FTP Inspection Failed

We recently have had problems with some clients using FTP to our FTP site when they were using FTP active mode, and the session was terminated by the FW, an ASA 5580.

%ASA-4-406002: FTP port command different address: 174.129.205.194(10.204.138.136) to ftp.ncbi on interface outside

It was working, and I don't know why we only have trouble recently.

It still works for some clients, like Windows 7 even when it is behind a router doing NAT.

How should we tune the policy for "ftp inspection" on the ASA? (Cisco Adaptive Security Appliance Software Version 8.2(4)5)

Thanks,

Tony

2 REPLIES
FTP Inspection Failed

Hi,

Attached is the explanation given for the mentioned log:

Explanation: A client issued an FTP port command and supplied an address other than the address used in the connection. This error message is indicative of an attempt to avert the site's security policy. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and putting different source information instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event. The address in parentheses is the address from the port command.

Is the address in parentheses that of the client accessing the FTP service?

FTP Inspection Failed

Yes, you are right.

The packet I captured in front of FW looks like "PORT 192,168,1,9,19,137\r\n" and "Active IP address: 192.168.1.9 (192.168.1.9)".

Very interestingly, the same client accessing an identical FTP server (but one that has been put outside of the FW) sends a correct PORT command, which has rewritten this private IP to a public IP (the source IP of the packets).

Any idea why this happened? I checked the packets sent from the server to the client before this PORT command. Seems to me all is identical. I don't see that the server gave the client any hint to use a different style of "PORT command" to access me.
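To make the check behind message 406002 concrete, here is a small added example (not code from Cisco, the ASA, or anyone in this thread) that parses an FTP PORT command and compares the address it carries with the source address of the control connection, which is exactly the comparison the explanation above describes. The function names, the data class and the sample inputs are my own; the sample values are the ones that appear in the thread (the `PORT 192,168,1,9,19,137` capture and the `174.129.205.194(10.204.138.136)` pair from the syslog line), and the comparison logic is an assumption modelled on the explanation, not the ASA's actual implementation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2  -> IPv4 address h1.h2.h3.h4, TCP port p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


@dataclass
class PortInspection:
    """Result of inspecting one PORT command (hypothetical structure)."""
    port_ip: Optional[str]      # address taken from the PORT command, if parseable
    port_number: Optional[int]  # data port taken from the PORT command, if parseable
    allowed: bool               # True if the command would pass the address check
    reason: str                 # human-readable explanation of the verdict


def parse_port_command(line: str) -> Tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); raise ValueError if malformed."""
    m = PORT_RE.match(line.strip())  # strip() also removes the trailing \r\n
    if not m:
        raise ValueError(f"not a well-formed PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range (each field must be 0-255)")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PORT data port 0 is not usable")
    return ip, port


def inspect_port_command(conn_src_ip: str, line: str) -> PortInspection:
    """Emulate the address check the ASA explanation describes: the address the
    client supplies in PORT must equal the source address of the control
    connection; otherwise the command is rejected and the mismatch reported
    in the same 'source(port-address)' form as the 406002 message."""
    try:
        ip, port = parse_port_command(line)
    except ValueError as exc:
        return PortInspection(None, None, False, f"malformed PORT command: {exc}")

    if ipaddress.ip_address(ip) != ipaddress.ip_address(conn_src_ip):
        reason = f"FTP port command different address: {conn_src_ip}({ip})"
        # A private address in PORT from a public source is the classic sign of a
        # client behind NAT that did not rewrite the command itself (no FTP ALG).
        if ipaddress.ip_address(ip).is_private and not ipaddress.ip_address(conn_src_ip).is_private:
            reason += " (PORT carries an RFC 1918 address; client is likely behind NAT without an FTP ALG)"
        return PortInspection(ip, port, False, reason)

    return PortInspection(ip, port, True, "PORT address matches the control connection source")


if __name__ == "__main__":
    # Constructed sample session: the NAT'd client from the thread, whose PORT
    # command still carries its private address (this is what the FW drops) ...
    print(inspect_port_command("174.129.205.194", "PORT 10,204,138,136,19,137\r\n"))
    # ... and the same command as it should look after rewriting to the public IP.
    print(inspect_port_command("174.129.205.194", "PORT 174,129,205,194,19,137\r\n"))
    # The exact line captured in front of the FW in the thread.
    print(parse_port_command("PORT 192,168,1,9,19,137\r\n"))
```

Run against the capture from the thread, `PORT 192,168,1,9,19,137` decodes to 192.168.1.9 port 5001, and because 192.168.1.9 is not the public source address of the connection the check fails, which is the same mismatch the syslog line reports in its `source(port-address)` pair. The NAT hint in the reason string is diagnostic only; whether the ASA allows such sessions is a policy decision for the inspection configuration, not something this example changes.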
