I am working on a zone-based firewall for a new location. I am currently working on getting connections to infrastructure devices (2960 switch, WAVE 574). I have a zone pair defined with an outside and an INFRA zone. The class map is a match access-group line, and the access-list is working for ssh and syslog. However, I have the WAVE device at a software version higher than my current standard (brand-new device) and have to ftp the downgrade code to the device from the ftp server. I have the following in the access-list
As you can see, it has matched 3 times. The built-in WAAS procedure is to ftp to the server, change to binary mode, go to PASV mode, CWD to the specified directory, which gets a successful reply, send PASV again, then try to download the file. At that point it breaks, giving a timeout error. The logs show tcp being denied between the WAVE device and the ftp server, both on upper ports. FTP handling should not be a problem; the firewalls have been handling it for years. What am I missing here? I checked the rest of the ACL above the ftp line; that is the only line that could possibly be hit by the addresses involved.
You'll need to make sure that your zone-pair's policy includes a class-map that uses 'match protocol ftp' and that the 'inspect' action is applied for this class of traffic. Since FTP opens a secondary data connection with a dynamically allocated port, ZBF needs to be able to see this port and dynamically allow the data channel through the firewall. Otherwise, you would need to permit all TCP traffic between the WAVE and the FTP server.
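As an added illustration of the answer above (this configuration is not from the original thread, and the zone names, class-map names, ACL name and addresses are assumptions chosen for the example), here is a zone-pair policy in which the FTP class matches both the ACL and the FTP application protocol, so the inspect engine can read the PASV reply on the control channel and open the data connection on the dynamically chosen port. It assumes the WAVE (198.51.100.20) sits in the INFRA zone and the FTP server (192.0.2.10) in OUTSIDE, with the WAVE initiating the transfer:

```cisco
! Added example, not the original poster's configuration.
! Addresses, zone names and object names are assumptions for illustration.
ip access-list extended INFRA-TO-OUTSIDE
 permit tcp host 198.51.100.20 host 192.0.2.10 eq 22
 permit udp host 198.51.100.20 host 192.0.2.10 eq 514
 permit tcp host 198.51.100.20 host 192.0.2.10 eq 21
!
! FTP class: match-all requires BOTH the ACL and the ftp application
! protocol. Matching 'protocol ftp' is what lets the firewall parse the
! PASV response and add the high-port data session to the state table.
class-map type inspect match-all CM-INFRA-FTP
 match access-group name INFRA-TO-OUTSIDE
 match protocol ftp
!
! Everything else the ACL allows (ssh, syslog) is plain stateful inspection.
class-map type inspect match-all CM-INFRA-MGMT
 match access-group name INFRA-TO-OUTSIDE
!
! Classes are evaluated top-down; the FTP class must come before the
! generic class or the control channel is inspected as ordinary TCP and
! the data channel is never opened.
policy-map type inspect PM-INFRA-TO-OUTSIDE
 class type inspect CM-INFRA-FTP
  inspect
 class type inspect CM-INFRA-MGMT
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security INFRA
zone-pair security ZP-INFRA-OUTSIDE source INFRA destination OUTSIDE
 service-policy type inspect PM-INFRA-TO-OUTSIDE
```

After applying it, retry the transfer and run `show policy-map type inspect zone-pair ZP-INFRA-OUTSIDE sessions`: with the FTP class matching, a second session between the two hosts on the PASV-negotiated port should appear alongside the port 21 control session, and the upper-port denies in the log should stop. If the FTP server is instead in INFRA and the WAVE in OUTSIDE, swap the source and destination of the ACL and the zone pair; the class-map and policy-map structure is the same.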