ftp would use. What does the "debug ftp" show you? And logs on the ASA?

PK

pkampana, thanks for your response.

"deb ftp" from command line as in deb ftp client does not show anything, the logs on the asa (syslog) show no "deny's", se below:

Hmmm, seems I can't cut'n paste into this editor, se attached file for logs.

Thanks

hkl

6          Nov 04 2010      07:06:54                        85.95.45.106     39154   192.168.1.50     20         Built inbound TCP connection 64482 for outside:85.95.45.106/39154 (85.95.45.106/39154) to inside:192.168.1.50/20 (62.89.40.36/20)

6          Nov 04 2010      07:06:53                        85.95.45.106     57354   192.168.1.50     21         Built inbound TCP connection 64481 for outside:85.95.45.106/57354 (85.95.45.106/57354) to inside:192.168.1.50/21 (62.89.40.36/21)

tell me that control and data connections are allowed. The problem probably resides somewhere else.

Do a capture on the ASA inside "capture capin interface inside match ip host 192.168.1.50 host 85.95.45.106", try the transfer and look at the packets "sh cap capin".

I hope it helps.

PK

pkampana wrote:

6          Nov 04 2010      07:06:54                        85.95.45.106     39154   192.168.1.50     20         Built inbound TCP connection 64482 for outside:85.95.45.106/39154 (85.95.45.106/39154) to inside:192.168.1.50/20 (62.89.40.36/20)

6          Nov 04 2010      07:06:53                        85.95.45.106     57354   192.168.1.50     21         Built inbound TCP connection 64481 for outside:85.95.45.106/57354 (85.95.45.106/57354) to inside:192.168.1.50/21 (62.89.40.36/21)

tell me that control and data connections are allowed. The problem probably resides somewhere else.

Do a capture on the ASA inside "capture capin interface inside match ip host 192.168.1.50 host 85.95.45.106", try the transfer and look at the packets "sh cap capin".

I hope it helps.

PK

Hello again

Been away for some days, so looking back into this problem now.

See attached file for result of the capture, bit above my head, so much appreciated if you could advice.

br

hkl

Maykol Rojas
Cisco Employee
Cisco Employee

Hello,

Mike here, What type of FTP server are you running? Is it passive or active? On the show service policy, do you see the FTP inspection having any kind of drops?

Let me know.

Cheers

Mike

Mike

This is active ftp with client on the outside. If you allow tcp 20 and 21 on the outside acl it should work without ftp inspection.

I would remove this server 192.168.1.50 temporarily and use a laptop or other PC with the same ip address 192.168.1.50 and install filezilla server on it. And see if it works.

You can get filezilla here: http://filezilla-project.org/download.php?type=server

Make sure it is set to active ftp. Verify here: http://support.tigertech.net/filezilla-passive

-KS

kusankar wrote:

This is active ftp with client on the outside. If you allow tcp 20 and 21 on the outside acl it should work without ftp inspection.

I would remove this server 192.168.1.50 temporarily and use a laptop or other PC with the same ip address 192.168.1.50 and install filezilla server on it. And see if it works.

You can get filezilla here: http://filezilla-project.org/download.php?type=server

Make sure it is set to active ftp. Verify here: http://support.tigertech.net/filezilla-passive

-KS

Hello and thanks for the responce.

Port 20 and 21 is alowed. I tried to change the server to a vsftpd running on a linux, same result.

Seems that the link to set active/passive ftp in FileZilla is for the client not the server, the server options intf does not have a "tab" for active/passive.

hkl

mayrojas wrote:

Hello,

Mike here, What type of FTP server are you running? Is it passive or active? On the show service policy, do you see the FTP inspection having any kind of drops?

Let me know.

Cheers

Mike

Hello Mike

Thanks for your responce.

Hello mike, thanks for your response.


I'm running a FileZilla server 0.9.37 (btw: everything worked fine before the upgrade to 8.3) Not really sure if the server is passive or active, there are only two settings in for passive mode in the server, defining external IP, and also specifying a custom port range.

anubis(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!

anubis(config)# sh service-policy global

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1079, drop 0, reset-drop 0
      Inspect: ftp, packet 470, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 49, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
anubis(config)#

Hello Kristian,

Do you think that you can do the same capture that Panos Asked you on the outside, download them in pcap format and send them here? The only difference would be that instead of the private IP you will use the public IP of the server. Capture both sides inside and outside.

In order to download them, the only thing that you need to do is enable the http server on the ASA (HTTP server enable) and put the following URL on the web browser

https:///capture//pcap

For me, it seems like the data channel is not going out, take a look at this

  41: 08:02:48.680201 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535

  44: 08:02:51.654629 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
  45: 08:02:57.691660 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535

Is the Data channel that the server is trying to open.

Let me know if you are able to download the captures of if you need further explanation of how to do it.

Thanks.

Mike

Thanks for helping me out here.

Attached 2 files

capture capout interface outside match ip host 62.89.40.36 host 85.95.45.106 (pcap)

capture capin interface inside match ip host 62.89.40.36 host 85.95.45.106 (pcap(2))

Hope this is the right cptures you look for.

Again, thanks

hkl

Oops

Seems that only one file was attached, heres the next.

hkl

Hello,

Hehehe, I noticed, but thats ok. Thanks so much for taking those captures. I can see that the server sends out the port 20 in order to establish the Data connection with the client, but the client never respond. Here is two things that we can try.

Would youp please open command prompt on the PC and try to open the ftp connection over there? ftp and once you are there just type list

If it doesnt work, download wireshark on that computer, start sniffing and check if the SYN packet on port 20 gets to the client from the server.

Hey, if you need clarification on anything just let me know ok?

Cheers.

Mike.

Mike

Mike

I'm going to hang myself untill it realy hurts.

Your last post got me on the right track, I've already testet other ftp clients, but from the same client machine. So I logged into a Linux server I have lokated externaluy, and it worked fine.

Had to think a bit and realised I HATE WINDOWS FIREWALL, turned it of on the client machine and we are all set.

Thanks a lot to all of you who have wasted time on my stupidity.

hkl

Hopfully I learned something in the process.

Hello,


Hehehhehehehe Yay! At least we had it working .... Next time you wont forget... It was a pleasure helping you....

Cheers.

Mike.

Mike
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: