Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

FTP Problem in ASA (Urgent)

I have firewall ASA with 8.0(4) version. Everything is working fine but recently we started one proejct which involves upload the files on FTP server located on outside the network over the internet.

Other FTP services are working fine but this FTP server is require port 6521 which i have opeend but still not able to connect. Only if i will open full IP address for a user he can connect and see the file listing on the serers but by opening TCP and UDP port 6521 is not working. I have attached the packet capture which shows the connection is establish on port 6521 but then dynamic port assignment is showing. I have also check with inspect FTP and by disabling it but no luck.

access-list acl-in extended permit tcp 192.168.51.0 255.255.255.0 host 111.121.249.247 eq 6521
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 30100
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 30000
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq ftp
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq ftp-data
access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 111.121.249.247 eq 6521
access-list acl-in extended permit tcp 192.168.88.0 255.255.255.0 host 111.121.249.247 eq 6521 

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect pptp
  inspect ftp

Please let me know how to solve the problem. YOur prompt helpe will be highly appreciated.

6 REPLIES
Cisco Employee

Re: FTP Problem in ASA (Urgent)

Hi,

The reason for that is because with "class-map inspection_default". inspection for FTP is done on TCP/21 only. To enable it on a different port like in our case TCP/6521, you will need to create another class-map matching that traffic and then perform inspection.

For example,

access-list FTP permit tcp any host 111.121..249.247 eq 6521

access-list FTP permit tcp host 111.121..249.247 eq 6521 any


class-map FTP

match access-list FTP


policy-map global_policy

class FTP

inspect ftp

To confirm if packets are being redirected and inspected, you can run a "show service-policy" and see counters incrementing. Let me know if this helps!!

Thanks and Regards,

Prapanch

New Member

Re: FTP Problem in ASA (Urgent)

I configure the class-map but still not luck.

show access-list ftp-list
access-list ftp-list; 2 elements
access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=2) 0x4f2ddd4a
access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4

show access-list ftp-list
access-list ftp-list; 2 elements
access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=4) 0x4f2ddd4a
access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4

show service-policy    

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 74601620, drop 327772, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 44466, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 44643, drop 44643, reset-drop 0
      Inspect: netbios, packet 375597, drop 0, reset-drop 0
      Inspect: rsh, packet 44463, drop 0, reset-drop 0
      Inspect: rtsp, packet 44486, drop 0, reset-drop 0
      Inspect: skinny , packet 44466, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 446745675, drop 13344, reset-drop 0
      Inspect: sunrpc, packet 68074, drop 0, reset-drop 0
      Inspect: tftp, packet 22322, drop 22322, reset-drop 0
      Inspect: sip , packet 66788, drop 0, reset-drop 0
      Inspect: xdmcp, packet 22323, drop 22323, reset-drop 0
      Inspect: pptp, packet 67131, drop 0, reset-drop 0
      Inspect: ftp, packet 169532, drop 0, reset-drop 0

    Class-map: ftp-class
      Inspect: ftp, packet 33, drop 0, reset-drop 2

    Class-map: class-default

      Default Queueing
      Set connection policy:         drop 0
      Set connection decrement-ttl

Please let me know how to solve it.

Cisco Employee

Re: FTP Problem in ASA (Urgent)

Hi Wasim,

Please run the following command to check how the ASA is inspecting the ftp requests from outside, with the configuration suggested for non-standard ftp inspection suggested by Prapanch:

show service-policy flow tcp host 192.168.51.10 host 111.121.249.247 eq 6521 

Cheers,
Rudresh V

Cisco Employee

Re: FTP Problem in ASA (Urgent)

Hi,

That's interesting. I can see packets being inspected as below:

  Class-map: ftp-class
      Inspect: ftp, packet 33, drop 0,  reset-drop 2

Please post the output of "shojw service-policy inspect ftp". Also, if possible, please get the bidirectional captures.

Thanks and Regards,

Prapanch

New Member

Re: FTP Problem in ASA (Urgent)

Please see the below mention output.

show service-policy flow tcp host 192.168.80.89 host 111.121.249.247

Global policy:
  Service-policy: global_policy
    Class-map: ftp-class
      Match: access-list ftp-list
        Access rule: permit tcp any any eq 6521
      Action:
        Input flow:  inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow:        Input flow:  set connection decrement-ttl
ENOCDC-FW01/Rack1# show service-policy flow tcp host 192.168.80.89 host 111.121.249.247

Global policy:
  Service-policy: global_policy
    Class-map: ftp-class
      Match: access-list ftp-list
        Access rule: permit tcp any any eq 6521
      Action:
        Input flow:  inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow:        Input flow:  set connection decrement-ttl
ENOCDC-FW01/Rack1# show service-policy inspect ftp                 

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 0, drop 0, reset-drop 0
    Class-map: ftp-class
      Inspect: ftp, packet 36, drop 0, reset-drop 2
ENOCDC-FW01/Rack1# show service-policy flow tcp host 192.168.80.89 host 111.121.249.247

Global policy:
  Service-policy: global_policy
    Class-map: ftp-class
      Match: access-list ftp-list
        Access rule: permit tcp any any eq 6521
      Action:
        Input flow:  inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow:        Input flow:  set connection decrement-ttl

Please help me out how to fix this issue.

Cisco Employee

Re: FTP Problem in ASA (Urgent)

Hi,

As i had mentioned before, please get the bidirectional captures in .pcap format on the "inside" interface, that is, traffic from and to the server. To apply and gather captures in a .pcap format, please refer the below document:

https://supportforums.cisco.com/docs/DOC-1222

Regards,

Prapanch

906
Views
0
Helpful
6
Replies