FTP issue

lkadlik
Level 1

I have a server on a DMZ that can FTP a file using the web browser, and you can connect to the FTP server via the command line. However, when one of the developers tries to use a script to transfer the file, it does not work. Additionally, when you connect to the FTP server via the command line and try to run the ls command, you receive an error message saying "500 illegal port".

I know that FTP is allowed on the firewall and FTP is part of the default global inspection policy. It looks like this is a PASV vs. active issue. However, in Windows it does not allow you to switch to passive mode.

Other than opening up all high-level ports for this connection, does anyone have a suggestion on what, if anything, I can do on the firewall?

thank you


Hi,

I'm not sure if this might help:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1234738

You can see what is the behavior of the normal default FTP inspection on the ASA and you can additionally create an FTP inspection map to specify different behavior.

Hope it helps.

Federico.
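The active-versus-passive distinction raised in the question, and the address checking that FTP inspection performs on the control channel, shown as an added Python example that is not part of this thread and not Cisco's code. It decodes the PORT command and the 227 reply, reports which side has to open the data connection (the server connects back to the client in active mode, the client connects out in passive mode) and applies the consistency check that makes a server answer "500 Illegal PORT command": the announced address must be the control connection's own peer and the port must not be privileged. The session lines, the client's public address 203.0.113.9 and the server address 198.51.100.7 are constructed for the example; 10.20.25.102 is the client's inside address from the config posted later in the thread.

```python
"""Added example, not code from this thread or from Cisco: decode the FTP
control-channel messages that set up the data connection and apply the
address consistency check that FTP servers and firewall FTP inspection
perform on them.

Active mode : the client sends PORT h1,h2,h3,h4,p1,p2 and the SERVER
              connects back to that address (inbound to the client).
Passive mode: the server answers 227 (...) and the CLIENT connects out.
"""
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed session (not a capture from the thread). 10.20.25.102 is the
# client's inside address from the posted config; the public addresses are
# documentation ranges chosen for this example.
CLIENT_PUBLIC_IP = "203.0.113.9"   # the client as the server sees it after NAT
SERVER_IP = "198.51.100.7"
SESSION = [
    ("C", "PORT 10,20,25,102,21,124"),   # private address leaks through NAT
    ("S", "500 Illegal PORT command."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,21,188)."),
]


def parse_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 group in text,
    or None if there is none or an octet is out of range."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    vals = [int(v) for v in m.groups()]
    if any(v > 255 for v in vals):
        return None
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]


def data_endpoint(line):
    """Classify one control-channel line. Returns
    (mode, side_that_connects, ip, port) or None for lines that do not
    set up a data connection."""
    if line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        return ("active", "server", hp[0], hp[1]) if hp else None
    if line.startswith("227 "):
        hp = parse_hostport(line)
        return ("passive", "client", hp[0], hp[1]) if hp else None
    return None


def embedded_address_ok(ip, port, control_peer_ip):
    """The check behind '500 Illegal PORT command': the address announced
    on the control channel must be the control connection's own peer and
    the port must not be privileged. Returns (ok, reason)."""
    if port < 1024:
        return False, f"port {port} is privileged"
    if ip != control_peer_ip:
        if ipaddress.ip_address(ip).is_private:
            why = "private address leaked through NAT"
        else:
            why = "address mismatch"
        return False, f"announced {ip} != control peer {control_peer_ip} ({why})"
    return True, "ok"


def analyze(session, client_public_ip, server_ip):
    """Walk a session and report, for every data-connection setup, who
    connects where and whether the announced address would be accepted."""
    report = []
    for _who, line in session:
        ep = data_endpoint(line)
        if ep is None:
            continue
        mode, connector, ip, port = ep
        # In active mode the client announced the address, so it must match
        # the client as seen on the control channel; in passive mode the
        # server announces its own address.
        peer = client_public_ip if mode == "active" else server_ip
        ok, reason = embedded_address_ok(ip, port, peer)
        report.append((mode, connector, ip, port, ok, reason))
    return report


if __name__ == "__main__":
    for mode, connector, ip, port, ok, reason in analyze(SESSION, CLIENT_PUBLIC_IP, SERVER_IP):
        verdict = "accepted" if ok else "rejected"
        print(f"{mode:7s} {connector} connects to {ip}:{port} -> {verdict} ({reason})")
```

Run stand-alone, the script reports the active-mode PORT as rejected (the client announced its private 10.20.25.102, which is not the address the server sees on the control connection) and the passive-mode 227 as accepted, with the client making the outbound connection. The PORT value 21,124 decodes to port 5500, which is where the service-object range in the posted config begins; an FTP ALG such as the ASA's inspect ftp exists precisely so the firewall can read these embedded addresses and open only the one data port that was negotiated, instead of a static range.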

praprama
Cisco Employee

Hey,

Could you provide details as to where the client is located with respect to the ASA, and also the IP address details of the ASA and the server along with the current ASA config (with altered IP addresses if needed)? We can go through that and see if we notice anything wrong on the ASA.

Thanks and Regards,

Prapanch

The client is on the dmz and can connect to the ftp server via the command line and transfer the file using a browser.

a.b.c.f is the ftp server

a.b.c.g is the client

The relevant parts of the config are as follows:

:
ASA Version 8.0(3)
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.0 standby a.b.c.e
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.30.2 255.255.255.0 standby 10.20.30.3
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.1
 description LAN Failover Interface
 vlan 28
!
interface GigabitEthernet0/2.2
 description STATE Failover Interface
 vlan 29
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.50.2 255.255.255.0 standby 192.168.50.3
!
interface Management0/0
 shutdown
 nameif managment
 security-level 100
 no ip address
!
same-security-traffic permit inter-interface
object-group network FTP
 network-object host a.b.c.f
object-group service FTP_service
 service-object tcp eq ftp-data
 service-object tcp eq ftp
 service-object tcp range 5500 5700
access-list acl_Inside extended deny object-group Anonymous any object-group BlackList
access-list acl_Inside extended deny ip a.b.c.0 255.255.255.0 any
access-list acl_Inside extended deny ip 192.168.50.0 255.255.255.0 any
access-list acl_Inside extended deny ip host 255.255.255.255 any
access-list acl_Inside extended deny ip 127.0.0.0 255.0.0.0 any
access-list acl_Inside extended permit ip any any
access-list acl_DMZ extended permit tcp host 192.168.50.51 host 192.168.50.180 eq smtp
access-list acl_DMZ extended permit tcp host 192.168.50.54 host 192.168.50.180 eq smtp
access-list acl_DMZ extended permit tcp host 192.168.50.54 host 192.168.50.246 eq smtp
access-list acl_DMZ extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_DMZ extended permit ip 192.168.50.0 255.255.255.0 any
access-list acl_Outside extended permit object-group FTP_service any object-group FTP
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu managment 1500
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
static (inside,outside) a.b.c.f 10.20.30.55 netmask 255.255.255.255
static (inside,outside) a.b.c.g 10.20.25.102 netmask 255.255.255.255
access-group acl_Outside in interface outside
access-group acl_Inside in interface inside
access-group acl_DMZ in interface dmz
!
!
policy-map Global_Policy
 description Global Policy for Traffic Inspection
 class Inspection_Default
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect ipsec-pass-thru
  inspect mgcp
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect http
!
service-policy Global_Policy global
prompt hostname context
Cryptochecksum:fd174eacd4f91d6b5b3ef484f5365abe
: end

Hi,

You have mentioned that both the client and the server are on the DMZ. But in the config I see the below two static commands redirecting a.b.c.f (server) and a.b.c.g (client) to the inside interface.

static (inside,outside) a.b.c.f 10.20.30.55 netmask 255.255.255.255
static (inside,outside) a.b.c.g 10.20.25.102 netmask 255.255.255.255

I am not quite sure about the topology yet. Could you clarify things a little bit more here?

Regards,

Prapanch

It looks like this might be a Barracuda issue. Thank you for taking the time to respond to me.
